Hosting in law. Where to host the site in the context of "localization of personal data"

It remains a little more than two weeks before the entry into force of the new law on the localization of personal data of Russians. In connection with the new legislation, site owners in RuNet still have many questions about where it is safer to host the site, and what will happen if the personal data of Russian users are primarily collected, processed and stored on servers outside the country. In order to answer these questions and understand where it is worth hosting your site and how not to get into an unpleasant situation involving Roscomnadzor being held accountable for breaking the rule about processing personal data of Russian network users, you need to define general rules for legal regulation of hosting in Russia and designate the limits of legislative regulation of civil law circulation of personal data, which is what this study is dedicated to.


HOSTERS AS INFORMATION MEDIATORS
')
Since immemorial times of the analog era, there were intermediaries who were engaged in business activities related to the provision of services for citizens and economic societies (today it is B2C and B2B). Among them were postmen, warehouse owners, traders and organizers of fairs. In the digital age, all the same services that existed in the real world appeared in the form of digital. Instead of postmen, Internet providers appeared, instead of warehouse owners - hosters, instead of fair organizers - search engines, forums and social networks, well, online stores and web auctions took on the role of market sellers.

For a long time, the principle of "postman immunity" strictly operated in the analog world. And in spite of the fact that the SORM analogue was already used in postal communication centers during the Soviet years, postmen never figured as parties in civil and criminal cases related to the contents of a parcel or letter, with their further prosecution.

However, in the digital era, the time came when the role of information mediators increased markedly in the life of society, and there was a need to endow them with a special legal status.

For a long time, there were no special rules in the Russian legal system regarding the activities of hosters, access providers and operators of web applications. However, the Russian legislator, relying on various international legal experience in network regulation, at a rapid pace began in 2012 to adopt rules imposing new responsibilities and providing for the responsibility of information intermediaries.

It should be noted that currently in international practice there are three legal regimes for the activity of information mediators:
- direct responsibility - for example, China, where information intermediaries have the responsibility of actively monitoring content under the threat of punishment;
- “safe havens” - for example, Singapore, Ghana, Uganda, South Africa and Europe, where information mediators have reliable immunity from liability if they follow the procedure for claims consideration of appeals;
- almost absolute immunity from liability for content created by others - for example, the United States or Chile, where the information broker is not responsible for the content created by others if he does not modify the content. The info broker is only required to remove the content by court order.

The Manila principles , developed in the Philippines in 2015 by representatives of the largest human rights organizations in the field of information dissemination, today formulate in more detail the basic principles of the responsibility of information mediators, including and hosters.

Currently, the model of legal regulation of information intermediaries in Russia is only being formed and so far, it seems, it is a mix of the first and third options.

The existing Russian legislation in the field of IT distinguishes three types of information intermediaries:
1. communication operators (in international practice - ISP);
2. hosting providers;
3. information dissemination organizers (OSP).

In this study, we will consider exclusively the legal regulation of the activities of hosting providers and their responsibility for the content posted and the processing of personal data.

LEGAL REGULATION OF HOSTING IN THE RUSSIAN FEDERATION

For the first time, the definition of a hosting provider appeared in Russian law after the entry into force of the first law providing for restrictions on access to websites. Federal Law dated 28.07.2012 No. 139-FZ, which amended Federal Law No. 149-FZ “on Information”, determined that the hosting provider is a person providing services for the provision of computing power for placing information in a permanently connected information system. to the Internet;

The hosting provider, in accordance with the law, was assigned a special role as an information intermediary. Thus, according to Article 15.1 No. 139-FZ, the hoster, within a day from the receipt of the notice from Roskomnadzor about the inclusion of the site in the registry, is obliged to inform the owner of the website on the Internet about this and notify him of the need to immediately remove the Internet page containing information whose distribution in the Russian Federation is prohibited.

If during the day the site owner does not do this, then the hoster is obliged to restrict access to such a site during the day. If this is not done, Roskomnadzor enters the site along with the domain name, site page pointer on the network (URL) and network address (IP) in the registry, after which all telecom operators are required to restrict access to it.

