Is email personal data?

Quite a lot has been written on Habr about personal data (we were asked to call it PD, so be it). The issue has also been discussed on other resources: Toster, forums, blogs and many other places, which only emphasizes its importance.

To make it even more interesting, here is a quote from the Head of Roskomnadzor, Alexander Zharov (who, by the way, has already held this position for 5 years): "... photo, name, phone number and e-mail address allow you to identify a person quite accurately. And the photo and the name Olya are personal data can not be considered as a single e-mail address or phone number. This is a set of data."

As my experience and an analysis of the materials show, the question is whether email is PD or not. Moreover, the Yarovaya law turns PD into just an artifact of unknown importance.


Actually, there are two main positions:

  1. Yes, definitely;
  2. No, because...

For some, this question is not relevant, but for many it very much is: for example, for projects such as Golos, as well as for services that, as a matter of principle, do not want to collect personal data, for example those selling VPN / proxy access, one-time access passwords, virtual SIMs, etc. The legal status of the projects themselves will be covered in one of the following publications; for now, a few explanatory examples.

  1. admin [@] .... ru - this is a very old email address, created by an administrator who is no longer known. The address does not belong to the company, but several people use it at once (the admin, for receiving technical letters; the lawyer, for replies on old projects; the manager, when registering on third-party resources). Which of them does the email identify? After all, Art. 3 of Federal Law No. 152 says: “personal data - any information relating to a directly or indirectly determined or determinable individual (subject of personal data)”. That is about a person, not about people, isn’t it?

  2. Here is the next example: supp@money.yandex.ru is Yandex.Money support, support@ridero.ru is support for the service of the same name, and many others have similar addresses: from ordinary exchangers to banks, from online stores to social networks. As a rule (not always), the replies there come from people. And the correspondence can go on for years: for example, I have a chain in my mail that is more than 3 years old and contains over 500 hundred letters, but I still don’t know the names of those who answer me. Nor do I need to. The question is a different one: are support@, help@ and other technical and customer support addresses also not PD? It seems that the answer is obvious: yes. Can such addresses exist on public, generally available services? Certainly: a simple search through the history of my own mailboxes showed that regional online stores in particular are not averse to this, but there are also replies from much larger companies.

  3. Separately, I would also single out the email addresses of “inverse answers”: those where the letter says something like “this is an automatic letter, you do not need to answer it”. They clearly do not identify anyone, so they are not PD?

  4. You can also recall the numerous temporary email services and realize that in just 30 minutes one address can change several owners. Which of them will it identify, say, in a day?

So, when I, as an IT lawyer, hear that “email is personal data,” a reasonable question immediately arises: “this is a general statement, but there are obvious exceptions to it, so is this conclusion not true?” I should say right away that proving this in court, for example, will be somewhat more difficult, but that is a different matter.

Moving on: what is email in general? To begin with, it is a “technology and service for sending and receiving electronic messages”; that is, e-mail was not originally intended to determine anyone in any way (from the standpoint of legal engineering I actually consider “identify” the far more accurate term, but that is a separate and large question).

And yet, in some cases, email can identify a person: the most common case is when it is used as an HSA (analogue of a handwritten signature). In a little more detail: Art. 160 of the Civil Code says that “the use of facsimile reproduction of a signature by means of mechanical or other copying, electronic signature or other analogue of a handwritten signature is allowed in the cases and in the manner prescribed by the law, other legal acts or agreement of the parties”. At the same time, it is quite difficult to make an email address itself an HSA (its relatively open nature gets in the way), but the usual “login (email) - password” pair works fine. One can also go further (and many do) and arrive at the concept of EDS, which is now very precisely defined in Art. 2 of the Federal Law "On Digital Signatures".

In addition, a mailbox on a given domain is always created as unique (a question to the Habr community: are there any exceptions?). Say, admin@gmail.com cannot be registered twice; in fact, that is why we have mail.ru, inbox.ru, bk.ru, list.ru, or the even more interesting situation in Yandex.Mail (simultaneous registration of a login on different domains). Yandex, by the way, follows the path (see its “Passport” service) where the mailbox identifies the subject unambiguously: for example, a Yandex.Money account is tied to it (Yandex.Money, by the way, is a separate legal entity altogether). State authorities, too, are increasingly using e-mail as an unambiguous identifier of citizens: see, for example, the Order of Rosnomnadzor of June 14, 2007 N GK-389fs. Incidentally, the position of the state authorities itself proves that for them PD is always a set of data: for example, that same email address is accepted if the request is not anonymous. Anonymous requests (without a name and other identifying information) are not accepted for consideration.

That is on the one hand.

On the other hand, in cases where an email address is collected but no identification is carried out by it, the PD question can be solved differently: by not even trying to identify the person in the first place. By the way, that same Golos has a so-called verification, in which a personal / corporate blog on Habr, one's own website or something else is confirmed. And that is a step towards PD, not away from it.

Thus, I would not claim that email is unambiguously and always PD, much less that an email address is never PD. Rather, the current wording of Federal Law No. 152 and other regulatory acts, as well as the positions of the courts, allow this issue to be approached from different sides.

For example: “as a general rule, a legally significant message can be sent via e-mail, facsimile and other communication, carried out in a different form, corresponding to the nature of the message and relations and allowing to reliably determine from whom it originated and to whom it is addressed”, - Paragraph 65 of the Resolution of the Plenum of the Supreme Court of the Russian Federation dated 06.23.2015 No. 25.

Why so, you ask? It is simple: the law itself gives the answer: “The processing of personal data should be limited to the achievement of specific, predetermined and legitimate goals” (Article 5). The goal is what helps to understand whether this is PD and, most importantly, if so, why it is being used.

Finally, I would recommend looking in the direction of a permitted life hack: “For informational support purposes, publicly accessible sources of personal data (including reference books, address books) can be created. Publicly available sources of personal data with the written consent of the subject of personal data may include his ... other personal data communicated by the subject of personal data” (Article 8 of the same Federal Law No. 152).

PS If the topic continues to be of interest, I would like to go on to discuss IP addresses, nicknames and the main collective concept of “behavioral data” (this includes metadata, records of user behavior and much more).

Source: https://habr.com/ru/post/327892/

