The Personal Data Act has entered into force. What's next?
On September 1, the Law on Personal Data entered into force. In order to protect the personal data of ordinary Internet users, it introduces a number of restrictions on their processing. From now on, the Russians should be stored and processed only in Russia. This means that large foreign companies that wish to serve the citizens of the Russian Federation are forced to place their equipment in the country or rent it. In case of non-compliance with the requirements of the law, a measure known to users of Runet is provided - blocking.
The law was immediately perceived ambiguous, both in user circles and among industry representatives. Already, some companies in unofficial channels express an unwillingness to comply with the new law. Formally, they could have been blocked on Tuesday. But the “horror stories” about blocked Facebook threaten to become a reality only after at least January 1, 2016.
The new version of the Law on Personal Data, which contains requirements to store and process data of Russians in the country, was signed by the President of the Russian Federation on December 31, 2014. After eight months, the law came into force.
The operator is offered to determine the nationality of the carrier person independently, but if this issue has not been resolved, then it is proposed to apply the law to all data collected in the territory of the Russian Federation. The requirements do not apply to several types of activities, for example, air travel, the issuance of visas and areas regulated by international law. The law does not prohibit cross-border data transfer. The law requires :
')
It was originally planned that the amendments will enter into force on September 1, 2016 - as stated in the first version of the law. However, the State Duma, under pressure from the Information Policy Committee on December 17, 2014, in the third and final reading, changed the date to January 1, 2015. Later, due to the disagreement of the Internet industry and a number of departments, the date was shifted to September 1.
Law unsuccessfully offered to soften in many ways. The Internet Ombunsman, Dmitry Marinichev, offered to allow the storage of personal user data in foreign countries, if the user agrees to this. We are talking about states that have ratified the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data. At the moment, the document has been ratified by 46 countries, including Russia, the UK, France, Germany and Italy with Spain. At the beginning of this summer, participants in the St. Petersburg Economic Forum handed over their proposals to the President of Russia, Vladimir Putin, on the amendment of the new law. The essence of the proposal was not to punish for non-compliance with the law within a year after its entry into force - until September 1, 2016.
The date of September 1 did not suit many companies. For example, she was criticized at the Large Media Communication Forum in Moscow on May 13, 2015. Then it was suggested that the new amendments would be difficult to comply without previously prepared bylaws and documents, and that within three months the companies would not have time to transfer the data. It is difficult to give even some basic definitions.
The definitions of this term vary from country to country. Different companies may have different opinions about what is considered personal data: it can be everything that concerns a person, or it is just something private, because everyone can learn the name and surname. The definition of the term is different even in the media and government structures. For example, at the time of preparing the law, many sources called personal data any data from Russians. In the law itself, the definition is as follows:
The definition of the head of Roskomnadzor, Alexander Zharov, sounds more narrowly: it is a specific set of data that allows you to accurately identify a person - a photo, an email address, last name, first name and patronymic. That is just someone's photo with the caption "Masha", can not be considered a person. Cannot be personal data email address or phone number. In general, in an interview, Zharov slightly replaces many concepts: he considers spam and targeted advertising to be personal data violations, and storing data in Russia is intended to help fight these phenomena. But his definition coincides with the official commentary of Roskomnadzor:
Probably, according to this principle, checks and blocking of websites will be carried out.
Roscomnadzor monitors the failure to comply with the conditions of the law. Failure to comply with the conditions of the site will be blocked by the court. Also, the court may fine the company up to 300 thousand rubles. Amendments to ensure the implementation of locks have already been made to federal law of 07.27.2006 N 149- “On Information, Information Technologies and Information Protection”.
Website blocking will be performed by communication service providers. Lists for blocking will prepare Roskmonadzor. On August 26, the ministry announced its intention to create an appropriate register called the “Register of violators of the rights of personal data subjects”. Records will include the following data:
On August 28, the spokesman for Roskomnadzor, Vadim Ampelonsky, said that any website could be blocked: Facebook and Wikipedia could be added to the registry. (Wikipedia was indeed blocked a few days before.) But this year Twitter, Google and Facebook are blocked for not complying with the new law: they are not in the inspection plans.
