Storage of personal data on a foreign hosting: if it is possible, how?
After changes in Russian legislation governing the storage and processing of personal data, following the introduction of the principle of localization of personal data bases and blocking LinkedIn among IT professionals, more and more questions arise about what information can be kept on foreign servers.
We hasten to reassure our freedom-loving readers: to store personal data outside Russia is still allowed, but with reservations. And if you want to comply with Russian legislation and, at the same time, protect data from possible administrative attacks of ill-wishers - this post is for you. We formulated the basic “rules of the game”, according to which today the storage and transfer of personal data of citizens of the Russian Federation abroad is carried out.
Understanding exactly what Russian legislation requires is not easy. True, the Ministry of Communications and Mass Media prepared a memo on the main issues of personal data processing , but you cannot call it clear and intelligible (we draw your attention to this link, anyone can ask a clarifying question to experts of the ministry, do not neglect this possibility). Let's start with the question of what “personal data” is. As cultural people, we must first determine the subject of conversation.
')
The Russian law on personal data states the following:
This is a copy of article 2 of the Council of Europe Convention on the Protection of Individuals with the Automated Processing of Personal Data of 1981. But, unlike the corresponding paper, this wording is not transparent. And not as modern as tracing paper. What kind of information are we talking about?
The Ministry of Communications and Roskomnadzor avoid clarifying the concept of “personal data”, citing the lack of authority. The position of departmental theorists from jurisprudence in this case boils down to a well-known joke: “two lawyers - three opinions”. So, those who want to understand the question in practice have to independently study legal practice and make decisions at their own peril and risk.
The first thing that catches your eye is that the law “On Personal Data” protects only individuals. Moreover, information about them (from the point of view of the law) becomes “personal data” only if it can be correlated with a specific person with certainty.
How much and exactly what information needs to be collected so that they become personal data is a moot point. In the EU countries, almost any information can become personal data if it allows you to somehow select a person, for example, from the mass of site users.
A good analogy here is the detective work. As soon as information becomes sufficient to indicate a criminal, it turns into personal data, even if the detective does not know the real name of that high gentleman, that he is the only suspect who is smoking a pipe.
Indicative in this regard is the regulation N 2016/679 of the European Parliament and the Council of the European Union “On the protection of individuals in the processing of personal data and on the free circulation of such data, as well as on the repeal of Directive 95/46 / EC, effective from May 25, 2018 ”. " .
In it, the term “personal data” also refers to any information relating to an identified individual, but this term is disclosed in detail:
Thus, in Europe, big data can be considered as personal data, if there are enough of them to separate a person from the crowd. Note that Evgeny Chereshnev, the head of Biolink Technologies, introduced the term “Digital DNA” into domestic circulation, which describes a set of “big data”, which makes it possible to accurately identify this particular user. I, as a researcher of new media, use the term “digital footprint” for the same phenomenon.
The Russian Federation shares the basic definition of personal data with European countries, but the approach to compiling their list in the country has been formal for a long time and has been narrower.
Personal data was recognized surname, first name, middle name and phone number, date of birth, date of registration, passport number, TIN, data of the employment contract in various combinations, but not separately.
In addition, specific information is recognized as personal information, such as information about fingerprints , about the human genome, or about its health .
But that's not all. Oleg Efimov, managing partner of the legal partnership " Efimov and Partners ", to whom we turned for advice on the practical side of the issue, clarifies that previously the courts were limited to this, but with a change in the position of Roskomnadzor there was a transition to an expansive interpretation of the term. So, for example, Roskomnadzor unambiguously regards the combination of a name and an email address as personal data.
The updated European legislation also provides for restrictions on the processing of personal data that "reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in trade unions, and data processing regarding health status or sex life." For operations with such information, it is necessary to obtain a separate consent of the subject of personal data.
A similar provision is enshrined in Article 10 of the Law of the Russian Federation “On Personal Data”.
These data can be processed with the written consent of the person to whom they belong, as well as if they are publicly accessible or impersonal.
Russia is among the countries that have signed the Council of Europe Convention on the Protection of Individuals with the Automated Processing of Personal Data of 1981, and therefore can exchange data with other parties to the convention without additional formalities.
