Comments on the changes in the Federal Law No. 149-ФЗ “On Information, Information Technologies and Information Protection”
Good afternoon, colleagues!
Today I want to comment on the new bill generated by the Ministry of Communications and Mass Media of Russia. I apologize in advance for the huge amounts of legislative text, as I will cite interesting passages in the form of quotations. So that dear readers would not make it difficult for themselves to search for the bill in the Consultant.
The preamble of the project is normal. It is about making changes and amendments to the federal law N 149- “On information, information technologies and on information protection”.
Then you can skip if you are too lazy to absorb bureaucratic speech. But better get a grasp, otherwise it will be too late. The State Duma is "not a place for discussion", so, most likely, the law is waiting for us the same as its draft.
So:
')
2) Article 2 shall be supplemented with paragraphs 18.1 - 18.2 as follows:
"18.1) identifier - a unique designation of information about a person, which is necessary to identify such a person through the use of technical and (or) technological methods .;
18.2) identification, authentication of a person - a set of measures for identifying identifiers and (or) information about a person, matching information with an identifier or verifying information, as well as verifying a person’s identity to an identifier (s) by matching identifier (s) with existing ones information about the person, and determining the reasonableness of the use by the person of the identifier (s), carried out in accordance with this Federal Law, other federal m laws, adopted in accordance with the regulations or agreement of the parties, as a result of which the person is considered to be established. ”; (and where about EDS - I)
3) to add the following articles 14.2 - 14.3:
“Article 14.2. Digital profile
1. A digital profile is a collection of information about citizens and legal entities contained in the information systems of state bodies and organizations that exercise separate public authorities in accordance with federal laws, as well as in a single system of identification and authentication.
A digital profile infrastructure is a set of information systems in a single identification and authentication system that provides access to a digital profile.
2. The digital profile infrastructure is created for the exchange of information in electronic form between individuals, organizations, government bodies, local governments.
3. With the help of a digital profile infrastructure, including, it provides:
1) identification and authentication of individuals and legal entities;
2) access to the digital profile and the provision of information included in the digital profile in electronic form to individuals and legal entities;
3) the provision and updating upon request of state bodies, local self-government bodies, organizations exercising separate public authorities in accordance with federal laws, and other organizations (any other? —You comment) organizations on a natural or legal person contained in a digital profile in including those contained in state information systems, information systems of organizations that exercise separate public powers in accordance with federal laws;
4) obtaining and withdrawing consent for the processing of personal data of citizens and information about legal entities in cases involving receipt of information about a citizen or legal entity using a digital profile infrastructure;
5) the provision of information for the formation of requests for state and municipal services or the performance of state and municipal functions;
6) storing information about citizens and legal entities, including the results of the provision of state and municipal services in electronic form, in the manner established by the Government of the Russian Federation.
4. In the cases stipulated by the legislation of the Russian Federation, the consent of the citizen or legal entity to receive information about them using the digital profile infrastructure is not required. In other cases involving the receipt of information using a digital profile infrastructure, information about a citizen or a legal entity using a digital profile infrastructure is provided with the consent of a citizen or legal entity.
5. Information about citizens and legal entities stored in a digital profile infrastructure is provided to it and updated automatically by state bodies, organizations exercising certain public authorities in accordance with federal laws, through a unified system of inter-agency electronic interaction.
State bodies, organizations exercising separate public authorities in accordance with federal laws are obliged to provide the digital profile infrastructure and update this information on an ongoing basis for a period not exceeding 15 seconds from the date of the introduction of changes to the relevant information.
Responsibility in accordance with the legislation of the Russian Federation for the accuracy, completeness and relevance of the information provided by these authorities and organizations.
6. State bodies, organizations exercising separate public authorities in accordance with federal laws are obliged to provide information on citizens and legal entities that are not contained in the digital profile infrastructure, upon request sent with its use. Such information is provided in electronic form by means of a unified system of interagency electronic interaction within a period not exceeding 15 seconds from the time of the request. The receipt of such information by individuals and legal entities is carried out using a digital profile infrastructure.