In 2013, the Anti-Piracy Law ver.1.0 (Federal Law No. 187 of July 2, 2013) introduced article 1253.1 of the Civil Code of the Russian Federation. Thus, another standard was established on the responsibility of hosting providers for placing content in violation of exclusive copyright. In accordance with Art. 1253.1 information intermediary, providing the possibility of placing material in the information and telecommunications network, is not responsible for intellectual property infringement resulting from the placement of material in the information and telecommunications network by a third party or at his instruction, while the information intermediary observes the following conditions:
1) he did not know and should not have known that the use of the relevant result of intellectual activity or means of individualization contained in such material is illegal;
2) he, in case of receipt in writing of a copyright owner's statement on violation of intellectual rights with indication of the website page and (or) network address on the Internet on which such material is posted, took necessary and sufficient measures to stop the violation of intellectual rights in a timely manner. The list of necessary and sufficient measures and the procedure for their implementation may be established by law.

Article 17 No. 149-FZ "On Information" provides for the limitation of liability of the host. So, if the distribution of certain information is restricted or prohibited by federal laws, civil liability for the dissemination of such information is not borne by the person providing the services:
1) or on the transfer of information provided by another person, subject to its transfer without changes and corrections;
2) either by storing information and providing access to it, provided that this person could not know about the illegality of the dissemination of information.

The hosting provider, telecom operator and the owner of the site on the Internet are not responsible to the copyright holder and the user for restricting access to information and (or) restricting its distribution.

The law established that an information mediator who is not responsible for infringement of intellectual rights may be required to protect intellectual rights that are not related to the application of civil liability measures, including the removal of information that violates exclusive rights, or to restrict access to it.

However, an analysis of law enforcement practice showed that, despite the limitation of liability, hosting providers have become quite frequent defendants in trials for a variety of reasons: in the Moscow City Court - on blocking pirated websites, in district courts - on recovering compensation for infringing intellectual rights, as well as on claims of prosecutors in defense of an unlimited circle of persons in connection with the placement of information recognized as illegal by state bodies. Often, if the Claimant cannot or does not want to involve as the Respondent the owner of the Internet resource or the domain administrator (for example, if such a person is outside the jurisdiction of the Russian Federation, it becomes obvious that the court’s decision will be difficult to execute) who have a real opportunity to moderate the content of the site, the claims are presented to the Russian hosting providers, as to the joint respondents. This allows prosecutors, as well as citizens and legal entities, while respecting the principle of jurisdiction, to nevertheless initiate proceedings in Russian courts, filing lawsuits at the location of the hosting providers.

In such cases, the site owner, who is not in the territory of the Russian Federation, but aimed at a Russian audience, is forced to find a compromise with the person who filed a lawsuit in order to prevent blocking of the resource and loss of Internet traffic.

If the foreign website owner does not do this, then the decision is made in the absence of the parties. The hosting provider, as a rule, has no personal interest in the outcome of the case and is not able to send lawyers to different parts of the country, representing the interests of both himself and his clients in a wide variety of cases involving the placement of illegal information. However, even in the absence of guilt, the hoster, as the losing party, is charged with reimbursement of legal expenses, incl. state fees, expenses for providing evidence, lawyers' fees for the Claimant.

In addition to regular subpoenas, Russian hosting providers also receive many other requests from various structures, but most often they are the Ministry of the Interior (Department K) and the FSB. Sometimes precinct.

The tightening of state regulation of the Russian IT sector and the chaotic practice of curbing illegal information in cyberspace undoubtedly affected the decline in the attractiveness of the Russian hosting market. This is recognized by the industry representatives themselves, who at the XXIV All-Russian Hosting Providers Forum, held on May 28-30, 2015 in St. Petersburg, appealed to the Internet Ombudsman to support an initiative to improve the legal situation in the provision of hosting services.

IMMIGRATION SITES

For the last 3 years, Russian Internet users and domestic IT business have been able to observe a sharp pace of legal regulation of information circulation in the network. In swift terms, without any discussion with the public and taking into account the industry's proposals, 6 federal laws were passed, authorizing 5 different authorities to decide on restricting access to Internet sites for more than 15 reasons .

The activities of Roskomnadzor on self-determination of IP addresses of “sites with illegal content”, with further forwarding of requirements to Russian telecom operators to restrict access including to network addresses, naturally led to a violation of the connectivity and integrity of the Russian network. According to the results of public monitoring, more than 260,000 websites were blocked during this time, only because they were located at the same addresses as websites with information to which there were complaints from authorized state bodies and rightholders. The introduction of legislation on child protection, anti-piracy law ver.2.0 with the possibility of perpetual blocking of sites, against the background of non-stop ubiquitous non-system blockages of sites at the request of district and city ​​prosecutors created a generally unfavorable ground for placement in sowing projects in the Russian jurisdiction, and also ready-made b2b and b2c services, forums, blog platforms and other web applications.

