Recently the specialist media reported that Roskomnadzor, under the auspices of Rossiyskaya Gazeta, had published a book titled “Federal Law ‘On Personal Data’. Scientific and Practical Commentary”. For me, given what I do for a living, this brochure (well, “brochure”: it is a tome of almost 200 pages) is simply a must-have. Despite the fact that I have been dealing with personal data protection in organizations for 7 years, in all that time I have never managed to assemble a coherent picture in my head of “what, how and why”. I was hoping that the document in question would help put at least something in order. Whether Roskomnadzor managed to clarify the murky parts of the personal data legislation, read on below the cut.

How to get it
Let me start with the process of obtaining the book. It is available on the website of the Rossiyskaya Gazeta library here. Any normal person will immediately ask: why should I pay for the regulator to explain the provisions of a federal law? Conspiracy theorists will say at once that the laws are deliberately made murky and incomprehensible so that the explanations can be sold to us. I myself am a fierce opponent of distributing such publications for money (as well as of the paid distribution of GOSTs), but be that as it may, we have what we have...
Naturally, I was interested in the PDF option for 100 rubles. When I got to ordering the book, I once again tensed up badly. At that point I asked myself: why can I easily buy tickets to a provincial cinema with a credit card, but in order to get a “scientific and practical commentary” from Rossiyskaya Gazeta, I need to:
- print out a receipt;
- fill in the receipt;
- go to the bank and pay;
- scan the receipt or payment confirmation and send it by e-mail;
- wait for my PDF.
Well, okay, why am I going on about sad things; let's... no, damn it, we are going to talk about sad things again.
I will say at once that there is, unfortunately, very little that is useful and practical in this rather large document; I will talk about that at the end of the article, and now about the shortcomings and other sad things.
Inconsistency of the commentary with the current political situation
Here, for example, is what the authors write in their commentary on the goals of the law “On Personal Data”:
In order to protect the rights of citizens in the field of personal data, the Russian Federation, taking into account transboundary flows of personal data, first of all ensured the implementation of the requirements of pan-European law in Russian legislation and created a system for protecting the rights of personal data subjects in accordance with the basic principles laid down in interstate instruments on data.
In light of the recent decision of the Constitutional Court that European courts are not a decree for us, and the introduction from September 1 of the obligation to store the personal data of citizens of the Russian Federation only on the territory of the Russian Federation, talk of “cross-border flows” and “implementation of pan-European law requirements in Russian legislation” is nothing short of ridiculous. It should be noted right away that almost one fifth of the document is devoted to discussing the harmonization of domestic legislation with international legislation, the European conventions, the Universal Declaration of Human Rights, etc.
Thanks, now I see!
Instead of useful commentary, the document often simply states that the legislation is indeed murky and that we will have to live with it. This begins with the commentary on the definition of the concept of “personal data”.
Here is the definition in the Federal Law “On Personal Data”:
Personal data: any information relating to a directly or indirectly identified or identifiable individual (the personal data subject).
The “scientific and practical” commentary:
At the same time, from the point of view of the principles of law operating in the Russian legal system, one can doubt the formal definiteness of the concept of “personal data”. Under a literal interpretation of the norm in question, the concept of “personal data” covers a wide range of information, including information going beyond what is reasonably expected in this context. In particular, it does not indicate the relationship between the information and the direct or indirect identification or “identifiability” of an individual. Accordingly, there is no unambiguous understanding of when the data collected and processed will be personal data and when it will not.
Further, a dubious conclusion is drawn that an unambiguous concept of “personal data” cannot be formulated at all, and that the current definition was formulated with the aim of maintaining a balance of interests between all participants in these relations (regulators, personal data operators and personal data subjects). In fact, the vagueness of the definition gives Roskomnadzor an extra excuse to punish the operator. In my practice there was a case when, during an inspection of one organization, having found nothing else to dig into, the regulator's representatives wrote up an order stating that the personal data law had been violated over a category of personal data, “number of the power of attorney issued to an employee” (qualified as provision of incomplete or distorted information to the authorized body).
Interestingly, the authors “explain” what the law's requirement that personal data processing be carried out on a fair basis means:
In addition, any processing must be carried out on a fair basis, that is, on the basis of a moral and legal category reflecting the idea of due observance of universal human values and the principles of morality, honor, legality and law.
Thanks, now I see! Before, I used to ask one question: what is meant by a “fair basis”. Now I ask myself several: what is meant by “moral and legal category...”, what is meant by “due observance...”, what is meant by “universal human values” and “principles of honor and morality”.