7. Interagency information interaction is carried out in order to provide state and municipal services on the exchange of documents and information, including in electronic form, in accordance with the Federal Law "On the organization of state and municipal services."
8. The Regulation on the Digital Profile, the procedure for obtaining and submitting information using the digital profile infrastructure, as well as the composition of the information stored in the digital profile infrastructure, are determined by the Government of the Russian Federation.
9. Organizations' requests for obtaining information about citizens and legal entities using the digital profile infrastructure are carried out both on a grant and on a reimbursable basis. The cases, amount and procedure for making payments for sending relevant requests are entitled to be established by the Government of the Russian Federation.
Article 14.3. Identification and authentication of the person
1. In cases provided for by this Federal Law, other federal laws adopted in accordance with them by other regulatory acts of the Russian Federation or a subject of the Russian Federation or by agreement of the parties, the person may be identified and authenticated by applying, in particular, the main identity document of a citizen. Russian Federation on the territory of the Russian Federation (hereinafter - the citizen’s identity card), or one or more identifiers, allows credible to reliably determine the appropriate individual or legal entity.
2. Requirements for a citizen’s identity card, including permissible forms of a citizen’s identity card, the composition of the citizen’s identity card fields and the information included in the citizen’s identity card, the procedure for entering, changing and excluding such information, as well as the procedure for terminating the citizen’s identity card the procedure for using a citizen's identity card shall be established by the Government of the Russian Federation.
Accounting information included in the certificate of a citizen, is carried out using the state information system, the procedure for the creation, development and operation of which is established by the Government of the Russian Federation. The composition of the information provided in the information system specified in this paragraph, provided from such a system, as well as the position and operator (operators) of the specified information system shall be determined by the Government of the Russian Federation.
3. The assignment of identifiers to a person or a legal entity is carried out in accordance with federal laws, adopted in accordance with a normative legal act, or agreements of the parties.
4. When concluding and executing civil transactions, the parties are entitled to use identifiers in relations with each other in accordance with an agreement between them.
5. Unless otherwise provided by federal law, persons are entitled to identify and authenticate individuals and legal entities using information received from the organization specified in paragraph 6 of this article on the basis and in the manner provided by the agreement.
6. A person who confirms the correctness of the identifier or a previously performed identification and authentication of a person can only be:
a) credit organizations, mobile radiotelephone operators, telecommunications operators, occupying a significant position in the public telecommunications network, who have the right to independently provide telecommunications services for data transmission;
b) operators of state information systems;
c) other organizations that meet the requirements established by the Government of the Russian Federation. The procedure for confirming the compliance of organizations with such requirements is determined by the Government of the Russian Federation.
7. The provision of information by an organization specified in paragraph 6 of this article with a view to identifying and authenticating an individual with the consent of such an individual, which can be given in a form allowing to confirm the fact of its receipt. If the identification and authentication of a person is necessary by virtue of federal law or is required by the person’s application, then unless otherwise provided by federal law, the transaction is not made and (or) it does not enter into other legal relations if such consent has not been given.
8. The result of the identification and authentication of a person using information technology tools may be confirmed by an electronic document provided by means of an information system providing remote identification and authentication of a person. Cases where such confirmation is mandatory shall be determined by the Government of the Russian Federation. ”
Article 2
In the Federal Law “On Personal Data” (Collection of Legislation of the Russian Federation, 2006, N 31, Art. 3451):
1) In clause 5 of part 1 of article 6, the words “execution of the contract” shall be replaced by the words “execution of the transaction”; the words “and also for the conclusion of the contract” shall be replaced by the words “to complete the transaction”; the words “or agreements” shall be replaced by the words “or transactions”; add the following with the text ", as well as for negotiating the relevant transaction";
2) Article 9 shall be supplemented with clause 5.1 as follows:
"5.1 When processing personal data using the digital profile infrastructure, if the subject of personal data requires consent to the processing of personal data, the subject of personal data consents to their processing in the digital profile infrastructure in the form of an electronic document signed by an enhanced qualified electronic signature (my your own comment) or by a simple electronic signature, the key of which was obtained at a personal appearance in accordance with the rules for using simple electronic signature when applying for the receipt of state and municipal services in electronic form, established by the Government of the Russian Federation. The withdrawal of such consent is carried out by the subject of personal data in the infrastructure of a digital profile. ";
Now a few of my arguments on everything copied.