The excessive government regulation and the interference of the Russian legislator in the work of the network and the law enforcer created two rules for doing business in RuNet.

The first rule for the implementation of any project on the Internet was the rule not to register domains in the .ru zone. This is due to a number of very real risks:
- the obligation of the Russian domain name registrar to provide all information to third parties (including competitors) about the domain name administrator;
- withdrawal of the domain name by court decision using the norms of the legislation on industrial property;
- an out-of-court procedure for suspending the delegation of a domain name upon the request of the bodies implementing the PSA.

The second rule of doing business in RuNet was storing information on servers located outside the territory of the Russian Federation. This is due to the possibility of disclosure in the Russian Federation of information about the website, customers, and other sensitive information that can be obtained by hackers or at the request of law enforcement, seizure of servers and a number of other risks, which are discussed below.

The indiscriminate blocking of sites along with the constant requirements for providing information and deleting information in the Russian Federation, coupled with a more attractive price / quality indicator for renting server space in EU countries and the USA, led to a massive migration of Russian Internet resources aimed at Russian audiences to foreign hosts where law enforcement practice is more predictable, and the cost of services is lower.

Until 2012, the share of .ru domain zone sites located abroad was 15%, and most of the sites were Russian versions of Internet sites of large international companies. According to the Openstat survey for 2014, only among sites in the .ru zone more than ⅓ of all resources were already hosted abroad. According to Reg.Ru, the German company Hetzner - the largest provider of hosting the zone. Ru - on its servers are 13.8% of the sites of the main domain of Russia.

In 2014, Deputy Klimov presented the results of a study by experts of the All-Russian Popular Front, who selectively examined 9,000 websites of government customers as part of monitoring public procurement. It is rather curious that more than a third of them also ended up on foreign servers, mainly in the USA and Germany. In total, as shown by the ONF study, 1560 federal budgetary institutions, 1230 authorities, 720 municipal institutions and 350 enterprises with strategic attributes use foreign hosting.

COURSE ON REPATRIATION

The increase in legal risks of abruptly shutting down websites with constant pressure on Russian hosts by law enforcement and judicial authorities, as well as rightholders, undoubtedly forced a large number of websites to physically leave for more “safe havens” of foreign jurisdictions. It was obvious that, on the one hand, it damages the economy of the Russian Federation and Russian data centers, on the other hand, it does not allow the bodies that carry out operational search activities to receive information and, if necessary, spy on users of various resources. In order to force Russian websites to return to the servers in the Russian Federation at the highest level, a decision was made to adopt a number of legislative measures.

In neighboring Belarus, they simply legally prohibited residents to host sites outside their homeland (which, despite the prohibitions, is not being implemented almost everywhere). In Russia, however, they decided to follow the path of declaring the direct obligation of the state to protect the personal data of Russians at all costs and ensure the security of the websites of state bodies. Obviously, in the conditions of an impending information war, it is necessary to take all measures to minimize the risks of destruction, blocking and changing information on the official websites of government agencies, as well as to reduce vulnerability from cyber attacks and information espionage.

And if the legal requirement to host state sites on the territory of the Russian Federation, adopted at the end of December 2014 and coming into force on July 1, 2015 was understandable from the point of view of national security, then the imperative requirement of resonant Federal Law No. 242- on the localization of personal data of Russians with September 1, 2015 caused the greatest number of lively discussions and publications at different sites.

It should be noted that Snowden's revelations about the mass NSA surveillance very well formed the new national concept of why personal data (hereinafter - PND) of Russian Internet users and government agencies' websites must be stored on Russian servers without fail.

HOSTING ABROAD IN THE CONTEXT OF PERSONAL DATA

The law on “localization of personal data” has raised a lot of questions for the industry . He was not scolded only lazy. But dura lex sed lex. , , . .

“ ” , №242-:

— ;
— .

? .

№ 242- , « , , , , , , (, ), , ». , , , , .

1 2015 № 149 « , » .15.5, , , , -.

, .