In general, the “scientific and practical” commentary abounds in turns of phrase like “the question remains open”, “the law does not define”, “the law does not clarify”, “may” (or may not...), “probably”. Sometimes, after reading the “scientific and practical” commentary, there are even more questions than after reading the law “On Personal Data” itself. For example, after a multi-page tirade that personal data processing must correspond to the stated purposes of processing and that excessive personal data is unlawful, comes an epic phrase:
However, the current legislation does not contain criteria for the redundancy of processed personal data.
Or another:
Despite the fact that the legislator has enshrined the concept of biometric data in the commented law, there is still no uniform interpretation of this term and, accordingly, no understanding of what data about a person can be biometrics.
But this one, on the question of the operator's duty to provide information to the subject upon request, is simply infernal trolling:
Thus, information relating to the processing of personal data is provided by the operator in an accessible form. However, the legislator does not disclose the concept of “accessible form”.
Did I say that? I did not say that!
There are also outright contradictions in the document. So, for example, on the question of what is considered personal data and what is not, the authors first say:
In general, the members of the working group agree that if a set of data is necessary and sufficient to identify a person, such data should be considered personal data, even if it does not include data from identity documents.
Then:
... the following data can also be considered personal, despite the fact that some element of probable coincidence remains with regard to them...
So, after all, do we consider as personal data only data sufficient to identify a subject, or are assumptions of the “probable coincidence” kind also acceptable? Personally, I am even more confused.
There is an even more obvious contradiction. For example, when explaining the need to obtain the subject's consent to the processing of personal data, page 36 states explicitly that management companies have the right to transfer the personal data of residents of apartment buildings to settlement centers for calculating utility bills without the residents' consent. On page 42 the opposite example is given:
... a ruling of a Kirov court, which found that the management company violated the law by transferring personal data to the settlement center without the consent of the owners and tenants.
Dear authors, so what are we mere mortals supposed to be guided by: your conclusions or the law enforcement practice that you cite?
No answers then, no answers now
From the adoption of the law “On Personal Data” to this day, a number of questions remain that cause heated debates online but have no single right answer, unlike, say, a mathematical equation. These issues include, for example:
- How to determine the harm to the personal data subject?
- In what form should the assessment of the effectiveness of measures taken to ensure the security of personal data be carried out?
- Does the “procedure for assessing the conformity of information security tools” mean mandatory certification?
On the question of harm assessment:
Harm should be determined on the basis of an assessment of all adverse consequences that may arise from non-compliance with the requirements of the Personal Data Act, from the size of penalties to reputational risks and legal costs.
One probably should not have expected a sensible methodology for assessing harm to the personal data subject in case of violation of the law from the “scientific commentary”. But a link to best practices could have been left.
On the question of “effectiveness assessment”: absolutely nothing.
On the question of certification of information security tools used in personal data information systems: a dry reference to 184-FZ “On Technical Regulation”. Why this Federal Law is not so simple can be found in
this presentation by Alexey Lukatsky.
Copy-paste is our everything
I was very saddened by the copy-paste of most of the contents of Government Resolution 1119, which describes the criteria for assigning personal data to a particular level of protection. This was done under the guise of “interpreting” Article 19 of 152-FZ (Measures to ensure the security of personal data during their processing). Here I just want to say to the authors: “Guys, PP-1119, unlike your work, is publicly available and anyone can read it!”. It is good that at least FSTEC Order No. 21 was not pasted in, in full or in part; thanks for that.
And is there anything useful at all?
Fortunately, there is. Useful information has to be collected bit by bit, and I give it below.
About electronic archives
At the very beginning, the law lists the cases to which 152-FZ does not apply. The law “On Personal Data” does not apply, among other things, to the organization of storage of documents falling within the scope of 125-FZ “On Archiving in the Russian Federation”. Our clients often ask whether this exception covers digital archives, backups, and so on. The regulator gives an explanation: archival legislation has no concept of an “electronic archive”, therefore all digital archives containing personal data fall under 152-FZ “On Personal Data”.
Is storage “processing” of personal data?
Many operators ask themselves whether mere storage falls under the collective concept of “personal data processing”. Roskomnadzor answers this:
Processing includes any actions of the operator with personal data: collection, recording, systematization, accumulation, storage, updating, extraction, use, transfer, depersonalization, blocking, deletion, destruction of personal data.
About manual processing of personal data
Such processing is regulated by the “Regulation on the specifics of personal data processing carried out without the use of automation tools”, approved by Resolution of the Government of the Russian Federation No. 687 of September 15, 2008. This regulation gave absolutely crazy definitions of manual processing of personal data. According to these definitions, if, for example, a database search is performed with human participation (the user enters a search query), then such processing is considered non-automated. Here are the provisions:
The processing of personal data contained in a personal data information system or extracted from such a system (hereinafter referred to as personal data) is considered to be carried out without the use of automation tools (non-automated) if such actions with personal data as use, updating, dissemination and destruction of personal data in relation to each of the personal data subjects are carried out with the direct participation of a person.