First of all, it pleases the fact of the emergence of such bills. The amount of information that is concentrated in the hands of the state and corporations is rapidly growing and is gradually moving into a new quality that allows you to control the masses of people at a new level. And they won't even notice. And here, of course, prescribing at least some algorithms of access to the digital profile of a citizen by the state, corporations and OTHER (other and how to define) organizations is wonderful. Apparently, in the “brave new world” access to digital profiles will be the main authority and the main source of money.
Once the colonialists in the colonies simply stupidly robbed and confiscated everything, then the colonial’s unrestricted access to the sales markets became a sign of the colony, and now it’s a matter of the fact that the colony is a country, all digital data and profiles of which are available for processing and analyzing then by. People will perform in their cozy smartphone and desktop realities only those actions that are beneficial to large foreign uncles. Russia still has hope that the "big uncles" will at least be ours. I would very much like to see in the law the order of access to digital profiles of citizens, but somehow it becomes uncomfortable to live.
But it is necessary to write more about authentication technologies directly in the law. That is, they have given their consent to the processing of personal data using enhanced EDS, and this is excellent. But in my opinion, and “identification, authentication of a person” should be prescribed by law about the use of EDS. Nothing more secure than iron gizmo plus the password from the head has not yet been invented. And the fact that they did not indicate this opens up scope for any ungodly type of face authentication through face recognition.
Today I want to comment on the new bill generated by the Ministry of Communications and Mass Media of Russia. I apologize in advance for the huge amounts of legislative text, as I will cite interesting passages in the form of quotations. So that dear readers would not make it difficult for themselves to search for the bill in the Consultant.
The preamble of the project is normal. It is about making changes and amendments to the federal law N 149- “On information, information technologies and on information protection”.
Then you can skip if you are too lazy to absorb bureaucratic speech. But better get a grasp, otherwise it will be too late. The State Duma is "not a place for discussion", so, most likely, the law is waiting for us the same as its draft.
So:
')
2) Article 2 shall be supplemented with paragraphs 18.1 - 18.2 as follows:
"18.1) identifier - a unique designation of information about a person, which is necessary to identify such a person through the use of technical and (or) technological methods .;
18.2) identification, authentication of a person - a set of measures for identifying identifiers and (or) information about a person, matching information with an identifier or verifying information, as well as verifying a person’s identity to an identifier (s) by matching identifier (s) with existing ones information about the person, and determining the reasonableness of the use by the person of the identifier (s), carried out in accordance with this Federal Law, other federal m laws, adopted in accordance with the regulations or agreement of the parties, as a result of which the person is considered to be established. ”; (and where about EDS - I)
3) to add the following articles 14.2 - 14.3:
“Article 14.2. Digital profile
1. A digital profile is a collection of information about citizens and legal entities contained in the information systems of state bodies and organizations that exercise separate public authorities in accordance with federal laws, as well as in a single system of identification and authentication.
A digital profile infrastructure is a set of information systems in a single identification and authentication system that provides access to a digital profile.
2. The digital profile infrastructure is created for the exchange of information in electronic form between individuals, organizations, government bodies, local governments.