, “ ” “ ”.

-, . , :
— , , , ;
— ;
— ;
— () , , ;

, . : “ , ”.

-, , , ETS №108, . ETS №108 « », 2 .12 , , , . 25 .

, , : , , , , , , , , , , , , , , , , , , , , , , , , , , , , . , : , , , , , , , , , , , , .

-, . .3 27.07.2006 №152 „ “ — , ( ).

, , ( ), . 2 , 28 1981 . , « » ( )”.

, , 1 2013 . , .. , . , , .

, , , . , , “ «» , , , ”. . “ «» , , , ”.

, — , , . — . , e-mail , , . , - “ ” “ ”, , .. .

Fourth, the law does not contain any requirements prohibiting the storage of personal data of Russians on servers outside the territory of the Russian Federation. The only thing that is - is the requirement for the operator to ensure the recording, systematization, accumulation, storage, refinement (update, change), extraction of personal data of citizens of the Russian Federation using databases located in the territory of the Russian Federation.

As the Internet ombudsman and owner of his own hosting, Dmitry Marinichev, rightly pointed out at the St. Petersburg International Legal Forum (May 27-30, 2015):

, , , . , , , . — — , , . . , ?

, -, - , -. “ ” . , .



, :
1. -, ;
2. - . ;
3. - - ( , , );
4. , ;
5. -, , , UGC- (-, , .. -);
6. - , - (landing page), , e-mail ( , .. ).
7. - ( .. “”), : , , , , , , , IP-, , , , , , URL , , , , , cookie , , - . ., - - ;
8. - B2B, / . .
9. ;
10.

, :
1. -, ( , .);
2. ;
3. Web sites that collect biometric data of citizens (including dactyloscopic data, eye iris, DNA tests, height, weight, and others, as well as other physiological or biological characteristics of a person, including the image of a person (photograph and video ), which allow to establish the identity of the person and are used by the operator to identify the person);
4. Payment services;
5. Websites of banks, MFIs and other financial / insurance companies that allow you to submit applications for the provision of financial services;
6. - , , , , , , , , ;
7. - .

, ( , -) , , () . () .

It can be concluded that if the website collects applications only in the form of a name and telephone, or an e-mail, or allows you to exchange e-mails with users indicating only the name and e-mail address, it also does not fall within the localization rule personal data. Protection under the law on personal data is subject only to the information by which it can be determined that this information relates to a specific person. Primary processing, storage and dissemination of information, from which it is impossible to draw an unequivocal conclusion about its belonging to a particular person (including impersonal data) cannot violate the rights and freedoms of an individual, and therefore can be carried out in any place.

, , - “ ” . , . , , - .

, , :
1. -;
2. whether control by Roskomnadzor will be strengthened and how much the number of court proceedings to protect the subject’s rights will increase.

However, despite the legal uncertainty of the law, industry experts agree that it is not worth expecting increased attention from the regulator to all site owners in Runet. And given the many new responsibilities entrusted to the department, it can definitely be said that Roskomnadzor does not have human resources to check more than 3 million companies working in the Runet zone for their compliance with the requirement to localize personal data. . , . , 0,01 (317 ) , . . , Twitter , , Facebook Google .

, . 242-, , IT- () - , .

-. , №242-, - .



, .

First of all, the law “on the localization of personal data” introduced amendments to the laws 152- (On personal data) and 149- (On information) and provides for the creation of a register of violators of the rights of personal data subjects under RosKomNadzor, where from September 1, 2015 Internet resources that violate the requirement to store information about personal data of citizens in the Russian Federation in databases located on the territory of the Russian Federation will be included, and on this basis may be blocked by a court decision.

. , . 13.11 , 500 ( ) 10 . ( ) ( ). , , 2015 . ( ). , , , 700 50 . . . 13.11 8 , ( ).

Administrative responsibility on hosters, as information intermediaries, will not apply.

It is doubtful that the measures taken by the state will be able to significantly increase the demand for the services of data centers in Russia, but to reduce the investment and customer attractiveness is quite, because New rules of regulation cause misunderstanding and fear in many business representatives. According to a study by the European Center for International Political Economy (ECIPE) , the entry into force of the Law on Personal Data will lead to a drop in Russian GDP by 0.27%, which corresponds to 286 billion rubles.

-, , , IT , . - IT-.

- FASTVPS.RU