Transmission of data to a country not covered by the convention requires the consent of their owner. It can be obtained in writing or requested through the form on the site.
Additionally, the term cross-border data transfer appears in the legal field.
“ Cross-border transfer of personal data - transfer of personal data to the territory of a foreign state to the authority of a foreign state, a foreign individual or a foreign legal entity.”
However, this definition may change. Our expert Oleg Efimov suggests that at the moment there is a draft federal law , where this wording is noticeably simplified: “the cross-border transfer of personal data - the transfer of personal data to the territory of a foreign state”. Those. The binding has changed from the location of the person who owns the server to the geographical location of the server. This project is now undergoing a regulatory impact assessment procedure.
According to the explanations of the Ministry of Communications , in case of cross-border transfer of personal data, the responsibility for their security lies with the receiving party. For example, two data centers with which we closely cooperate are located in the Czech Republic, which signed the 1981 Convention, and belong to a Czech legal entity. In our case, the information will be protected according to Czech laws, which provide more reliable protection against potential risks, including, for example, risks of seizure of equipment.
At the same time, you can transfer personal data without the additional consent of their owners. But lawyers here add that, in accordance with Article 22 of the Federal Law “On Personal Data”, the personal data operator is obliged to notify Roskomnadzor about the presence of a cross-border transfer of personal data, and their subject has the right to receive information about the performed or alleged cross-border data transfer from the operator.
Let's go back to the laws. What is the requirement for the localization of databases with personal data on the territory of the Russian Federation?
Before answering this question, we’ll clarify that all the information collected on the territory of the Russian Federation is recognized by the legislation of Russian citizens if the personal data operator did not specifically specify the issue of citizenship.
The operator “is obliged to ensure the recording, systematization, accumulation, storage, refinement (update, change), extraction of personal data of citizens of the Russian Federation using databases located in the territory of the Russian Federation”.
Oleg Efimov immediately adds that by “processing personal data” they also understand the collection, use, depersonalization, blocking, deletion, destruction of personal data, which are not subject to database localization requirements.
At the same time, for the purposes of professional journalists, the media, scientific, literary or other creative activity, the Federal Law “On Personal Data” provides for an exception to the rule.
In other cases, the operator undertakes to create databases containing the personal data of Russian citizens, and perform various operations with them in Russia.
Image: NewWay.biz
This legal norm will have to be considered when designing the company's IT infrastructure, but it does not prohibit the transfer of personal data bases to servers in other countries.
Experts comment here is:
Since Russian legislation does not have narrow definitions of databases and precise requirements for how personal data should be stored from a technical point of view, the company working with them has a choice.
Neither the civil code, nor GOST R 20886-85, nor the Model Law on personal data in any way limit the form of data storage and allow you to call everything as a localized database: from full-fledged digital storage of any architecture to Excel spreadsheets or paper files.
Withdrawal of equipment, long-term disconnections, illegal blocking - this list does not exhaust the problems faced by users of Russian hosts. In this context, a foreign server is seen as a solution.
Both from the point of view of the subject of personal data, and from the position of the company operating with its data, the same Czech legislation is perfectly suited for hosting databases with such important information as personal data. For example, access to any information or infrastructure of a client located in this country is possible solely by the decision of a Czech court.
In addition, local legislation allows the use of encryption, which in the Russian Federation would require additional certification.
The international standards in force in the EU ensure the security of databases and unimpeded work with them from the territory of the Russian Federation, which also does not contradict the requirements of the Russian law on the localization of personal data, which aims to ensure the presence of foreign companies in Russia.
Compliance with the requirements of the law for domestic organizations is not as burdensome and, with the right approach, does not prevent the use of foreign hosting services as required by business processes and basic business security considerations.
We hasten to reassure our freedom-loving readers: to store personal data outside Russia is still allowed, but with reservations. And if you want to comply with Russian legislation and, at the same time, protect data from possible administrative attacks of ill-wishers - this post is for you. We formulated the basic “rules of the game”, according to which today the storage and transfer of personal data of citizens of the Russian Federation abroad is carried out.