3. With the help of a digital profile infrastructure, including, it provides:
1) identification and authentication of individuals and legal entities;
2) access to the digital profile and the provision of information included in the digital profile in electronic form to individuals and legal entities;
3) the provision and updating upon request of state bodies, local self-government bodies, organizations exercising separate public authorities in accordance with federal laws, and other organizations (any other? —You comment) organizations on a natural or legal person contained in a digital profile in including those contained in state information systems, information systems of organizations that exercise separate public powers in accordance with federal laws;
4) obtaining and withdrawing consent for the processing of personal data of citizens and information about legal entities in cases involving receipt of information about a citizen or legal entity using a digital profile infrastructure;
5) the provision of information for the formation of requests for state and municipal services or the performance of state and municipal functions;
6) storing information about citizens and legal entities, including the results of the provision of state and municipal services in electronic form, in the manner established by the Government of the Russian Federation.
4. In the cases stipulated by the legislation of the Russian Federation, the consent of the citizen or legal entity to receive information about them using the digital profile infrastructure is not required. In other cases involving the receipt of information using a digital profile infrastructure, information about a citizen or a legal entity using a digital profile infrastructure is provided with the consent of a citizen or legal entity.
5. Information about citizens and legal entities stored in a digital profile infrastructure is provided to it and updated automatically by state bodies, organizations exercising certain public authorities in accordance with federal laws, through a unified system of inter-agency electronic interaction.
State bodies, organizations exercising separate public authorities in accordance with federal laws are obliged to provide the digital profile infrastructure and update this information on an ongoing basis for a period not exceeding 15 seconds from the date of the introduction of changes to the relevant information.
Responsibility in accordance with the legislation of the Russian Federation for the accuracy, completeness and relevance of the information provided by these authorities and organizations.
6. State bodies, organizations exercising separate public authorities in accordance with federal laws are obliged to provide information on citizens and legal entities that are not contained in the digital profile infrastructure, upon request sent with its use. Such information is provided in electronic form by means of a unified system of interagency electronic interaction within a period not exceeding 15 seconds from the time of the request. The receipt of such information by individuals and legal entities is carried out using a digital profile infrastructure.
7. Interagency information interaction is carried out in order to provide state and municipal services on the exchange of documents and information, including in electronic form, in accordance with the Federal Law "On the organization of state and municipal services."
8. The Regulation on the Digital Profile, the procedure for obtaining and submitting information using the digital profile infrastructure, as well as the composition of the information stored in the digital profile infrastructure, are determined by the Government of the Russian Federation.
9. Organizations' requests for obtaining information about citizens and legal entities using the digital profile infrastructure are carried out both on a grant and on a reimbursable basis. The cases, amount and procedure for making payments for sending relevant requests are entitled to be established by the Government of the Russian Federation.
Article 14.3. Identification and authentication of the person
1. In cases provided for by this Federal Law, other federal laws adopted in accordance with them by other regulatory acts of the Russian Federation or a subject of the Russian Federation or by agreement of the parties, the person may be identified and authenticated by applying, in particular, the main identity document of a citizen. Russian Federation on the territory of the Russian Federation (hereinafter - the citizen’s identity card), or one or more identifiers, allows credible to reliably determine the appropriate individual or legal entity.
2. Requirements for a citizen’s identity card, including permissible forms of a citizen’s identity card, the composition of the citizen’s identity card fields and the information included in the citizen’s identity card, the procedure for entering, changing and excluding such information, as well as the procedure for terminating the citizen’s identity card the procedure for using a citizen's identity card shall be established by the Government of the Russian Federation.
Accounting information included in the certificate of a citizen, is carried out using the state information system, the procedure for the creation, development and operation of which is established by the Government of the Russian Federation. The composition of the information provided in the information system specified in this paragraph, provided from such a system, as well as the position and operator (operators) of the specified information system shall be determined by the Government of the Russian Federation.
3. The assignment of identifiers to a person or a legal entity is carried out in accordance with federal laws, adopted in accordance with a normative legal act, or agreements of the parties.
