International personal data protection system


The human right to the protection of personal information is one of the fundamental rights in the modern information world. The technical means used to process such information, and their vulnerabilities, make it possible to access confidential information of third parties, which may harm the person and his interests. In the context of regular and active cross-border interaction, protecting personal data ceases to be only a national problem; international legislation is required that could unify the understanding and standards in force in the field of personal data protection.

General trends

In Russia, the protection of information about citizens is regulated by the Labor Code of the Russian Federation, special legislation, and departmental norms that determine the classes of protection, the rights and obligations of operators, and liability for unlawful processing and distribution of personal data. In most cases, Russian domestic norms are in line with generally accepted international practice. Despite the creation of national communication networks, the Internet continues to be a single information space. National law alone cannot create a regulatory regime that protects internal resources from encroachment by subjects whose activities are regulated by the norms of other states. Nor can national law regulate standards for cross-border exchange of information.

This leads to the need to create a unified international system for the protection of personal data. An additional task is to correlate the Russian system with the international one, eliminate mutually exclusive norms, and introduce provisions where they are lacking today or where existing ones no longer correspond to changing realities.

Currently, there are three equally important trends in international data protection law:

  1. The right to the protection of personal data is recognized as one of the constituent parts of a single fundamental system responsible for protecting human rights. The norms regulating this area are adopted as part of legal acts of a general humanitarian nature, within the framework of the UN and other organizations that are comprehensively responsible for this area. Within this framework, the concept of information human rights has been developed.
  2. Technical and organizational norms governing the standards and processes of information processing and data protection within the framework of a single information space are adopted at the level of the European Union governing bodies - the Council of Europe and the European Commission - and of governing bodies working within the EAEU and other international organizations. This group of norms is of a practical nature, and it is this group that directly regulates preventive and protective measures and liability for violation of an individual's right to the protection of personal data. The ideological and practical know-how developed by the European Union is accepted by countries outside the European world and is willingly included in national law.
  3. Treaties and conventions concluded between two or more countries also sometimes include norms addressing the protection of information about their citizens, the transfer of that information to competent authorities, and procedures for the exchange of citizens' personal data between representatives of the member countries of the agreements.

At the same time, there is no single system or terminology, so standards may differ at different levels of regulation.

Normative regulation

The human right to protect information about oneself originates from the common source of the priority of the interests of the individual, which appeared as a result of the French Revolution. In modern times, fundamental human rights have been enshrined in the Universal Declaration, adopted in 1948. It states that people have the right to protection from interference with their private life and with the privacy of correspondence. This right cannot be violated without legal grounds. The ability to violate these secrets is limited not only for citizens and companies, but also for government agencies. Under an extended interpretation, personal data within the framework of this concept are part of personal life, and no third party is permitted to encroach on them against the person's will. In addition, information about oneself is a kind of asset that has a certain value, and from this point of view, it is also subject to protection.

Regulation of the humanitarian order

This norm was made more specific by the later adopted International Covenant of 1966, which limited the scope of regulation only to public life, and by the European Convention of 1950. On the basis of these documents and public consensus, a kind of concept of information rights was created. It includes:

  • the right to access any information;
  • the right to protection of information about private life, including financial data, information about health and social status;
  • the right to protection of information belonging to the state and business.

International law is now based in most cases on generally accepted concepts that are not officially enshrined. But it is these concepts that become the basis for the development of legal acts that are more utilitarian in nature. There is currently no international agreement, convention or treaty in the field of protecting information about a citizen that has been ratified by the Russian Federation and has priority over national legislation. Bilateral agreements on the exchange of information contain isolated rules concerning particular issues.

Regulation at the level of international institutions

Whereas framework agreements regulate a wide sphere of relations without giving specific concepts and standards, resolutions and other documents issued by the governing bodies of international organizations become binding on their members. Within the framework of the second direction, numerous rules governing the personal data protection system are created at different levels and for different regions. Governance institutions offer their own mechanisms for scrupulous and detailed regulation of the ways and methods of working with data received from citizens. Over the past few years, along with the development of the Internet and technologies, numerous documents have been adopted to regulate this area. Among them:

  1. European Convention for the Protection of Natural Persons in Matters Relating to Automatic Processing of Personal Data, adopted by the Council of Europe in 1985. It covers the collection and processing of information about a person and their life, standards for its storage, rules for providing access to it, and recommended methods of technical and hardware protection of information. The document is both systemic and practical, while remaining fully within the framework of the Declaration. Interestingly, its rules directly exclude any processing of information about such sensitive matters as race, religion and political opinions without legal grounds. Russia adopted this document for itself in 2001.
  2. The 1979 European Parliament resolution "On the protection of individual rights in connection with the progress of informatization" defines the main ideological directions of regulation of this area in relation to the EU member states. It recommended that the European Commission and the European Council immediately develop a package of acts that would protect data on individuals at risk due to the development of technological progress. The resolution indicates the direction in which legislation on the protection of personal information rights needs to develop. This document became the basis for the adoption of several important decrees and directives. These include the Recommendations "On guidelines for the protection of privacy in the interstate exchange of personal data", as well as the directive defining the basic principles for regulating the scope of confidentiality of information. The recommendations, despite their optional name, are actively used in all EU countries by both companies and individuals.

