Leaks and laws. Who is guilty?
Many emotions have already been expressed about the guilt of the recent leaks.
However, let's quickly figure out how to look at all this from the point of view of the law.
For example, let us take the case when it was precisely the full passport data that flowed away (for example, from the Russian Railways base), because under this it is easiest to bring a legislative base.
In accordance with the recently entered into force 152 FZ, each person storing and processing personal data (passport data refers to them) must comply with the requirements of this law. Such a person becomes an operator of personal data.
')
Article 7. Confidentiality of personal data
1. Operators and third parties receiving access to personal data should ensure the confidentiality of such data, except as provided for in paragraph 2 of this article.
2. Ensuring the confidentiality of personal data is not required:
1) in case of anonymization of personal data;
2) in relation to publicly available personal data.
This alone makes the owners of the services, who have allowed data leakage by violators of the law FZ 152 , which entails varying degrees of responsibility.
They index everything within their reach. When a Yandex robot hits my personal data, it also indexes them. The process of indexing, that is, entering into the database and subsequent manipulations falls under the definition of data processing.
Processing of personal data - actions (operations) with personal data, including the collection, systematization, accumulation, storage, refinement (update, change), use, distribution (including transmission), depersonalization, blocking, destruction of personal data p.3.3 152 FZ
In accordance with the law 152 such an action is possible only with the consent of the owners of personal data:
Section 6. Conditions for the processing of personal data
1. The processing of personal data may be carried out by the operator with the consent of the subjects of personal data, except as provided for in paragraph 2 of this article.
2. The consent of the subject of personal data provided for in part 1 of this article is not required in the following cases:
1) the processing of personal data is carried out on the basis of federal law, establishing its purpose, the conditions for obtaining personal data and the range of subjects whose personal data are subject to processing, as well as determining the powers of the operator;
1.1) the processing of personal data is necessary in connection with the implementation of international agreements of the Russian Federation on readmission;
2) the processing of personal data is carried out in order to fulfill the contract, one of the parties to which is the subject of personal data;
3) the processing of personal data is carried out for statistical or other scientific purposes, subject to the mandatory depersonalization of personal data;
4) the processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data, if obtaining the consent of the subject of personal data is impossible;
5) the processing of personal data is necessary for the delivery of postal items by postal organizations, for telecommunication operators to make settlements with users of communication services for communication services rendered, as well as for considering claims of users of communication services;
5.1) personal data processing is necessary for managing organizations, homeowner associations, housing cooperatives, housing construction cooperatives ... (and so on - reduced; author’s comment)
6) the processing of personal data is carried out for the purposes of the professional activities of a journalist or for the purposes of scientific, literary or other creative activity, provided that this does not violate the rights and freedoms of the subject of personal data;
7) the processing of personal data to be published in accordance with federal laws, including personal data of persons holding public positions, positions of the state civil service, personal data of candidates for elected state or municipal positions.
3. Features of the processing of special categories of personal data, as well as biometric personal data are established, respectively, by articles 10 and 11 of this Federal Law.
4. In the event that the operator on the basis of a contract entrusts the processing of personal data to another person, the essential condition of the contract is the obligation for the said person to ensure the confidentiality of personal data and the security of personal data during their processing.
The actions of search engines do not fall under any of the sub-paragraphs of the second section. Even if they are indexing for a scientific purpose, they are obliged to depersonalize data, which is not happening.
Thus, the search engine is willing to process my data is required to ask me for permission . Since he does not do this, then his responsibility under the law must come.
The fact that he took this data in a publicly accessible place can in no way serve as an excuse, they are not publicly available by law.
Generally available personal data - personal data, access of an unlimited number of persons to which is granted with the consent of the subject of personal data p.3.12 152 FZ
And the main point here - the consent of the subject, which is missing.
Yes, the owner of the leakage resource is legally responsible.
Yes, search engines also violate the law 152 on personal data. And yes, they should also be accountable under the law.
PS I want to add on my own. This whole article is full of extreme tediousness. I myself claims to search engines seem to be generally sucked from the finger. But from the point of view of the law, they break it. And if we live in a state of law, we must act in accordance with the laws (changing them as necessary).
Thanks for attention.
PSS I am not a lawyer and do not conduct a detailed analysis. I am sure that lawyers at Yandex have already been lined with piles of literature and somehow get out. But in terms of banal erudition, the situation is exactly as I wrote above;)
However, let's quickly figure out how to look at all this from the point of view of the law.