The processing of personal data cannot be deemed to be carried out using automation tools solely on the basis that the personal data is contained in a personal data information system or has been extracted from it.
Later, in 2011, 152-FZ was supplemented with the concept of automated processing of personal data. According to the new provision, automated processing is any processing of personal data using computer technology. A situation arose in which a Government resolution contradicts federal law. Moreover, this situation persists to this day (no changes have been made to the resolution). Roskomnadzor in its explanations once again recalls the supremacy of federal law over all bylaws. Consequently, the delusional definitions of non-automated processing of personal data in PP-687 can be forgotten.
About the purposes of processing personal data
The regulator devotes a lot of space to explaining that the personal data collected should not be excessive relative to the purposes of processing. For example, we cannot demand passport data, place of residence and clothing size from an applicant for a vacancy (there was such a violation in one organization where the job involves wearing a uniform). We can demand this data when hiring the person, but in order to consider him as a candidate it is excessive. In its explanation the regulator even gives an example where even consent is not a panacea:
Often, when concluding civil law contracts, subjects are asked to consent to the dissemination of their personal data to third parties. However, when concluding a civil law contract it is unlawful to require the subject to consent to the dissemination of his personal data to third parties, unless the dissemination is stipulated by the contract itself or required by law.
About consent when receiving state and municipal services
... for authorities providing state and municipal services, and other bodies involved in the provision of state and municipal services, the consent of the recipient of the services as a personal data subject is not required. This basis also covers interagency cooperation related to the transfer of personal data for the provision of state and municipal services.
Thus, the multifunctional centers that are actively opening across the country to provide such services need not collect consent to the processing of personal data from applicants.
About collection agencies
The regulator openly lets banks off the leash on the matter of transferring personal data to debt collectors:
In the case of a debt portfolio, banks are entitled to assign the right of claim to a third party without the borrower's consent.
About telecom operators and their dealers
The regulator also openly permits the exchange of personal data between a telecom operator and its dealers and agents without the client's consent, referring to 126-FZ “On Communications”.
About Internet resources, social networks and so on
The regulator writes quite a lot about this. Website owners and ordinary users should find it interesting and useful. I will not comment; I will just quote the most interesting excerpts on this topic from the document.
Thus, an Internet user, when registering on any site, independently decides on the provision of his personal data and gives specific, informed and conscious consent to its processing of his own free will and in his own interest. That is, when using Internet services and in accordance with their privacy policy, the user unconditionally accepts the terms of this policy in full at the moment of using the services. In case of disagreement with any item of the policy, the user is not entitled to use the services.
Frequently, user agreements state that the user understands and agrees that the rights holder has the right to use information in the services, as well as to post user comments submitted and (or) added by means of the services, in official social network groups and other communities of the rights holder on the Internet. Thus, the fact of posting any information (surname, first name, patronymic, e-mail address) on a page of the site implies that the user agrees with the terms of the policy and, therefore, consents to the posting of certain comments on the service.
Also, for example, a personal data subject who registers as a participant in a contest on a website accepts the contest rules posted on the website and thereby assumes the obligations established by these rules. At the same time, the fact of participation in the contest constitutes the specific, informed and conscious consent of the participant to the processing by the contest organizer of the personal data provided by the participant, including surname, first name, patronymic, telephone number and postal address.
A simple electronic signature is an electronic signature that, through the use of codes, passwords or other means, confirms the fact that the electronic signature was generated by a particular person. For example, registration of an Internet user on a site, confirmed by a login and password, signifies the subject's consent to the processing of his personal data.
Roskomnadzor often receives complaints from personal data subjects asking for assistance in deleting accounts on social networks and destroying personal data on certain Internet resources. However, in this case the personal data subject, within the framework of part 1 of the commented article, is entitled to independently contact the site administrator, as the personal data operator, with a demand to delete, update or destroy inaccurate, incomplete or outdated personal data.
Criminal records
The regulator's main idea in answering the question “is a criminal record a special category of personal data?” is that if it is a simple statement of the fact of a criminal record, its presence or absence, it is not a special category; if it comes with details, it is a special category.
About biometrics
In the explanation, the authors essentially cancel the provisions of the previous Roskomnadzor document “On the issues of classifying photo and video images, fingerprint data and other information as biometric personal data and the specifics of their processing”, which determined that photo and video are biometrics. This is what they write this time:
At the same time, a photograph or video image of a person who is a twin, or whose external resemblance to another person is obvious, as well as in cases of plastic surgery, will not allow reliable identification of the subject upon visual assessment of the material media in question. In this regard, biometric information should be characterized by unique physiological and biological data that are characteristic exclusively of one personal data subject, are more or less unchanging and can be reflected on a material medium in the form of digital, graphic or other code information. Such an understanding of biometrics corresponds, for example, to papillary patterns, the pattern of the iris, etc.
