Business on personal data: how to succeed and not break the law?

“Data is the oil of the digital economy” is an expression that has already become an aphorism. Indeed, in the modern world, user data has become one of the most valuable and sought-after resources. Thus, according to PwC, in 2018, global revenue from using user data will reach $ 300 billion. As for Russia, according to RBC magazine, in 2017 the turnover of the sale and purchase of personal data in Russia amounted to at least 3.3 billion rubles. Moreover, experts predict further intensive growth of this market.

However, the use of personal data in business does not yet have due legal regulation. Current legislation leaves open the question of data turnover and the possibility of their monetization. Also in judicial practice, universal criteria have not yet been formed, which allow finding a balance between the need to protect the privacy of users and the needs of the business community in the digital economy.

Data: Personal, Large or Large User?

• Personal Information
  

The cornerstone for understanding the term “user data” is the normatively fixed notion “personal data” (hereinafter referred to as “PD”). The concept of PD is “rubber” in nature, which does not allow to unambiguously determine which data specifically refers to personal data. At the same time, the general trend now is an extremely broad approach to the concept of PDN - any information relating to an identified or identifiable person. This can be an IP address, ID, mobile phone number or credit card number.
')
At the same time, it is not a secret to anyone that such information is actively processed on the world wide web, becoming the basis for the success of many business projects (advertising, marketing, scoring). And there are not any unambiguous criteria allowing to draw the boundary between PD and Big data.

• Big data
  

In turn, the concept of “big data” (Big data) is even more controversial in nature and is usually revealed through its characteristics:

• large volume (Volume);
  
• great variety (variety);
  
• high rate of accumulation and processing (Velocity);
  
• accuracy (Veracity);
  
• variability (Variability);
  
• value (Value);
  
• visualization;
  
• viability (Viability).
  

The well-known lawyer and professor A. I. Saveliev writes that “big data can be defined as a dynamically changing array of information that is valuable because of its large volumes and the possibility of efficient and fast processing by automated means, which, in turn, makes it possible use for analytics, forecasting and automation of business processes. "

The managing partner of the Digital Rights Center Sarkis Darbinyan, speaking at the BIG DATA 2018 forum, explains their nature: “Big data is volumetric data flows of heterogeneous data that are constantly generated by users of electronic devices and online services or technical devices, and are also processed in real time. "

So far in Russia there is no common understanding and approach to the regulation of Big Data. In addition, discussions are continuing about who should own Big data and how, using them, not to violate the rights to various categories of legally protected data (PD, trade secrets, confidential information, copyright to the database).

• Large user data
  
  

The “crossing” of PDN and Big Data is sometimes referred to as Big User Data. This term has no legal consolidation, however, the head of Roskomnadzor, Alexander Zharov, defined Large user data as “all user data that collects information systems and devices, user profiles on Internet resources, geolocation data, user behavior data on websites”.

Litigation around business projects on personal data

Business projects using Large User Data inevitably face the challenge of complying with PD legislation. So, the following court cases are illustrative examples: Roskomnadzor vs. NBKI , Roskomnadzor vs. MGTS , "HeadHunter" vs. “Robot Faith” , “HeadHunter” vs. FriendWork and VKontakte vs. "Double Data" .

A unified approach to the use of large user data, including those posted by users on social networks, has not yet been worked out, and the positions of various judicial instances are still chaotic. In addition, the parties do not always operate with the legislation on the protection of personal data, but refer to intellectual rights to the database. For example, the rules on the protection of intellectual property rights to the database were used in the cases of the claims of the company «HeadHunter», as well as in the resonant case of VKontakte against Double Data.

The company Double Data collected and used for commercial purposes user data posted on a social network (surnames, names, places of work and study). The company has not received any additional permits. "Vkontakte" upholds the position that such actions violate the exclusive related right to the database, which has arisen at "Vkontakte" as the manufacturer of such a database with user data. “Double Data”, on the contrary, insists on the openness of data, the impossibility to prohibit the reuse of information and the absence of rights from Vkontakte to the database formed by the users themselves. Today (October 2018) it came to SIPa (cassation instance). CIP agreed with the conclusion of the appeals instance that “from the materials of the case it can be seen as the presence of an object of related right (a database of users of a social network), and the existence of an exclusive right of the company“ In Contact ”to the specified object”. The argument of the defendants about the database as a “by-product” of the activity “V Kontakte” was not recognized by the court as justified. However, the CIP sent the case for a new trial to the court of first instance (the date of the meeting is 12/19/2018), and therefore the battle of VKontakte and Double Data is still ongoing. It is seen that after the final resolution of this case, it will become a practical practice and will be a decisive milestone for business development on user data in Russia.