This year, 317 companies will be checked for compliance with the new requirements, 90 of them in September. As Alexander Zharov says , the inspection mechanism will consist in visits of the representative of Roskomnadzor:
It is not known what will stop companies from simply concluding fictitious or valid contracts with Russian data centers without actually transferring personal data.
Roskomnadzor also says that this year they will not check Facebook, Twitter and other major social networking services. The ILV is primarily interested in companies that store a lot of sensitive information: passport data, banking information.
A spokesman for Roskomnadzor, Vadim Ampelyonsky, on September 2 said that the department did not have the opportunity to check Facebook and Google. Facebook has no representative office in Russia, and Google’s office performs marketing functions only. Traditional legal operations (seizure of documents) in such conditions cannot be performed. Most likely, Roskomnadzor will receive complaints from users and ask questions to companies.
At the moment there is not a single giant who officially and openly spoke out against the new law and announced its intention not to comply with its norms. But there are already unconfirmed official reports of the intention to ignore the demands of state bodies. In particular, the newspaper Vedomosti, citing its source, says that on August 24, Thomas Mirup, Facebook's top manager in charge of Scandinavia, Eastern Europe and Russia, spoke with Roshimnadzor’s head Alexander Zharov on high tones and refused to post personal data on the territory Russia. Mirup harshly explained that this is economically unprofitable. He also pointed out the difference in the definition of personal data: in the world's largest social network, information from user accounts is not considered persistent. In turn, Zharov denies such a conversation:
Facebook’s refusal to post personal data in Russia is also denied by a spokesman for Roskomnadzor. Data center market participants know that Facebook does not intend to buy capacity or create their own data centers. One of the largest data centers in Russia has repeatedly offered its services to the American social network, but without success. The technical implementation of the separation of the storage of personal data by region is unlikely: as experts point out, most likely, Facebook stores data by type.
Finally, there are companies that simply did not have time to transfer the required information on time. Only about 10% of the clients of the twenty largest data processing providers in Russia managed to complete the data transfer to the Russian Federation. In any case, the study of two companies at once, Telecom Exchange and 42 Future, says so. “Customers show a fairly high interest in this topic, but they are clearly already late in its implementation. The problem is the lack of understanding of companies, how exactly it is necessary to change the IT infrastructure and business processes, ”the authors note. “Thus, in a number of situations, customers transferred only some of their systems, and for the rest, they stopped activity, waiting for clarifications and additions from regulators,” the study says.
Experts at the ECIPE think tank have calculated that in the case of the most negative scenario, Russia will lose 286 billion rubles from the new law. This is 0.27% of GDP. Investments in the Russian economy will decrease by 1.41%. The recession of the Russian economy will reach 4.1%, taking into account the effect of this new law. Similar laws are already working in Vietnam, China, Indonesia and India - countries where GDP per capita does not exceed $ 5000. ECIPE experts note that Russia will be the first country to introduce full localization of data, with a GDP per capita three times greater than that of these developing countries. Russia may lose its investment attractiveness, as cooperation with a foreign company will require the latest posting of customer information in Russia. And this will entail additional costs. Half of Russia's GDP is provided by the service sector, that is, companies that process a large amount of data. It is known that Brazil abandoned such a law for fear of harming the economy.
The pessimistic forecast of the think tank is easy to criticize: foreign companies rent the computing power of Russian data centers, that is, on the contrary, they bring money. Roskomnadzor, the head of Roskomnadzor, rushes in such extreme optimism: he sees in the technologies of storing and transmitting information the impetus to the development of the national Silicon Valley. The owners of data centers really confirm the growing interest in their services in connection with the new law.
In the case of blocking any major foreign website, you can expect a light form of the Chinese scenario for the development of the local segment of the Network. In China, there is the so-called Great Wall of Fire: it is a firewall on the border of the Chinese Internet that filters all foreign traffic. Many sites are permanently blocked in China, among them there are popular around the world web services. In this case, the market is the largest by the number of inhabitants of the country of the world is divided between local players. The Chinese do not sit on Facebook - it is blocked. Instead, they use QZone, Renren, Pengyou and Kaixin001. The IMDB movie catalog is blocked for a complete list of objectionable documentaries, there is M-time instead. A few copies of Google's Blogger.com boast enviable attendance, thanks in large part to the blocking of the original. Google itself is also blocked, which is in the hands of Chinese Baidu and other local search engines.