For example, let us take the case when it was precisely the full passport data that flowed away (for example, from the Russian Railways base), because under this it is easiest to bring a legislative base.
so
In accordance with the recently entered into force 152 FZ, each person storing and processing personal data (passport data refers to them) must comply with the requirements of this law. Such a person becomes an operator of personal data.
')
In particular:
Article 7. Confidentiality of personal data
1. Operators and third parties receiving access to personal data should ensure the confidentiality of such data, except as provided for in paragraph 2 of this article.
2. Ensuring the confidentiality of personal data is not required:
1) in case of anonymization of personal data;
2) in relation to publicly available personal data.
This alone makes the owners of the services, who have allowed data leakage by violators of the law FZ 152 , which entails varying degrees of responsibility.
Let's now look at Yandex and other search engines.
They index everything within their reach. When a Yandex robot hits my personal data, it also indexes them. The process of indexing, that is, entering into the database and subsequent manipulations falls under the definition of data processing.
Processing of personal data - actions (operations) with personal data, including the collection, systematization, accumulation, storage, refinement (update, change), use, distribution (including transmission), depersonalization, blocking, destruction of personal data p.3.3 152 FZ
In accordance with the law 152 such an action is possible only with the consent of the owners of personal data:
Section 6. Conditions for the processing of personal data
1. The processing of personal data may be carried out by the operator with the consent of the subjects of personal data, except as provided for in paragraph 2 of this article.
2. The consent of the subject of personal data provided for in part 1 of this article is not required in the following cases:
1) the processing of personal data is carried out on the basis of federal law, establishing its purpose, the conditions for obtaining personal data and the range of subjects whose personal data are subject to processing, as well as determining the powers of the operator;
1.1) the processing of personal data is necessary in connection with the implementation of international agreements of the Russian Federation on readmission;
2) the processing of personal data is carried out in order to fulfill the contract, one of the parties to which is the subject of personal data;
3) the processing of personal data is carried out for statistical or other scientific purposes, subject to the mandatory depersonalization of personal data;
4) the processing of personal data is necessary to protect the life, health or other vital interests of the subject of personal data, if obtaining the consent of the subject of personal data is impossible;
5) the processing of personal data is necessary for the delivery of postal items by postal organizations, for telecommunication operators to make settlements with users of communication services for communication services rendered, as well as for considering claims of users of communication services;
5.1) personal data processing is necessary for managing organizations, homeowner associations, housing cooperatives, housing construction cooperatives ... (and so on - reduced; author’s comment)
6) the processing of personal data is carried out for the purposes of the professional activities of a journalist or for the purposes of scientific, literary or other creative activity, provided that this does not violate the rights and freedoms of the subject of personal data;
7) the processing of personal data to be published in accordance with federal laws, including personal data of persons holding public positions, positions of the state civil service, personal data of candidates for elected state or municipal positions.
3. Features of the processing of special categories of personal data, as well as biometric personal data are established, respectively, by articles 10 and 11 of this Federal Law.
4. In the event that the operator on the basis of a contract entrusts the processing of personal data to another person, the essential condition of the contract is the obligation for the said person to ensure the confidentiality of personal data and the security of personal data during their processing.
The actions of search engines do not fall under any of the sub-paragraphs of the second section. Even if they are indexing for a scientific purpose, they are obliged to depersonalize data, which is not happening.
Thus, the search engine is willing to process my data is required to ask me for permission . Since he does not do this, then his responsibility under the law must come.
The fact that he took this data in a publicly accessible place can in no way serve as an excuse, they are not publicly available by law.
Generally available personal data - personal data, access of an unlimited number of persons to which is granted with the consent of the subject of personal data p.3.12 152 FZ
And the main point here - the consent of the subject, which is missing.
Summarizing:
Yes, the owner of the leakage resource is legally responsible.
Yes, search engines also violate the law 152 on personal data. And yes, they should also be accountable under the law.
PS I want to add on my own. This whole article is full of extreme tediousness. I myself claims to search engines seem to be generally sucked from the finger. But from the point of view of the law, they break it. And if we live in a state of law, we must act in accordance with the laws (changing them as necessary).
Thanks for attention.
PSS I am not a lawyer and do not conduct a detailed analysis. I am sure that lawyers at Yandex have already been lined with piles of literature and somehow get out. But in terms of banal erudition, the situation is exactly as I wrote above;)
Source: https://habr.com/ru/post/125022/
All Articles