4. When concluding and executing civil transactions, the parties are entitled to use identifiers in relations with each other in accordance with an agreement between them.
5. Unless otherwise provided by federal law, persons are entitled to identify and authenticate individuals and legal entities using information received from the organization specified in paragraph 6 of this article on the basis and in the manner provided by the agreement.
6. A person who confirms the correctness of the identifier or a previously performed identification and authentication of a person can only be:
a) credit organizations, mobile radiotelephone operators, telecommunications operators, occupying a significant position in the public telecommunications network, who have the right to independently provide telecommunications services for data transmission;
b) operators of state information systems;
c) other organizations that meet the requirements established by the Government of the Russian Federation. The procedure for confirming the compliance of organizations with such requirements is determined by the Government of the Russian Federation.
7. The provision of information by an organization specified in paragraph 6 of this article with a view to identifying and authenticating an individual with the consent of such an individual, which can be given in a form allowing to confirm the fact of its receipt. If the identification and authentication of a person is necessary by virtue of federal law or is required by the person’s application, then unless otherwise provided by federal law, the transaction is not made and (or) it does not enter into other legal relations if such consent has not been given.
8. The result of the identification and authentication of a person using information technology tools may be confirmed by an electronic document provided by means of an information system providing remote identification and authentication of a person. Cases where such confirmation is mandatory shall be determined by the Government of the Russian Federation. ”
Article 2
In the Federal Law “On Personal Data” (Collection of Legislation of the Russian Federation, 2006, N 31, Art. 3451):
1) In clause 5 of part 1 of article 6, the words “execution of the contract” shall be replaced by the words “execution of the transaction”; the words “and also for the conclusion of the contract” shall be replaced by the words “to complete the transaction”; the words “or agreements” shall be replaced by the words “or transactions”; add the following with the text ", as well as for negotiating the relevant transaction";
2) Article 9 shall be supplemented with clause 5.1 as follows:
"5.1 When processing personal data using the digital profile infrastructure, if the subject of personal data requires consent to the processing of personal data, the subject of personal data consents to their processing in the digital profile infrastructure in the form of an electronic document signed by an enhanced qualified electronic signature (my your own comment) or by a simple electronic signature, the key of which was obtained at a personal appearance in accordance with the rules for using simple electronic signature when applying for the receipt of state and municipal services in electronic form, established by the Government of the Russian Federation. The withdrawal of such consent is carried out by the subject of personal data in the infrastructure of a digital profile. ";
Now a few of my arguments on everything copied.
First of all, it pleases the fact of the emergence of such bills. The amount of information that is concentrated in the hands of the state and corporations is rapidly growing and is gradually moving into a new quality that allows you to control the masses of people at a new level. And they won't even notice. And here, of course, prescribing at least some algorithms of access to the digital profile of a citizen by the state, corporations and OTHER (other and how to define) organizations is wonderful. Apparently, in the “brave new world” access to digital profiles will be the main authority and the main source of money.
Once the colonialists in the colonies simply stupidly robbed and confiscated everything, then the colonial’s unrestricted access to the sales markets became a sign of the colony, and now it’s a matter of the fact that the colony is a country, all digital data and profiles of which are available for processing and analyzing then by. People will perform in their cozy smartphone and desktop realities only those actions that are beneficial to large foreign uncles. Russia still has hope that the "big uncles" will at least be ours. I would very much like to see in the law the order of access to digital profiles of citizens, but somehow it becomes uncomfortable to live.
But it is necessary to write more about authentication technologies directly in the law. That is, they have given their consent to the processing of personal data using enhanced EDS, and this is excellent. But in my opinion, and “identification, authentication of a person” should be prescribed by law about the use of EDS. Nothing more secure than iron gizmo plus the password from the head has not yet been invented. And the fact that they did not indicate this opens up scope for any ungodly type of face authentication through face recognition.
Source: https://habr.com/ru/post/450048/
All Articles