These acts focus on issues such as:

  • unified requirements for methods of automated data processing, applied principles and technologies;
  • rights and obligations of owners of personal data and of operators authorized to process it. Access rights to the data are also regulated;
  • requirements for situations of cross-border data transfer, restrictions on transfer and situations when refusal to transfer is unacceptable;
  • responsibility for violation of human rights to protect information about oneself.

The regulations apply only to the European Union and do not apply to countries outside it, where the protection of personal data is governed by their own national legislation. Nevertheless, they are elaborated in such depth that they formed the basis of national standards, including on issues related to the features of automated data processing.

A separate package of documents was adopted within the framework of the OECD, created in 1948 in order to reorganize Europe according to the Marshall Plan. In 1980, the Privacy Policy Framework Directive was approved. Russia is not a member of this organization. It has repeatedly attempted to join the OECD, but for one reason or another it was refused, like most of the post-Soviet countries. The norms of the directive have not been ratified by the Russian Federation and have not been reflected in domestic legislation.

The creation of the document at the organizational level had two goals:

  • to unify the laws of the OECD member countries. It was assumed that national laws would be brought in line with it;
  • to avoid blocking international exchanges of personal data. Such blocking could be related to the absence of bilateral agreements regulating the cross-border transfer of information, and the directive could become the legal basis for it.

It was assumed that the norms of the directive would become mandatory for application both at the state level and in the private sector. They relate to those groups of personal data that pose a threat to human rights, either as a result of processing that allows information to be lost or because of uses that can cause harm to a person.

Within the framework of the post-Soviet space, the model law "On Personal Data" was approved in 1999 by the CIS Assembly. It introduces the term "personal data", which means information about a person placed on a material medium, which is reliably identified with a specific person. This may include not only personal information, but also all information about the family, career, business, accounts and deposits, and health. The document covers the standards for regulating the processing of personal data and explains how the rights and obligations of operators are determined.

This set of regulatory legal acts most fully regulates the international system for the protection of personal data, but does not solve the main problem - the general unification of the rules and regulations for their processing and transfer.

International treaties

The third mechanism for introducing norms on the protection of personal data into the international legal space is to enshrine them in international treaties concluded between two or more countries. Agreements in which rules on the protection of personal data may be found include:

  • double taxation treaties;
  • agreements on the exchange of information in various fields, public, legal, cultural, even in the fight against cyber terrorism;
  • agreements on cooperation in various fields.

An example of such a document is the Agreement between the Government of the Russian Federation and the Government of the Republic of Cyprus, dedicated to the avoidance of double taxation. Concluded in 1998, with the latest amendments from 2010, it establishes the following parameters for international cooperation regarding the protection of personal data:

  • member states are obliged to provide each other with all information regarding the implementation of the agreement. This information concerns companies and individuals, their financial transactions and tax payments, but it is provided only to bodies related to the collection of tax payments;
  • only public information is provided, which is not a commercial or professional secret;
  • a request cannot be refused solely because the information is held by a bank, another financial institution, nominee holder or trustee, or contains information about the property status of a person.

The chaotic regulation system gives rise to the need to unify international norms on the protection of personal data within a single document issued by an organization whose right to regulate the legal space is recognized by most countries.

The practical aspect of the need for international protection of personal data

From a business point of view, the protection of personal data is of interest to the majority of citizens in the sense of protecting information about their property status, assets and deposits located outside national borders. Moreover, this question is of interest to investors who would like to guarantee the safety of information about their accounts and deposits in Russia.

But even more important is the issue of the protection of personal data of employees of enterprises and organizations and its legal regulation at the international level. In this area, the main burden of work falls on the International Labor Organization (ILO), created at the UN. But at the moment it has not developed a single codified and ratified normative legal act regulating these issues.

Most of the relevant topics are governed by common understanding and customary law. Thus, it is assumed that all data received by the organization during the procedure for hiring an employee should be subject to protection. This includes:

  • information obtained when collecting information about the employee, including using the resources of the security services;
  • information provided by an employee of the company about himself independently;
  • data obtained as a result of testing and questioning.

This information is not formally protected by legislation on the protection of personal data, and its protection is determined only by guidelines of a recommendatory nature. In this case, the recommendations have three independent meanings:

  • their violation is condemned at the public and private levels, within the framework of political and social systems;
  • they serve as the basis for the development of national legislation;
  • the law enforcement practice of international courts is built on them.

In addition to ILO recommendations, codes of practice are issued containing recommended regulations for various labor law issues. Codes of practice are supposed to be oriented towards the development of national legislation, enforcement acts, collective agreements. These acts have no independent normative significance, and states have no obligations to implement them. As part of the protection of employee information, the ILO Code of Practice on the Protection of Employee Personal Data has been issued. The 14th chapter of the Russian Labor Code has almost completely repeated the relevant recommendations of the ILO Code, which suggests that their incorporation into national legislation was successful.

International regulation of the protection of personal data is not yet uniform. A single document has not been adopted at the UN level; many norms are purely advisory in nature. It is notable, however, that when developing normative acts on the protection of personal data at the level of collective agreements or internal standards of the organization, there is no need to wait for the incorporation of the ILO's recommendatory norms into national legislation; they can be used provided that they do not contradict national law.