On the graph of the distribution of requests, Google’s war with the Chinese government in 2010 and the blockage of 2012 are clearly visible.
Using a VPN in China is not prohibited, but not welcome. Some VPN-enabled services are also blocked. Many Chinese users can bypass and bypass locks. But local substitutes will still be much more popular: Baidu is used by 80%, and the former dominance of the Chinese division of Google has shrunk to a percent. This can happen in Russia: if the same Facebook is blocked, then a small part of its users will continue to go to the site using VPN and Tor, but most will replenish the user base of unlocked social networks.
Site pd-info.ru
Information about the law on the website of the Ministry of Communications and Mass Media
The law was immediately perceived ambiguous, both in user circles and among industry representatives. Already, some companies in unofficial channels express an unwillingness to comply with the new law. Formally, they could have been blocked on Tuesday. But the “horror stories” about blocked Facebook threaten to become a reality only after at least January 1, 2016.
Law
The new version of the Law on Personal Data, which contains requirements to store and process data of Russians in the country, was signed by the President of the Russian Federation on December 31, 2014. After eight months, the law came into force.
The operator is offered to determine the nationality of the carrier person independently, but if this issue has not been resolved, then it is proposed to apply the law to all data collected in the territory of the Russian Federation. The requirements do not apply to several types of activities, for example, air travel, the issuance of visas and areas regulated by international law. The law does not prohibit cross-border data transfer. The law requires :
')
“When collecting personal data, including through the Internet information and telecommunications network, the operator is obliged to ensure recording, systematization, accumulation, storage, refinement (updating, modification), extraction of personal data of citizens of the Russian Federation using databases located in Russian Federation".
It was originally planned that the amendments will enter into force on September 1, 2016 - as stated in the first version of the law. However, the State Duma, under pressure from the Information Policy Committee on December 17, 2014, in the third and final reading, changed the date to January 1, 2015. Later, due to the disagreement of the Internet industry and a number of departments, the date was shifted to September 1.
Law unsuccessfully offered to soften in many ways. The Internet Ombunsman, Dmitry Marinichev, offered to allow the storage of personal user data in foreign countries, if the user agrees to this. We are talking about states that have ratified the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data. At the moment, the document has been ratified by 46 countries, including Russia, the UK, France, Germany and Italy with Spain. At the beginning of this summer, participants in the St. Petersburg Economic Forum handed over their proposals to the President of Russia, Vladimir Putin, on the amendment of the new law. The essence of the proposal was not to punish for non-compliance with the law within a year after its entry into force - until September 1, 2016.
The date of September 1 did not suit many companies. For example, she was criticized at the Large Media Communication Forum in Moscow on May 13, 2015. Then it was suggested that the new amendments would be difficult to comply without previously prepared bylaws and documents, and that within three months the companies would not have time to transfer the data. It is difficult to give even some basic definitions.
What is personal data?
The definitions of this term vary from country to country. Different companies may have different opinions about what is considered personal data: it can be everything that concerns a person, or it is just something private, because everyone can learn the name and surname. The definition of the term is different even in the media and government structures. For example, at the time of preparing the law, many sources called personal data any data from Russians. In the law itself, the definition is as follows:
“Personal data is any information relating to a directly or indirectly determined or designated individual.”
The definition of the head of Roskomnadzor, Alexander Zharov, sounds more narrowly: it is a specific set of data that allows you to accurately identify a person - a photo, an email address, last name, first name and patronymic. That is just someone's photo with the caption "Masha", can not be considered a person. Cannot be personal data email address or phone number. In general, in an interview, Zharov slightly replaces many concepts: he considers spam and targeted advertising to be personal data violations, and storing data in Russia is intended to help fight these phenomena. But his definition coincides with the official commentary of Roskomnadzor:
“So, to the number of data that can not be considered, at least separately from each other as personal, can be attributed: last name, first name, middle name, residential address, email address, telephone number, date of birth. Other identifiers themselves do not uniquely identify a specific individual. Such data should be assigned to personal data only if it is stored and processed together with identifiers, which themselves determine the individual. ”
Probably, according to this principle, checks and blocking of websites will be carried out.