In addition, Roskomnadzor vs case is important for the further fate of business projects on user data. MGTS, in which the court tried to find a balance between the right of users and the interests of the business. The court brought MGTS company to administrative responsibility, having established that transactions on the "resale" of data on subscribers without their consent violate the right to privacy.

The case of Roskomnadzor vs is also interesting. The NBCH, which, though ended in an amicable agreement, but within the framework of consideration of which, the RF Armed Forces concluded that the data after they are posted by users on a social network do not become publicly available according to the meaning of art. 8 of the Federal Law "On Personal Data".

How is a personal data business implemented in practice?

Due to the lack of clear and unambiguous legal approaches (“rules of the game”) on the use of big data, for many years now there have been “gray” services for the sale of personal data. For example, Dark Web, where various types of personal data are sold: from passport data to medical information and passwords from credit cards. According to the results of the study “Black market databases” of the analytical center “MFI Soft” for 2016, the volume of the market of illegal databases in Russia is more than 30 million rubles. And this figure is only growing.

Nevertheless, one should not assume that the business on personal data is a priori illegal. Legal projects aimed at monetizing personal data users are rapidly developing: Opiria, Handshake, Datacoup, GoodData, Pillar Project, Personal and other services.

Moreover, in the world practice there are also examples of offline projects that use PD as a payment. For example, in the American cafe Shiru you can pay the bill with your personal data (names, phone numbers, email addresses, dates of birth and information about interests).

However, many companies are interested not so much in obtaining PD of a specific subject, as in obtaining an array of data reflecting certain features of a number of subjects. Therefore, the value available to other companies have database PDn, Large user data.

Companies often include data transfer clauses in service contracts or similar. In addition, there are interesting projects for the exchange of PD, implemented through agreements between companies on information interaction in the transfer of personal data or other similar content. For example, such agreements are common in medicine.

Also, when describing projects that work with Large User Data, one cannot but mention the Double Data project and similar ones (Clever Data, Scorista, Scorto, FICO, Equifax Credit Bureau, National Bureau of Credit Histories). These projects, for the most part, use data for resale, as well as for scoring and personalizing advertising. They position themselves as working with open data, defending, in the person of NBCH and Double Data, in court their rights to process Large User Data without any additional permission from both users and companies that process PDs.

Separately, it is worth noting the notorious company Cambridge Analytica, which collected for the analysis of political preferences of voters PD users without their consent, including PD users of the social network Facebook. As a result of such actions, not only a political scandal flared up, but inevitably there were legal consequences for both Cambridge Analytica and Facebook. Cambridge Analytica, Facebook declared bankruptcy, and Facebook was fined 500 thousand pounds sterling (about 600 thousand dollars) for non-observance of the rights of PD subjects: the lack of adequate protection of PD users and the lack of transparency in their processing.

In general, the Cambridge Analytica-Facebook scandal has far-reaching consequences, including for Russia. For example, Facebook has begun to block access to “suspicious” services whose activities allow for risks of violating the law on personal data. For example, recently (at the beginning of October 2018) Facebook blocked more than 66 accounts, profiles, pages and applications of a Russian startup, Social Data Hub, which used to compare itself with Cambridge Analytica, and now positions itself as “specializing in the development of artificial intelligence systems” . However, according to the media, the project is also engaged in commercial analysis of user data for the state.

Interestingly, the Social Data Hub website can be found with the answer of Roskomnadzor about the legality of the operation of such a service. However, this did not prevent Facebook from seeing in the activities of Social Data Hub a violation of Facebook user agreement and signs of illegal use of PD. Facebook deleted the accounts of the startup and its employees, and also sent a letter with the requirements:

• immediately stop processing Facebook user data and destroy this data;
  
• provide Facebook with a complete list of all the data used by the company and the organizations that have access to them;
  
• provide Facebook representatives with access to data stores to verify that they are indeed deleted.
  

The representative of "Vkontakte" also noted that the company sent a complaint letter to Social Data Hub. In turn, project managers deny any violation of the legislation on PD, claiming that they "develop software, but do not sell data."

Legal basis for doing business on personal data

From a legal point of view, business projects on user data are implemented using various legal tools. In many ways, this state of affairs is due to the lack of regulatory regulation of the process of monetization of user data. The law only prescribes the mandatory requirements and conditions under which PDs can be collected and processed.

