The new edition of the Personal Data Law: should we be afraid?

In late July, the President signed a bill amending the federal law “On Personal Data”. The law was published in Rossiyskaya Gazeta on July 27, at which point it entered into force. It was also given retroactive effect: it applies to legal relations that arose from July 1. Its adoption was preceded by a heated discussion: several information security experts appealed to the President with an open letter urging him not to sign the law under any circumstances. According to the signatories, the proposed amendments do not comply with the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, even though the stated aim of the bill was to fulfill that Convention's requirements.

The scheme for determining personal data protection measures that has now been adopted fundamentally contradicts the Convention's. Under the Convention, the person processing the information decides for themselves what means to protect it with. Russian law, by contrast, sets those requirements itself and imposes liability for failing to meet them. Moreover, according to the letter's authors, these requirements amount to “methods and means of protecting state secrets from 20 years ago”. The bill as originally drafted was a compromise that gave the personal data operator more freedom in choosing protective measures, but its text was changed during passage. Let us look at what the amendments actually are.

What does the law apply to?

Not long ago we already examined this law in its previous wording, and the very first thing that deserved attention was its scope. Unfortunately, the law itself described it in a way that was not entirely clear to the general public: its requirements extended only to processing that either “is performed using automation tools” or “corresponds, in the nature of the actions (operations) performed on personal data, to processing using automation tools”. What that nature actually is was spelled out in by-laws, which, as a rule, nobody reads.

Now the text of the first article has been changed, and an explanation has been added on exactly this point: data processing “is carried out using automation tools” if it “allows, according to a given algorithm, searching for personal data recorded on a tangible medium and contained in card files or other systematized collections of personal data, and (or) access to such personal data”. As noted in the previous article, the PD law applies only to mass data processing, and this is now stated clearly in the text. However, this additional precision was offset by a change in the very definition of personal data. Previously, the definition covered “any information relating to an individual identified or identifiable on the basis of such information”. Now PD means “any information relating to a directly or indirectly identified or identifiable individual”. With this change the scope of the law extends to unimaginable limits: personal data is now any information that somehow relates to a specific person, regardless of whether the person can be identified from that information alone or only by combining it with data from other sources.

Every single site on the Internet immediately falls under the law, even those that store no names or surnames. An e-mail address, even without any additional information, is already personal data, since it indirectly refers to a specific individual. So are blog entries, instant messenger addresses, and a pile of other information, right down to grades in a student record book. This vagueness will inevitably lead (and already leads) to the law being interpreted arbitrarily, with anyone liable to be punished for violating the procedure for handling PD. That was already the case under the old version of the law, but the changes will only encourage this practice to spread.

In addition, the fourth article expands the range of authorities that may adopt regulatory acts on PD protection: the Bank of Russia and municipal authorities are now included. This fits the law's general trend toward ever greater “over-regulation” of personal data processing.

When is consent not required?

The general condition for processing personal data is obtaining the consent of its subject (the person the data relates to). The law provides a number of situations in which such consent is not required, and the amended list has been expanded significantly, since the old edition clearly did not match modern realities. The administration of justice and the execution of judicial acts, for example, were added to the list. That this ground was absent from the law before is a clear omission.

Consent need not be asked when providing public services. Also added is the situation where “the processing of personal data is necessary to exercise the rights and legitimate interests of the operator or third parties, or to achieve socially significant goals, provided that the rights and freedoms of the personal data subject are not violated”. As you can imagine, “socially significant goals” can be stretched to cover a great deal; sites hosting various kinds of “blacklists”, for example, will most likely cite this provision when complaints are filed against them. Consent is also not required for processing information that the personal data subject has made public. Strangely, there was no such exception in the previous wording, so formally consent was required even for processing publicly available data.

The ninth article, which describes the procedure for obtaining consent, has also changed significantly. In the previous edition consent could only be given in writing, and the document had to bear a handwritten signature; simply put, it had to be on paper. Although the Civil Code allows transactions to be concluded in writing by exchanging documents, including electronic ones, the handwritten signature requirement deprived the operator and the data subject of that option. The only alternative to paper consent was a document signed with an electronic signature, which was extremely rare in Russia.

But first the law “On Electronic Signature” changed: under its new version, a document can be signed not only using cryptographic software but also with passwords, confirmation codes, and other actions. Previously these were called analogues of a handwritten signature; under the new law they too became a “signature”.

The authors of the PD law amendments went even further and allowed consent to be obtained “in any form that makes it possible to confirm the fact of its receipt, unless otherwise provided by federal law”. A law may still require written form, in which case the signature may be electronic, including ticking an “I agree” box on a site's registration form. In fact, the law originally did not require any handwritten signature; that requirement was introduced by a later amendment, and these thoughtless changes have now been rolled back. Article 18, which defines the obligations of the PD operator, has also been amended: the list of situations in which the operator need not notify the subject that it is processing their personal data, where the data was not obtained from the subject directly, has been expanded. The law exempts from such notification, for example, processing for statistical or other research purposes, or in the course of journalistic activity.

...and what will change now?

Now we come to the very article (the nineteenth) that regulates data security measures. Unlike the other articles, it was not changed at all: the modified version was simply dropped from the bill. Yet that version contained significant relief for data operators. Under the current text they are required to take the necessary measures to protect information, with the security requirements set by the Government, and there are no exceptions to this rule. The version of the article that was in the bill, however, provided for liberal innovations.

The “necessary measures” an operator must take were made dependent on the volume of data and the nature of its processing, the damage a leak could cause, and other factors. Most importantly, the Government was given the right to set mandatory protection requirements only for state and municipal institutions; how all other organizations protected information was left entirely to their own conscience.

Why this question is fundamental is easy to understand if you know how the introduction of certified information systems is going in Russia. A good example is the well-known EGAIS, whose task was to control “every bottle of alcohol in Russia”. The system has failed at this task, but mountains of money have already been spent on its rollout, mainly because of the exorbitant cost of certified equipment and maintenance. True, the EGAIS software was written specifically for it, whereas for personal data protection existing certified programs can be used, which gives some hope for gentler prices.

But the appetites of certified hardware suppliers are hard to predict: a typical set of EGAIS equipment for a distillery, for example, costs 650 thousand rubles. It was precisely these excessive costs that the signatories of the letter to the President pointed to: by their estimate, the cost of meeting the law's requirements could reach six percent of the country's GDP. And if you thought the law's main task was actually protecting personal data, you are sorely mistaken. It is simply incapable of protecting data from leaks; on the contrary, its strict requirements only make obtaining electronic services harder.

As noted above, our legislation establishes liability for non-compliance with mandatory information protection requirements. Yet if a data leak actually occurs, no sanction for it is provided at all: the data operator can only be charged under Article 13.11 of the Administrative Code, for “violating the statutory procedure” for data processing. That article draws no distinction between a mere formal violation and one that caused actual damage. Nor is there any liability for concealing information about data leaks. Another commonly applied article of the Administrative Code is 19.7, which establishes liability for “failure to provide information whose provision is required by law”. It is used when an operator does not notify Roskomnadzor that it has begun processing personal data, a duty set out in Article 22 of the PD law. As you can see, liability here too is imposed for non-compliance with formal requirements, regardless of whether the violation caused any damage. But the law may well boost sales of certified computers and software.

Source: https://habr.com/ru/post/126299/