In fact, for any action a user performs on the Internet, some form of processing of that user's personal data takes place.
We do not pay for many of the services we receive on the Internet: searching for information, email, storing our data in the cloud, communicating on social networks, and so on. However, these services are only conditionally free: we pay for them with our data, which these companies then monetize, mainly through advertising.
Currently, data on gender, age, place of residence and search history form the basis of the online advertising industry, which is worth billions of dollars and euros. That is, from a legal point of view, personal data is raw material for doing business. Accordingly, companies make great efforts and spend considerable resources to obtain and process personal data. Surveys conducted in 2018 show that users, understanding the value of their personal data, are becoming more and more unhappy with how companies treat it.
Regulation of the use of this user data has not yet taken shape and lags behind the development of technology, not only in Russia but throughout the world, so the balance of interests between consumers and companies in the model “money - service - data - money” is being built today both by regulators and by tacit agreements between society and companies. Regulators limit the capabilities of IT companies and expand the rights of users: they introduce new laws that give users greater control over the information they provide.
It is interesting to compare the approaches of regulators in European countries and in Russia. In Russia, the main regulations governing the handling of personal data are the Federal Law on Personal Data (152-FZ) and the Code of Administrative Offenses, which directly establishes specific fines for violating the procedure for handling personal data. Administrative fines increased significantly from July 1, 2017. At the same time, new fines were established depending on the type of offense committed. Thus, officials can be fined from 3,000 to 20,000 rubles, individual entrepreneurs from 5,000 to 20,000 rubles, and organizations from 15,000 to 75,000 rubles. Moreover, they can be held liable for several different types of offense, so for different violations the same company may receive several different penalties. But liability is provided precisely for non-compliance with formal requirements, for example if the necessary paperwork is missing; it is not always directly related to the real protection of information. For example, a leak in itself is not a basis for penalties unless other laws are violated. Interestingly, a significant number of violations in the field of handling personal data fall under article 19.7 of the Code of Administrative Offenses of the Russian Federation: “Failure to submit or late submission to the state body (Roskomnadzor) ... its legitimate activities ...”. Notably, much greater liability is provided not for violating the procedure for handling personal data (as indicated above, an average of 30-50 thousand rubles) but for failing to provide (or delaying, or incompletely providing) information on the procedure for handling personal data to Roskomnadzor, which carries a fine of up to 200,000 rubles. That is,
in Russian legislation and in the practice of its application the prevailing trend is “the main thing is that the suit fits”, together with the needs of state bodies for various reports. The real rights of users and the security of their personal data on the Internet are poorly protected. The size of these fines does not correlate in any way with the benefits some companies obtain by violating the rules for handling personal data on the Internet, and does not encourage them to comply with those rules.
In the EU the picture is slightly different. Since May 2018, work with personal data in Europe has been regulated by the rules for processing personal data established by the General Data Protection Regulation (EU Regulation 2016/679 of April 27, 2016, the GDPR). The Regulation is directly applicable in all 28 EU countries. It gives EU residents the possibility of full control over their personal data. In accordance with the GDPR, EU citizens and residents have very broad rights to control their personal data. European users have the right to request confirmation that their data is being processed, the place and purpose of processing, the categories of personal data processed, the third parties to whom personal data is disclosed, and the period during which the data will be processed, as well as to ask the organization to specify the source of the personal data and to require its correction. Moreover, the user has the right to demand that the processing of their data be stopped.
Since May 2018, liability in the form of fines for violating the rules for processing personal data has also applied: under the GDPR, the fine reaches 20 million euros (about 1.5 billion rubles) or 4% of the company's annual global income.
The most important thing is that all this works: companies that violate the rights of users are held accountable, and very seriously. For example, on January 21, 2019, the French National Commission on Informatics and Liberty (CNIL) decided to fine the US company GOOGLE LLC 50 million euros for breaching the GDPR. The amount of the penalty is very large, and it clearly shows what non-compliance with the requirements of the GDPR can cost. What was the punishment for? The French commission determined that during the initial configuration of a mobile device running the Android (Google) operating system, the user does not receive complete information about what Google does with their personal data. The company had not fulfilled its obligations to ensure the transparency of personal data processing and to inform data subjects (articles 12 and 13 of the GDPR). User data retention periods were not precisely regulated. The company lacked the necessary legal basis for the data processing it carried out (article 6 of the GDPR). Google was also accused of improperly obtaining users' consent to the processing of their data for personalized advertising.
Other examples: the German regulator LfDI fined the dating chat application Knuddels 20,000 euros; the Portuguese Barreiro Hospital was accused of improperly controlling access to critical personal data (a fine of 300 thousand euros) and of violating security and data integrity (another 100 thousand euros). Authorities in the UK issued a warning to a Canadian analytics research company: it was ordered to stop processing the personal data of citizens, otherwise it faces a fine of 20 million euros. The Canadian company AggregateIQ, which is engaged in digital marketing and software development, was assessed a fine of 170,000,000 pounds sterling. A cafe in Austria was fined €5,280 for illegal video surveillance (the camera captured part of the sidewalk). That is, any organization covered by the GDPR should not limit itself, in the Russian tradition, to developing regulatory documentation.
Incidentally, a feature of the GDPR is that it applies to all companies that process the personal data of EU residents and citizens, regardless of where the company is located; therefore, Russian companies should pay attention to this Regulation if their services target the European market.
Source: https://habr.com/ru/post/443924/