The most common basis for PD processing is the subject’s consent. Obtaining such consent, its “purchase”, lies at the heart of most legal business projects based on user data. It is important to understand that the implementation of such a purchase is far from the classic civil legal understanding of the contract of sale. In addition to directly obtaining consent for a certain property remuneration, PD processing is possible in the execution of contracts concluded with users related to the provision of any goods and services (in most cases, providing access to content on the Internet).

In addition, recently projects are gaining popularity, including ICO-projects, the main purpose of which is to ensure the legal monetization of PD. For example, the platform Opiria . This project allows users to provide consent for the processing of their PD in exchange for PDATA tokens. According to the developers, this platform is a “global decentralized market where companies can buy personal data directly from consumers without intermediaries”. At the same time, Opiria guarantees users the ability to control and manage their personal data in accordance with the requirements of the legislation on personal data.

At the same time, intermediation in business on personal data does not lose its relevance. Many companies are trying to resell or exchange PD. But such projects will comply with the law only when the relevant consents are received for the transfer of PD to third parties and their subsequent processing.

A case in point is the English case of DeepMind , which concluded a PD exchange agreement with the UK National Health Service. However, the parties did not provide for obtaining consent for the transfer and processing of PD of patients by the DeepMind service, and therefore a violation of the legislation on PD was established. Although this case is based on the norms of foreign law, its findings are applicable in Russian realities. We observed a similar position, for example, in the previously mentioned case of the sale of data on its subscribers to MGTS.

In general, in Russia for all business projects on PD, it is extremely important to comply with the general requirements of the legislation on PD. In particular, it is necessary:

• limit the processing of PD to specific, predetermined goals;
  
• limit the volume of data to be processed to the minimum necessary amount for the implementation of the stated goals of their processing;
  
• Do not combine databases containing PDNs that are processed for purposes that are not compatible with each other;
  
• destroy or de-personalize PD upon the achievement of processing objectives or in the event of the loss of the need to achieve these objectives (except as expressly provided by law);
  
• determine the legal basis for PD processing (in most cases this will be the consent of the PD subject, but there may also be an agreement, a legal norm, PD accessibility, otherwise );
  
• comply with the requirements for the form of consent to the processing of PD;
  
• stop processing or ensure the termination of the processing of a PD by another person in the event that the subject withdraws consent to the PD processing.
  

As for projects in the field of Large user data, there are even more controversial legal issues.

• Firstly, there is no single approach to understanding Big Data.
  
• Secondly, legislation only partially regulates the processing of Big Data.
  
• Thirdly, there is no unambiguous position on the use of PDs that are publicly available and impersonal PDn.
  
• Fourth, it is difficult to determine the real value of Large User Data.
  
• Fifth, the aggregation of Large user data by any company may generate this company's intellectual rights to the database. As a result, a conflict of rights arises. A commercial relationship in this area are in their unpredictability like a lottery.
  

It is possible that the situation on the Russian market will change after the final resolution of the Vkontakte dispute against Double data and / or the adoption of any of the initiatives currently being discussed (for example, the bill on the regulation of big data, the bill on the use and transfer to other persons of impersonal personal data, the initiative on the creation of a special platform for managing consent for PD processing).

Also currently in the State Duma is a bill that aims to define the rules regarding such a new object of civil rights as digital rights. The bill proposes to regulate the use of Big data in contractual relations, namely, to fix in the Civil Code of the Russian Federation the construction of an agreement on the provision of information services (Article 783.1). This agreement may provide for the non-disclosure of information to third parties during a certain period. In addition, the bill proposes to expand the concept of “database” based on the need to protect databases based on Big Data.

Final Recommendations

Thus, it is obvious that every year there are more and more business projects in which user data plays a fundamental role. Large user data can be the most valuable intangible asset, and can also become a toxic liability for the company if the wrong approach to the turnover and protection of such data. Economists estimate that such projects are an integral component of the digital economy, and their number will only grow. And even now, despite the emerging legal obstacles, it is quite possible to build a business on user data, if you approach the data responsibly and follow simple recommendations:

• comply with applicable laws;
  
• in the case of uncertainty in the regulatory framework, try to take into account the rights of all stakeholders to the maximum extent possible;
  
• follow judicial practice and legislative initiatives;
  
• timely consult with lawyers in any incomprehensible situation.