Locks
Roscomnadzor monitors the failure to comply with the conditions of the law. Failure to comply with the conditions of the site will be blocked by the court. Also, the court may fine the company up to 300 thousand rubles. Amendments to ensure the implementation of locks have already been made to federal law of 07.27.2006 N 149- “On Information, Information Technologies and Information Protection”.
Website blocking will be performed by communication service providers. Lists for blocking will prepare Roskmonadzor. On August 26, the ministry announced its intention to create an appropriate register called the “Register of violators of the rights of personal data subjects”. Records will include the following data:
“Domain names and web site indexes that contain illegal information; network addresses that allow identifying sites on the Internet [IP-addresses], an indication of a judicial act that has entered into force on taking measures to restrict access to information, the date and time Roscomnadzor sends information to communication operators for the implementation of measures restricting access to information, and also information on the elimination of violations of the legislation of the Russian Federation in the field of personal data. "
On August 28, the spokesman for Roskomnadzor, Vadim Ampelonsky, said that any website could be blocked: Facebook and Wikipedia could be added to the registry. (Wikipedia was indeed blocked a few days before.) But this year Twitter, Google and Facebook are blocked for not complying with the new law: they are not in the inspection plans.
Checks
This year, 317 companies will be checked for compliance with the new requirements, 90 of them in September. As Alexander Zharov says , the inspection mechanism will consist in visits of the representative of Roskomnadzor:
“The inspector of Roskomnadzor in the course of scheduled inspections will request a contract with a Russian data center or documents confirming the presence of its own data center in our country. The inspection plan is approved by the Prosecutor General’s Office. [...] There may also be unscheduled inspections - as a response measure. For example, if we receive numerous complaints from citizens. ”
It is not known what will stop companies from simply concluding fictitious or valid contracts with Russian data centers without actually transferring personal data.
Roskomnadzor also says that this year they will not check Facebook, Twitter and other major social networking services. The ILV is primarily interested in companies that store a lot of sensitive information: passport data, banking information.
A spokesman for Roskomnadzor, Vadim Ampelyonsky, on September 2 said that the department did not have the opportunity to check Facebook and Google. Facebook has no representative office in Russia, and Google’s office performs marketing functions only. Traditional legal operations (seizure of documents) in such conditions cannot be performed. Most likely, Roskomnadzor will receive complaints from users and ask questions to companies.
What companies have already transferred personal data?
- Alibaba Group , an online trading company and owner of Alibaba.com. The Chinese company leases in the Moscow Linxdatacenter data center about 20 racks (according to other sources - 25-30). Some sources report that there are plans to rent 200 racks. The cost of renting two hundred racks, experts estimate in the amount of from 3 to 4.8 million dollars.
- Booking.com , the most popular tourist site in Russia. June 10, the company announced its intention to comply with the new law. June 31 became aware of the booked Russian data center of the British company IXcellerate. It will store passport data of citizens who book hotels, and data of bank cards used when ordering services.
- Samsung Electronics , an electronics manufacturer. To fulfill the law, DataPro has leased a data center in Moscow. The area of ​​the data center built in 2014 is 16 thousand square meters, it has a total of 3,000 racks.
- There are stories and smaller players. The Doctor at Work service previously leased facilities in the German data center of Leaseweb. The requirement to transfer the personal data of the Russians forced to search for a new host. Many data centers refused to accept the project because of the need to purchase the necessary equipment, and their warehouses were either empty or were frozen due to the unstable exchange rate of the ruble. Searches went from the beginning of December 2014 and continued until mid-2015. We managed to find only three companies. Renting four servers in Germany cost 1077 euros per month or about 19 thousand rubles per server at the December 2014 rate. Rent of nine servers in the new data center cost 2.5 times more expensive: a two-year contract was concluded for 10 million rubles, that is, about 46 thousand rubles per month per server. Prices from other data centers reached 66 thousand per server per month. The advantage of the final situation is independence from currency fluctuations. The service estimates the transfer loss in a million rubles.
- Several other companies. They include Lenov , PayPal, eay , Uber, Citibank and even Google .
