On July 27, 2006, the Personal Data Act was passed. Its adoption was tied to Russia's ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data: the law was meant to put into domestic legislation the requirements for protecting personal data that the Convention describes. As the legislators conceived it, computer systems created before the law took effect had to be brought into conformity with its requirements by January 1, 2010. As that date approached, however, it became increasingly obvious that many system owners could not manage it. So at the very end of 2009, when very little time remained until "Day X", the deadline was moved to January 1, 2011. And when that deadline in turn was not far off, the "full-fledged" entry into force of the law was postponed once more, this time by only half a year, to July 1, 2011.
I think many site owners, already intimidated by this law, have begun looking for some way to hide from its all-seeing eye. It is possible that in June our lawmakers will perform another such maneuver, but it is not worth counting on. Better to look at what this law actually threatens us all with.
What is PD?

To begin with, let us define the terminology. By "personal data information system" the law means "a set of personal data contained in a database, together with the information technologies and technical means that allow such personal data to be processed with or without the use of automation tools". Behind this convoluted wording lies an ordinary computer on which personal data are processed. "Personal data" in the law means any information "relating to a natural person who is identified, or identifiable on the basis of such information".
The law explicitly lists as personal data "surname, first name, patronymic; year, month, date and place of birth; address; family, social and property status; education; profession; income", but this list is not exhaustive. In other words, "personal data" is any information that can be used to identify a person. And here lies one of the biggest problems with the law: such a definition can be interpreted very broadly. Whether a person can be identified from some data depends not on the type of the data but on how much of it there is and in what context. A first name and surname, for instance, may not be enough to single someone out of a sufficiently large group of people: try searching the Internet for your own namesakes and see for yourself. In a school class, on the other hand, first name and surname are quite sufficient. There is no such thing as "identification in general"; it is always carried out on the basis of a specific amount of data in a specific situation. The law, speaking of abstract "personal data", does not take this into account at all. As a result, whether you risk sanctions for violating it depends heavily on the subjective opinion of the inspector.
In practice, you can only be certain that "personal data" includes the categories of information expressly named in the law. Everything else may or may not be considered PD, depending on the situation. Another nuance is worth keeping in mind: not every mention of someone else's data violates the law on PD. The Convention itself speaks of "automatic data processing", and Article 1 of the law extends its scope to actions carried out "with the use of automation tools or without the use of such tools, if the processing of personal data without such tools corresponds in nature to the actions (operations) performed on personal data with the use of automation". This is a very important point that is often forgotten: not every action with personal data falls under the law, only those connected with processing sufficiently large arrays of it. Processing without automation is also regulated by the law when the actions are performed on the data of many people; all manner of card indexes, lists and the like fall under the law in this case.
Who is the "operator"?

"Operator", in the terminology of the law, is any person or organization engaged in processing other people's data. That is, if you have launched a site with a registration form that asks for the user's name, that is it: you fall under the law. Note also that if you began processing personal data after the law was adopted, the July deadline we mentioned at the beginning does not apply to you. Article 25 of the law sets it only for those who were already processing data before the law came into force. Everyone else had to comply with the requirements from the very start.
The first thing our operator must do is notify the authorized body that monitors compliance with the law, the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor). The service's website has a special online form for submitting such a notification, but there is little point in it, since you will still have to send the notification by regular mail.