Personalize it: what is meant by the term "personal data"
Understanding exactly what Russian legislation requires is not easy. True, the Ministry of Communications and Mass Media prepared a memo on the main issues of personal data processing , but you cannot call it clear and intelligible (we draw your attention to this link, anyone can ask a clarifying question to experts of the ministry, do not neglect this possibility). Let's start with the question of what “personal data” is. As cultural people, we must first determine the subject of conversation.
')
The Russian law on personal data states the following:
“Personal data - any information relating to a directly or indirectly determined or determined individual”
This is a copy of article 2 of the Council of Europe Convention on the Protection of Individuals with the Automated Processing of Personal Data of 1981. But, unlike the corresponding paper, this wording is not transparent. And not as modern as tracing paper. What kind of information are we talking about?
The Ministry of Communications and Roskomnadzor avoid clarifying the concept of “personal data”, citing the lack of authority. The position of departmental theorists from jurisprudence in this case boils down to a well-known joke: “two lawyers - three opinions”. So, those who want to understand the question in practice have to independently study legal practice and make decisions at their own peril and risk.
The first thing that catches your eye is that the law “On Personal Data” protects only individuals. Moreover, information about them (from the point of view of the law) becomes “personal data” only if it can be correlated with a specific person with certainty.
How much and exactly what information needs to be collected so that they become personal data is a moot point. In the EU countries, almost any information can become personal data if it allows you to somehow select a person, for example, from the mass of site users.
A good analogy here is the detective work. As soon as information becomes sufficient to indicate a criminal, it turns into personal data, even if the detective does not know the real name of that high gentleman, that he is the only suspect who is smoking a pipe.
Indicative in this regard is the regulation N 2016/679 of the European Parliament and the Council of the European Union “On the protection of individuals in the processing of personal data and on the free circulation of such data, as well as on the repeal of Directive 95/46 / EC, effective from May 25, 2018 ”. " .
In it, the term “personal data” also refers to any information relating to an identified individual, but this term is disclosed in detail:
“An identifiable person is a person who can be identified, directly or indirectly, in particular, through such identifiers as name, identification number, location information, online identifier or through one or more signs characteristic of physical, psychological, genetic mental, economic, cultural or social identity of the specified individual. "
Thus, in Europe, big data can be considered as personal data, if there are enough of them to separate a person from the crowd. Note that Evgeny Chereshnev, the head of Biolink Technologies, introduced the term “Digital DNA” into domestic circulation, which describes a set of “big data”, which makes it possible to accurately identify this particular user. I, as a researcher of new media, use the term “digital footprint” for the same phenomenon.
The Russian Federation shares the basic definition of personal data with European countries, but the approach to compiling their list in the country has been formal for a long time and has been narrower.
Personal data was recognized surname, first name, middle name and phone number, date of birth, date of registration, passport number, TIN, data of the employment contract in various combinations, but not separately.
In addition, specific information is recognized as personal information, such as information about fingerprints , about the human genome, or about its health .
But that's not all. Oleg Efimov, managing partner of the legal partnership " Efimov and Partners ", to whom we turned for advice on the practical side of the issue, clarifies that previously the courts were limited to this, but with a change in the position of Roskomnadzor there was a transition to an expansive interpretation of the term. So, for example, Roskomnadzor unambiguously regards the combination of a name and an email address as personal data.
The updated European legislation also provides for restrictions on the processing of personal data that "reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in trade unions, and data processing regarding health status or sex life." For operations with such information, it is necessary to obtain a separate consent of the subject of personal data.
A similar provision is enshrined in Article 10 of the Law of the Russian Federation “On Personal Data”.
"The processing of special categories of personal data relating to race, nationality, political views, religious or philosophical beliefs, health, intimate life, is not allowed."
These data can be processed with the written consent of the person to whom they belong, as well as if they are publicly accessible or impersonal.
Transfer abroad: what is limited is not prohibited
Russia is among the countries that have signed the Council of Europe Convention on the Protection of Individuals with the Automated Processing of Personal Data of 1981, and therefore can exchange data with other parties to the convention without additional formalities.