Those who refused to comply with the new law
At the moment there is not a single giant who officially and openly spoke out against the new law and announced its intention not to comply with its norms. But there are already unconfirmed official reports of the intention to ignore the demands of state bodies. In particular, the newspaper Vedomosti, citing its source, says that on August 24, Thomas Mirup, Facebook's top manager in charge of Scandinavia, Eastern Europe and Russia, spoke with Roshimnadzor’s head Alexander Zharov on high tones and refused to post personal data on the territory Russia. Mirup harshly explained that this is economically unprofitable. He also pointed out the difference in the definition of personal data: in the world's largest social network, information from user accounts is not considered persistent. In turn, Zharov denies such a conversation:
“I do not know who spread the information that Facebook refused to transfer personal data to Russia. It is not true. The company received all the information they need on the application of the law. I expect to hear their official position in the near future. ”
Facebook’s refusal to post personal data in Russia is also denied by a spokesman for Roskomnadzor. Data center market participants know that Facebook does not intend to buy capacity or create their own data centers. One of the largest data centers in Russia has repeatedly offered its services to the American social network, but without success. The technical implementation of the separation of the storage of personal data by region is unlikely: as experts point out, most likely, Facebook stores data by type.
Finally, there are companies that simply did not have time to transfer the required information on time. Only about 10% of the clients of the twenty largest data processing providers in Russia managed to complete the data transfer to the Russian Federation. In any case, the study of two companies at once, Telecom Exchange and 42 Future, says so. “Customers show a fairly high interest in this topic, but they are clearly already late in its implementation. The problem is the lack of understanding of companies, how exactly it is necessary to change the IT infrastructure and business processes, ”the authors note. “Thus, in a number of situations, customers transferred only some of their systems, and for the rest, they stopped activity, waiting for clarifications and additions from regulators,” the study says.
What will happen next?
Experts at the ECIPE think tank have calculated that in the case of the most negative scenario, Russia will lose 286 billion rubles from the new law. This is 0.27% of GDP. Investments in the Russian economy will decrease by 1.41%. The recession of the Russian economy will reach 4.1%, taking into account the effect of this new law. Similar laws are already working in Vietnam, China, Indonesia and India - countries where GDP per capita does not exceed $ 5000. ECIPE experts note that Russia will be the first country to introduce full localization of data, with a GDP per capita three times greater than that of these developing countries. Russia may lose its investment attractiveness, as cooperation with a foreign company will require the latest posting of customer information in Russia. And this will entail additional costs. Half of Russia's GDP is provided by the service sector, that is, companies that process a large amount of data. It is known that Brazil abandoned such a law for fear of harming the economy.
The pessimistic forecast of the think tank is easy to criticize: foreign companies rent the computing power of Russian data centers, that is, on the contrary, they bring money. Roskomnadzor, the head of Roskomnadzor, rushes in such extreme optimism: he sees in the technologies of storing and transmitting information the impetus to the development of the national Silicon Valley. The owners of data centers really confirm the growing interest in their services in connection with the new law.
In the case of blocking any major foreign website, you can expect a light form of the Chinese scenario for the development of the local segment of the Network. In China, there is the so-called Great Wall of Fire: it is a firewall on the border of the Chinese Internet that filters all foreign traffic. Many sites are permanently blocked in China, among them there are popular around the world web services. In this case, the market is the largest by the number of inhabitants of the country of the world is divided between local players. The Chinese do not sit on Facebook - it is blocked. Instead, they use QZone, Renren, Pengyou and Kaixin001. The IMDB movie catalog is blocked for a complete list of objectionable documentaries, there is M-time instead. A few copies of Google's Blogger.com boast enviable attendance, thanks in large part to the blocking of the original. Google itself is also blocked, which is in the hands of Chinese Baidu and other local search engines.
On the graph of the distribution of requests, Google’s war with the Chinese government in 2010 and the blockage of 2012 are clearly visible.
Using a VPN in China is not prohibited, but not welcome. Some VPN-enabled services are also blocked. Many Chinese users can bypass and bypass locks. But local substitutes will still be much more popular: Baidu is used by 80%, and the former dominance of the Chinese division of Google has shrunk to a percent. This can happen in Russia: if the same Facebook is blocked, then a small part of its users will continue to go to the site using VPN and Tor, but most will replenish the user base of unlocked social networks.
Site pd-info.ru
Information about the law on the website of the Ministry of Communications and Mass Media
Source: https://habr.com/ru/post/355866/
All Articles