Article 22 of the law provides for a number of situations in which the notification need not be filed. One of them is when, of all the types of personal data, only the surname, first name and patronymic are processed, which may be enough in some cases. Most forums and sites built on common CMSs store only a username and a password, which are not "personal data" at all. It is therefore advisable to limit yourself to these.
These days, however, social networks require users to leave more and more data on sites, and the owners of such sites run into the next obstacle: obtaining consent from the "subjects". The consent of the data subject (the person to whom the data relate) may be oral or written. Written consent is mandatory in a specific list of cases: to include data in a publicly accessible source (Art. 8); to process special categories of data, such as race, political opinions and the like (Art. 10); to process biometric data (Art. 11); to transfer data abroad (Art. 12); and to take decisions affecting the subject's rights and freedoms solely on the basis of automated processing of his data (Art. 16). Other cases may be provided for by law. Moreover, the law on PD (Art. 9) imposes an additional requirement on the written form: the consent must bear the handwritten or electronic signature of the person giving it. The usual procedure for written transactions established by the Civil Code, where the terms of a contract are set out in a separate document and agreement to them can be expressed by performing some action, therefore does not apply here.
Thus the owners of social networks, which either show users' data to everyone or allow it to be viewed by a sufficiently large number of people, are violating the law: they have neither a signed paper consent nor one bearing an electronic signature. They have been violating it only recently, since July of last year, when the corresponding amendments were made to the law. And there seems to be no way at all around this requirement. At this point the typical site owner gives up and never reaches the description of the requirements his computer must meet, thereby saving himself some precious nerve cells (mainly because he never finds out how much it will cost).
How personal data must be protected is described in the Regulations on the methods and means of protecting information in personal data information systems. All computer systems are divided into four "classes", and only for one of them, the fourth, are protective measures applied at the owner's discretion. The classification procedure is approved by an FSTEC order, and the class a system is assigned to depends on the amount of data processed, its type and other factors. The "fourth class" covers systems that process only depersonalized or publicly available personal data, whose leakage cannot harm the subjects in any way.

If you thought, however, that protective measures could be avoided simply by warning users that the data they enter will be publicly available, forget it at once. At the stage of data collection, that is, when the data are received from the user, they are not yet publicly available, so any system that collects data cannot be classified as "fourth class". Depersonalization does, though, underlie one commonly used way of saving on protection: only the computers on which data are entered are certified. Each record is then assigned an identifier, and all the other computers work only with those identifiers, so they can be assigned to the "fourth class", for which no protection is required.
And who are the supervisors?

The law "On Personal Data" turned out to be far too demanding of operators. In the West a completely different approach to regulation in this area has been adopted: if an operator suffers a data leak, he is punished, and severely, but how he processes the data is his own business. The Russian approach is the exact opposite: here they try to regulate everything that can be regulated, yet violating the procedure for working with PD carries nothing beyond administrative liability under Article 13.11 of the Administrative Code (a fine of up to 10,000 rubles for legal entities). So in Russia, famous for its tradition of not complying even with sensible laws, people deal with an ill-conceived one like "On Personal Data" in the customary Russian way: they simply ignore it, hoping that not everyone will be punished, much as torrent users do.

True, there are far more torrent users, and each of them accordingly has a far smaller chance of being caught. But if your site is hosted somewhere abroad, Roskomnadzor's reach will most likely not extend to it. Moreover, one recent attempt to hold a site owner liable showed that the supervisors themselves do not know the law very well. In late January and early February,
two court hearings took place in a case in which representatives of Roskomnadzor were the plaintiffs and the defendant was Sergey Kotelnikov, owner of the site "All-Russian Genealogical Tree".

The claim itself was filed on the complaint of a site visitor who had found the personal data of six people on it. In the proceedings Roskomnadzor acted in the interests of an indefinite circle of persons and demanded the destruction of all personal data posted on the site up to that time. These data had been published in order to search for relatives, and the site itself is the largest Russian genealogical resource, so naturally its users were unhappy. In the course of negotiations between Kotelnikov and Roskomnadzor, the parties even intended to conclude a settlement agreement, one condition of which was that when posting data the user would give consent to its becoming publicly available.

Given how few people hold an electronic signature, this was obviously an impossible task. But the court took a simpler route: it dismissed the application without considering the merits. The court's ruling states that Roskomnadzor simply has no right to bring claims in the interests of an indefinite circle of persons; under Article 23 of the law on PD it may protect the interests only of specific "personal data subjects". After all, if "personal data" is information relating to a specific person, an "indefinite circle" of such persons cannot exist in principle. Thus this "sensational" case exposed one of the supervisors' weaknesses: they simply have no right to demand the deletion of all data of all users from a site, since the law allows them to act only in the interests of specific individuals.