Judicial practice on personal data protection
Various violations of the law on personal data, written orders of Roskomnadzor and protocols on bringing to administrative responsibility force legal entities to resort to court protection. The existing judicial practice is heterogeneous, but quite interesting. We can already say that the courts have developed a unified position regarding certain violations of the law on the protection of personal data. Disputes fall into different categories, and many of them are based on a misunderstanding by citizens, organizations and government bodies of the law on personal data.
The personal data protection system itself has already become the subject of judicial challenge. The most interesting disputes fall for the consideration of the Constitutional and Supreme Courts, less systemic, but significant ones remain at the district level. Knowledge of the practice of applying the law by courts will help operators and individuals to avoid the risks of violating the law and understand that in certain cases it will be impossible to obtain judicial protection.
So, recently, the Constitutional Court of the Russian Federation held a hearing on the constitutionality of a rule of law prohibiting operators from providing personal data processed by them to third parties. The applicant, who asked for information about his colleagues and was refused by the operator to provide personal data, appealed to the Constitutional Court, considering that such a refusal violated his right to defense, and the rule of law was unconstitutional. The court (ruling No. 1158-O) refused the applicant, stressing that the right of a citizen to protect information about his private life is unconditional.
A significant part of disputes about the unlawful distribution of personal data are disputes with the media, which often publish information about the personal life of citizens. The Supreme Court ruled that Roskomnadzor has the right to decide to close a media outlet if it regularly disseminates information about the private life of citizens and otherwise violates legislation on personal data. So, one of the newspapers of the Krasnodar Territory several times published not only the name and surname of the minor, but also the number of the school in which she studies. After receiving a written warning from the department, the publication of personal data of minors, including the law on the media, did not stop. The activity of the newspaper was terminated by the decision of the regional court, the Supreme Court of the Russian Federation in Decision No. 18-APG 15-7 considered the violation to be significant, and this decision was legitimate.
In addition to closing the newspaper, for violation of the law on personal data, civil liability in the form of compensation for moral damage may occur. The court in St. Petersburg and the Leningrad region found it a violation of the law to publish a photograph of a citizen and information about him without obtaining his consent to disseminate personal data. The court recovered moral damage from the Komsomolskaya Pravda newspaper in favor of the citizen for publishing his personal data.
The provision of personal data at the request of government agencies also remains a stumbling block. The law explicitly prohibits their distribution, and sometimes operators, in order to avoid the risks of receiving an order from Roskomnadzor, refuse to transfer them to state bodies, including the FAS RF. In one of these cases, the FAS asked the mobile operator for information about the owner of the telephone number from which numerous advertising messages were received. The organization was fined for refusing to provide personal data. The court considered that the FAS acted in accordance with the law, and the telecom operator was obliged to provide the requested personal data.
Such disputes are rare, the first trial took place in 2016, the second in 2015. More often, there are less significant, but practical cases concerning the illegal distribution of personal data or other ways of using them.
An important systemic issue for organizations and enterprises that hire employees and sell products through online stores is the need to notify Roskomnadzor of the start of personal data processing in the following three cases:
- the company processes the personal data of people looking for work, namely: collects resumes, analyzes them, enters the data obtained by analyzing the resumes into its information bases;
- uses special software, with the help of which it processes the personal data of job seekers and employees;
- uses similar programs to process customer data received via telecommunication channels.
The Fourth Arbitration Court of Appeal in all three cases found that notifying about the start of the personal data processing activity was not necessary.
Other categories of disputes
Every citizen in everyday life is faced with a situation in which he provides his personal data. This is the creation of a personal account in the online store, filling out a questionnaire for obtaining a discount card, issuing a subscription to the pool. Sometimes, at the same time, consent to the processing of personal data is filled in, sometimes organizations providing services forget about this requirement of the law. Few people think about how carefully the data transferred to the operator is stored. But one situation constantly raises controversy and questions. Is the provision of personal data the presentation of a passport at the checkout of the store and the execution of an application when returning the goods? The court considered that this situation was not a violation of personal data legislation. The situation arose at the request of a citizen to the Federal Antimonopoly Service of the Russian Federation, which considered that entering passport data in the application for the return of goods and in the receipt slip is the processing of personal data that is not carried out in accordance with the requirements of the law. The shop was fined. The court did not attribute this situation to the illegal processing of personal data and canceled the fine.
The situation with photographs is just as interesting. A photo as an object containing biometric information can be classified as personal data. In one of the cases it was established that in order to use a photo to issue a pass to the pool, it is necessary to obtain the consent of the citizen to receive his personal data. If since 2013 this situation was considered only as a controversial position of Roskomnadzor, and few of the organizations perceived this as a recommendation for action, then after a court decision confirming it, in each of the situations when a photo is used to issue a pass or personal file, it will be necessary to issue consent to processing personal data.
Quite often, when signing a consent to the processing of personal data, citizens pay attention to the fact that they agree to transfer their information to third parties. These third parties are not always specified in detail. Rospotrebnadzor very often corrected banks that did not specify such lists. Recently, four courts of appeal supported the position of Rospotrebnadzor, drawing the attention of banks to the fact that the list of persons to whom personal data is transferred must be specific.
But systemic problems are not solved as often as typical problems arise for medical or educational institutions, whose managers, when providing their professional services, do not always issue their clients' consent to the processing of personal data. So, in one of the clinics of the Samara region, during medical examinations, the personal data of citizens were entered into outpatient cards, while consent to such processing was not obtained from them. For this violation, the magistrate's court brought the director of a medical organization to responsibility under Art. 13.1 of the Administrative Code and fined 500 rubles. The regional court completely agreed with the peace. Thus, now a medical organization, when providing any type of medical care, in which personal data of patients are obtained for inclusion in outpatient records or in reporting, is obliged to draw up a consent.
If we consider the practice of applying this norm throughout the country, we can see that cases of prosecution are still isolated and violators get off with minimal fines.
Plaintiffs and Defendants
Regardless of how the practice is shaped, it is necessary to analyze the typical plaintiffs and defendants in disputes in these categories. There are two categories of plaintiffs:
- citizens who consider their rights to the protection of personal data and to receive them infringed and send claims to organizations;
- state bodies defending their right to bring personal data operators to justice.
Legal entities - personal data controllers - usually act as respondents. Only in disputes about in which case it is not necessary to notify Roskomnadzor do they become plaintiffs and successfully win disputes. If a legal entity becomes a defendant in disputes related to personal data, then most often it constantly interacts with an unlimited number of individuals and does not always accurately comply with the norms of legislation on personal data, in some cases it illegally transferring it to third parties. Such defendants include:
- newspapers and other media;
- the shops;
- mobile operators.
Often, a similar situation becomes the subject of legal proceedings if a private person drew attention to it, and does not fall into the field of view of the court and Roskomnadzor in dozens of other cases when consent to the processing of personal data is required. The interest of a private person often becomes compensation for moral damage in material form, for him it does not matter which legislation, on consumer rights or on the protection of personal data, has been violated.
Analyzing judicial practice, one can see that very often the courts correct state bodies that misinterpret their rights. But just as often they stand up for the protection of the interests of citizens and the protection of the secrets of their personal life, prohibiting the unlawful dissemination of personal data.