The legislator clearly determined that the classification of personal information as biometric personal data should be considered from the point of view of the possibility of establishing or confirming the identity of a particular person. Therefore, biometric personal data can be information that is used to identify or confirm identity by physiological parameters, which presupposes the use of special methods of identification and biometric authentication of the person.
Thus, the legislative concept of biometric data implies not only the presence of certain information about the physiological and biological characteristics of a person, but also the use of biometric methods of personal identification.
It should be noted that the concepts of “video recording” and “photography”, considered in Roskomnadzor's explanations “On the issues of classifying photo and video images, fingerprint data and other information as biometric personal data and the specifics of their processing”, are exclusively material storage media, while this information is not biometric in its essence, since it does not reflect the individual parameters, such as a thermogram of the face, the pattern of the iris or papillary patterns, that allow identity to be established.
And indeed, twins and plastic surgeons are a good argument in the matter of identifying a subject by photo or video. For example, the last time I went abroad, a girl at passport control suspected that I had slipped her someone else's passport and began asking questions about my zodiac sign, when and where I had last been abroad, how long the trip was, etc. All it took was three weeks of stubble... So, photos and videos are not biometrics. But a 3D photo with the geometric parameters of the face is already biometrics!
About the use of personal data for marketing or campaigning purposes
In practice, there are cases when the operator, referring to paragraph 5 of part 1 of Article 6 of the commented law, when concluding a contract with an individual uses the individual's data (telephone number) for advertising mailings in order to promote goods, without obtaining the individual's consent.
However, based on the provisions of Article 6 of the Law on Personal Data, obtaining the subject's consent to the processing of personal data is not required if it is directly related to the performance and (or) conclusion of the contract. The subsequent use of personal data for marketing purposes is in no way connected with the performance of the contract to which the individual is a party or beneficiary. Thus, the personal data operator is required to obtain consent to use the data in order to promote its goods. In case of violation of this requirement, the personal data operator is subject to liability under Article 13.11 of the Administrative Code.
In practice, there are cases of collecting and transferring personal data of subjects for the purpose of political campaigning (sending campaign letters) without the prior consent of the personal data subjects, in violation of the Personal Data Act. Campaign materials are sent to voters with indication of their personal data, which is a violation of the provisions of the Personal Data Law.
Thus, upon receipt of a relevant request from the personal data subject, the operator will be obliged to immediately stop processing his personal data for the purposes of political campaigning.
The legislator has limited the possibility of processing personal data for the purpose of promoting goods, works and services on the market through direct contact with a potential consumer using means of communication, as well as for political campaigning, establishing that processing of information for such purposes is allowed only with the prior consent of the subject.
In practice, cases of requesting the prior consent of the personal data subject to the sending of advertising or other similar correspondence are extremely rare.
Bottom line: SMS mailings and targeted (personalized) political campaigning are not legal if the subject has not given separate consent to them.
Instead of a conclusion
What are my overall impressions of the document? In fact, although there are positive moments and some things really did become clearer, I personally expected more from almost two hundred pages of commentary. Many important things are not disclosed, and in some cases the commentary raises more questions than the commented provision of the law. Although the authors are not particularly to blame for anything, since the origin of many issues is the primary source itself, that is, the federal law. On the other hand, Roskomnadzor is the very body that monitors compliance with the law “On Personal Data”, comes with inspections and punishes when violations are found. I would like more specifics instead of “undefined” and “not clear”. I know from experience that inspectors never say “well, there's some vagueness in the law, so we won't check these things”.
What is the bottom line? Can we use the document as a guideline? No! The document has no legal force, is not registered with the Ministry of Justice, and is the point of view of its authors (albeit high-ranking ones). Can we rely on the document on the controversial issues in 152-FZ? Partly. Firstly, Roskomnadzor cannot interpret legislation (only the legislator can do that, and officials have said so publicly more than once), so the work under review is only a point of view, not an interpretation. Secondly, looking at the question of classifying photos and videos as biometrics, it is clear that yesterday the regulator said one thing, today it says the opposite, and there are no guarantees that tomorrow its opinion will not turn another 180 degrees. Thirdly, representatives of Roskomnadzor's regional offices may not be familiar with this commentary or may not be guided by it.
I, as a person with a technical education who nevertheless has to work a lot with regulatory documents, sometimes wish that laws were written exclusively by techies, for example programmers.