How much has been said about personal data! Internet entrepreneurs are particularly agitated by the localization story, and it is still not entirely clear how, and to whom, Federal Law 242-FZ applies. So my colleagues from B-152 and I decided to sort it all out with examples and to offer data storage options suitable for very different kinds of companies.
Recall that the law entered into force on September 1, 2015, although it was adopted in the summer of 2014. There is a lot of talk about it, but no judicial practice yet, so we turn to the experience of foreign colleagues.
The essence of the law is that from now on, legal entities working with the personal data of Russian citizens are prohibited from collecting and storing that data abroad: they are obliged to localize the databases in Russia. The law makes important amendments to Federal Law No. 152-FZ "On Personal Data", which entered into force in 2007.
We are far from alone in imposing strict requirements for PD localization. In other countries, such laws have been in force for more than a year.
Vietnam
In 2013, Vietnam obliged the owners of several specific types of resources (news sites, social networks and online games) to localize copies of their data. It is not hard to guess why: to provide the data to the competent authorities and to facilitate the handling of user claims. The Vietnamese authorities did not ban parallel processing of personal data abroad.
China
China addressed cross-border data transfer more severely, but only for one type of personal information. About two years before the Vietnamese, the People's Bank of China issued a Notice to Banking Institutions on the Protection of Personal Financial Information, which prohibited credit institutions from storing, processing or analyzing abroad any personal financial information obtained within the country.
India
In the same year, 2011, the Indian Ministry of Communications and Information Technology approved the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules. Behind this vague name lies a very specific goal: securing special categories of personal data. The Rules define these categories, including passwords, financial information (such as bank account or credit card details), health, sexual orientation and biometric data.
For these categories of PD, the Rules allow transfer to any other company or individual, in India or in another state, only if the recipient ensures the same level of protection, and only in performance of a contract with the data subject or with the subject's consent to the transfer.
Malaysia
The deepest point of today's dive into history is 2010, when Malaysia's Personal Data Protection Act banned the transfer of personal data outside the country. Cross-border transfer is allowed only under certain conditions and in a few exceptional cases: for example, with the consent of the PD subject, where it is necessary to perform a contract between the subject and the operator, or where it is necessary to perform a contract between the operator and a third party concluded at the request, or in the interests, of the PD subject.
Such innovations are not limited to Asia. Australia also banned the transfer of personal data abroad, but only for health data.
Against the backdrop of 242-FZ, though, all the laws and instructions above look like children's fairy tales. Our law is more severe and more specific.
Most disputes arise because the law prohibits storing the personal data of Russian citizens abroad, yet parallel storage is, at first glance, impossible to trace. Moreover, the law contains no legal instruments that address this problem.
The Ministry of Communications has clarified the cross-border transfer question. According to its explanations, citizens' PD initially entered into databases in Russia may be transferred abroad in accordance with the provisions on cross-border data transfer. The ministry also confirmed that remote access to Russian databases may be provided from the territory of other states.
Let's go to practice.
There are no court decisions yet; too little time has passed. So far we can only say that the changes have affected every company operating in the territory of the Russian Federation. What should you do, and how should you organize your work now?
First of all, do not panic. As for what to do next, our colleagues from B-152 advise as follows.
So what to do if:
1. You are a foreign company operating in the territory of the Russian Federation, including through a separate legal entity or branch.
Option 1. Transfer data abroad in depersonalized form.
This means the personal data stays on servers in Russia, while each individual is assigned an ID and only that ID (together with data that does not identify the person) is transferred abroad. Personal data are thus separated from the subject, and abroad they cannot be related to a specific person. Note that this holds only if the ID is random, the table mapping IDs to people never leaves Russia, and the exported attributes themselves do not single out a person; an ID derived by hashing a passport number or e-mail address can be reversed by anyone able to enumerate the inputs. Microsoft offers this approach for working with its services and Microsoft Azure.
Option 2. Cross-border transfer, with the primary, up-to-date database kept in Russia.
As we said, the law does not prohibit processing data abroad, provided the database in the Russian Federation is the most complete and up to date. That is, if collection and storage initially take place in a database in Russia, the personal data may then be transferred abroad and used there. At the moment this is one of the most popular ways of localizing personal data.
The easiest way to implement it is a buffer server in Russia: data first lands on that server, and only then goes abroad. The regulators' position allows this, since the main requirement is met: the primary database is located in Russia.
Recall that, in the view of the Ministry of Communications and Roskomnadzor, databases include paper ones. A filing cabinet of employees' personal files or a table in Excel counts, for example.
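To make Options 1 and 2 concrete, here is an added example (it is not code from the original article, nor from B-152 or Microsoft) that models both on constructed data: every record is written to a store standing in for the Russian primary database or buffer server first, and only a depersonalized projection (random ID plus non-identifying attributes) is forwarded to the foreign side. The class and field names, the choice of which fields count as direct identifiers, and the sample record are all assumptions made for this illustration.

```python
"""Added example: primary store in Russia, depersonalized export abroad.

Not code from the article or from any vendor. Class names, field names and
the sample record are constructed for illustration.
"""
import hashlib
import secrets
from typing import Dict, List, Optional

# Attributes treated as direct identifiers: they never leave the Russian
# store. Which fields count as identifying is a judgement call per dataset.
DIRECT_IDENTIFIERS = frozenset({"full_name", "passport", "phone", "email"})


class RussianPrimaryStore:
    """Stands in for the database or buffer server located in Russia.
    It holds the full records and the only copy of the ID -> person map."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}

    def ingest(self, record: dict) -> str:
        # The ID is random, not derived from the data. A hash of the passport
        # number would look anonymous but can be relinked by anyone who can
        # enumerate candidate passport numbers (see relink() below).
        token = secrets.token_hex(16)
        self._records[token] = dict(record)
        return token

    def reidentify(self, token: str) -> dict:
        """Only the Russian side can map an ID back to a person."""
        return self._records[token]


class ForeignProcessor:
    """Stands in for the processing system abroad. Its ingress check refuses
    anything that still carries a direct identifier."""

    def __init__(self) -> None:
        self.received: List[dict] = []

    def receive(self, projection: dict) -> None:
        if "subject_id" not in projection:
            raise ValueError("export must carry the pseudonymous subject_id")
        leaked = DIRECT_IDENTIFIERS & set(projection)
        if leaked:
            raise ValueError(f"direct identifiers in export: {sorted(leaked)}")
        self.received.append(dict(projection))


def pseudonymise(token: str, record: dict) -> dict:
    """Option 1: replace the person by a random ID and drop identifiers."""
    return {"subject_id": token,
            **{k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}}


def localise_then_export(primary: RussianPrimaryStore,
                         foreign: ForeignProcessor, record: dict) -> str:
    """Option 2 ordering: Russia first, abroad second, and only the
    pseudonymised projection crosses the border."""
    token = primary.ingest(record)
    foreign.receive(pseudonymise(token, primary.reidentify(token)))
    return token


# The anti-pattern: a deterministic hash of an identifier is not
# depersonalisation, because the input space is small enough to enumerate.
def hashed_id(passport: str) -> str:
    return hashlib.sha256(passport.encode()).hexdigest()


def relink(hashed: str, candidate_passports) -> Optional[str]:
    """Dictionary attack: whoever holds the export plus a list of candidate
    passport numbers recovers the person with no help from the Russian side."""
    for candidate in candidate_passports:
        if hashed_id(candidate) == hashed:
            return candidate
    return None


if __name__ == "__main__":
    primary = RussianPrimaryStore()
    foreign = ForeignProcessor()
    # Constructed sample record; the name and passport number are made up.
    token = localise_then_export(primary, foreign, {
        "full_name": "Ivan Ivanov", "passport": "4510 123456",
        "city": "Kazan", "plan": "premium", "last_login": "2015-09-01"})
    print("abroad sees:", foreign.received[0])
    print("Russia can reidentify:", primary.reidentify(token)["full_name"])
    print("hashed ID relinked to:",
          relink(hashed_id("4510 123456"), ["4510 000001", "4510 123456"]))
```

Two things the example is meant to show. First, the foreign side holds nothing that maps back to a person without the Russian store, which is exactly what makes the export depersonalized rather than merely copied. Second, the order of operations is what satisfies Option 2: the record exists in Russia before any projection of it leaves. In a real deployment the ingress check on the foreign side would also look at quasi-identifiers (a city plus a birth date plus a rare plan can single out a person), which this toy check does not attempt.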
2. You are a Russian company
The most obvious route is to move the collection, processing and storage of your personal data bases to the territory of the Russian Federation, using Russian data centers.
The cross-border transfer and depersonalization options described above will suit you too, however.
No separate liability is provided for violating the localization rules. What applies is Art. 13.11 of the Code of Administrative Offences of the Russian Federation, which sets sanctions for violating the established procedure for collecting, storing, using or distributing personal data. The fine is quite small: for legal entities, no more than 10 thousand rubles.
But the fine is not the only measure available. The alternative is entering domain names and network addresses in the register of violators of the rights of personal data subjects, which is perhaps more significant than the fine.
So here is what needs to be done with "yesterday" urgency, in order to understand which of the actions described to take:
- Take an inventory of all your information systems and databases.
- Determine the location of each existing information system and database.
- Use the methods above to localize the databases containing personal data of citizens of the Russian Federation.
Sources:
1. Saveliev A. I. Legislation on data localization and its impact on the e-commerce market in Russia. // Law, 2014, No. 9.
2. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Indian Ministry of Communications and Information Technology.
3. Personal Data Protection Act 2010, Act 709, Official Gazette of Malaysia, June 10, 2010, P.U. (B) 464.