Transmission of data to a country not covered by the convention requires the consent of their owner. It can be obtained in writing or requested through the form on the site.
Additionally, the term cross-border data transfer appears in the legal field.
“ Cross-border transfer of personal data - transfer of personal data to the territory of a foreign state to the authority of a foreign state, a foreign individual or a foreign legal entity.”
However, this definition may change. Our expert Oleg Efimov suggests that at the moment there is a draft federal law , where this wording is noticeably simplified: “the cross-border transfer of personal data - the transfer of personal data to the territory of a foreign state”. Those. The binding has changed from the location of the person who owns the server to the geographical location of the server. This project is now undergoing a regulatory impact assessment procedure.
Data integrity
According to the explanations of the Ministry of Communications , in case of cross-border transfer of personal data, the responsibility for their security lies with the receiving party. For example, two data centers with which we closely cooperate are located in the Czech Republic, which signed the 1981 Convention, and belong to a Czech legal entity. In our case, the information will be protected according to Czech laws, which provide more reliable protection against potential risks, including, for example, risks of seizure of equipment.
At the same time, you can transfer personal data without the additional consent of their owners. But lawyers here add that, in accordance with Article 22 of the Federal Law “On Personal Data”, the personal data operator is obliged to notify Roskomnadzor about the presence of a cross-border transfer of personal data, and their subject has the right to receive information about the performed or alleged cross-border data transfer from the operator.
What is meant by localization
Let's go back to the laws. What is the requirement for the localization of databases with personal data on the territory of the Russian Federation?
Before answering this question, we’ll clarify that all the information collected on the territory of the Russian Federation is recognized by the legislation of Russian citizens if the personal data operator did not specifically specify the issue of citizenship.
The operator “is obliged to ensure the recording, systematization, accumulation, storage, refinement (update, change), extraction of personal data of citizens of the Russian Federation using databases located in the territory of the Russian Federation”.
Oleg Efimov immediately adds that by “processing personal data” they also understand the collection, use, depersonalization, blocking, deletion, destruction of personal data, which are not subject to database localization requirements.
At the same time, for the purposes of professional journalists, the media, scientific, literary or other creative activity, the Federal Law “On Personal Data” provides for an exception to the rule.
In other cases, the operator undertakes to create databases containing the personal data of Russian citizens, and perform various operations with them in Russia.
Image: NewWay.biz
This legal norm will have to be considered when designing the company's IT infrastructure, but it does not prohibit the transfer of personal data bases to servers in other countries.
Experts comment here is:
To comply with the law, it is important that the main, most complete and current database of personal data remains on the territory of Russia. On other servers, you can place copies or parts of it. Moreover, in such subsidiary databases, personal data can not only be stored, but also processed, but on condition that the data will be used for the same purposes as in the main database.
Since Russian legislation does not have narrow definitions of databases and precise requirements for how personal data should be stored from a technical point of view, the company working with them has a choice.
Neither the civil code, nor GOST R 20886-85, nor the Model Law on personal data in any way limit the form of data storage and allow you to call everything as a localized database: from full-fledged digital storage of any architecture to Excel spreadsheets or paper files.
In the dry residue
Withdrawal of equipment, long-term disconnections, illegal blocking - this list does not exhaust the problems faced by users of Russian hosts. In this context, a foreign server is seen as a solution.
Both from the point of view of the subject of personal data, and from the position of the company operating with its data, the same Czech legislation is perfectly suited for hosting databases with such important information as personal data. For example, access to any information or infrastructure of a client located in this country is possible solely by the decision of a Czech court.
In addition, local legislation allows the use of encryption, which in the Russian Federation would require additional certification.
The international standards in force in the EU ensure the security of databases and unimpeded work with them from the territory of the Russian Federation, which also does not contradict the requirements of the Russian law on the localization of personal data, which aims to ensure the presence of foreign companies in Russia.
Compliance with the requirements of the law for domestic organizations is not as burdensome and, with the right approach, does not prevent the use of foreign hosting services as required by business processes and basic business security considerations.
Source: https://habr.com/ru/post/342332/
All Articles