So, about a month ago, on September 1, 2015, the Law “On Personal Data” entered into force, requiring the personal data of Russians to be stored on Russian servers. This law, however, like many other Russian laws, is written so that it can be interpreted as broadly as possible, compliance with it is almost impossible to verify, and sometimes compliance itself turns out to be impossible. Take, for example, distributed data storage systems, where information is not physically localized on a single server but is spread around the world. That is, even the presence of a company's servers in the country does not guarantee that anything meaningful is stored on its territory. Moreover, how will companies determine the citizenship of their users, when almost no information resources require passports?
If a foreign company does not have a branch or representative office in Russia, then, according to lawyers, the law does not apply to it. Representatives of Facebook, which has no offices in Russia, have already told Roskomnadzor bluntly that, for economic reasons, they do not consider it necessary to host Russian users' data in this country. In addition, the company does not consider the information it stores to be personal data. What more is there to say, if the agency itself has acknowledged that it cannot verify compliance with the law by foreign companies? The law also made exceptions for airlines, as it turned out that all ticket booking systems in Russia use foreign services. The changes were made in a timely manner, since our deputies risked staying in Russia permanently, which is completely unacceptable for them.
So the law already looks like a sieve. However, from the very beginning it was clear that this law was written only to provide another censorship tool for closing unwanted resources, so discussing it from the standpoint of logic or trying to improve it somehow is meaningless. Suppose, however, that the law really had been written to protect people's rights: what should it look like in that case? In my humble opinion, the user himself has the right to dispose of his information, but at the same time he has every right to know where it will be stored and who can read it. One such solution would be to allow users to choose for themselves in which country their data will be stored, or to tell them in advance when there is only a single option. The best solution would be to write the law using the concept of jurisdiction, and not physical location.
Indeed, as already mentioned, the physical location itself is undefined in some cases and loses its meaning, but even if a company has declared that the data is stored on a server inside the country, it will not be possible to retrieve or verify that data if it is encrypted. So the "low-level" wording of the law is very inconvenient to use. Jurisdiction uniquely determines the country in which your information will be stored, in the legal sense rather than the physical one. Users will be able to choose for themselves or, in any case, will know which country is responsible for storing their personal data.
This is especially valuable given that different countries have different laws on the protection of personal information and on its disclosure on request, including requests from other countries. Not to mention the fact that in some countries the human rights situation is very ambiguous, and Russia, alas, is no exception. By the way, the Russian ombudsman, Dmitry Marinichev, offered a very similar option, which allows information about Russians to be stored on foreign servers with their consent, but, as you know, nobody cares. However, implementing the right to choose a jurisdiction does not require a special law, and I hope that the companies themselves will give users this right. Among other things, such an opportunity will serve as an excellent test of citizens' confidence in the authorities of their country.
References:
In Russia, the law on personal data came into force - Rossiyskaya Gazeta
Processing and storage of personal data in the Russian Federation - Ministry of Communications and Mass Media of the Russian Federation
The speech of the deputy and the speech of the Ombudsman on personal data and state regulation of technologies - Roskomsvoboda
“How are you going to resist progress?” The Personal Data Act: Ombudsman vs. Deputy. Decoding - Meduza
Sanctions to themselves: 286 billion rubles. Russia will lose from the enforcement of the law - Roskomsvoboda
242 Federal Law - Roskomsvoboda
The data on the philosophical views of the Russians will protect a fine - BBC Russian Service