Personal data protection mode


The legal regime for the protection of personal data (PD) established by Russian law assumes that the right of citizens to protect information about their private life is guaranteed by the state. Laws and other normative acts define the rights and obligations of operators and establish liability for violations of legal requirements.

Terminology and legal regulation

The term "personal data", which denotes a body of information inherently associated with a person's identity that makes it possible to identify him and to determine his personal or financial status, first appeared in the Russian legal field in the mid-1990s. It was then that the Duma adopted the first law addressing the basic issues of personal data protection: the law "On Information", which came into force in 1995 and has since lost its force. It was in this regulation that personal data were first classified as personal information, and bans were placed on their illegitimate:

  • collection;
  • storage;
  • use;
  • dissemination.

The term "personal data" itself did not appear in that law. It first appeared in Russia a little later, in 1997, in Presidential Decree No. 188. That document introduced a definition under which PD meant data on the facts, events and circumstances of a person's private life that make it possible to reliably identify him.

The data protection design proposed by the information law was broadly in line with the model developed and successfully operated in Europe. There was one difference: in European countries, individual rights and the confidentiality of personal information were protected as a single object, whereas in Russia it was decided to focus on the protection of personal data in isolation from human rights. This concept is reflected in the Law on Personal Data.

In 1999, at the level of the Assembly of CIS countries, a model law on personal data was adopted that further specified the definition. A little later, in 2005, Russia ratified the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, a document developed and adopted back in 1981. Ratification meant that domestic legislation had to be amended to comply with the provisions of the Convention. Since the national law was conceptually structured somewhat differently from the Convention, the Convention's norms were reflected in the law, while the regulations adopted by the Government, ministries and departments built the legal framework so that regulation corresponded as closely as possible to the domestic model of personal data protection.

It should be noted that by the time the Convention was ratified, European law on the protection of the information rights of the individual had already moved ahead. Directives of the Council of Europe had been adopted that introduced the following principles:

  • when protecting personal data, the rights of individuals and the interests of companies must be balanced;
  • the applied protection mechanism should not interfere with business.

Russian legislation did not keep pace with these changes. The existing regulatory system and law enforcement practice for the protection of personal data significantly complicate the work of entrepreneurs, especially with regard to the use of automation tools. At the same time, it cannot be clearly shown that this level of regulation brings real benefit to the individuals whose personal data and privacy are protected in this way.

European regulatory system

States that have adopted the norms of the Convention on the Protection of Personal Data without strengthening regulation through bylaws do not burden business entities with additional obligations. Their national legal regime only requires them to fulfill the following necessary conditions:

  • organization of a proper information protection system and its automated processing;
  • training employees in handling confidential information.

The company is completely free in its decisions; it independently chooses:

  • system of applied personal data protection measures;
  • hardware and technical solutions;
  • the quality standards of the organization of security systems by which it is guided;
  • architecture of building information systems.

It is the operator who assesses the presence and relevance of threats and, based on this assessment, plans its organizational measures for the protection of personal data. Most of the laws regulating this area in the countries of the European Union contain a special norm that directly prohibits requiring the use of technical protection measures that are not economically justified.

Russian regulatory system

The Russian personal data regulation system is based on the following principles:

  • the operator of personal data is any organization or entrepreneur that receives and processes such data for purposes other than purely personnel record-keeping;
  • each operator must send Roskomnadzor a notice of the start of data processing activities;
  • that agency has the right to check compliance with legislation on the protection of personal data;
  • upon each receipt of data from an individual, the operator must obtain his signed consent;
  • technical means of protection and software at a certain level of protection must be certified and attested.

All this creates legal chaos and unnecessary administrative barriers that hinder the work of small businesses. Experts believe that some of the by-laws adopted in the field of personal data protection are formal in nature and have nothing to do with solving the practical problems of protecting personal information.

A norm common to European countries and Russia is the requirement to obtain consent to the processing of personal data. A feature of this document is the subject's right to revoke it at any time, if he considers that a particular operator's activity does not provide adequate data protection. In case of withdrawal of consent, the operator is obliged to destroy the information entrusted to it.

In early versions of the law, the process for revoking consent looked like this:

  • the subject of personal data revokes his permission;
  • the operator is obliged to destroy all information within three days from the date of receipt of such notification;
  • the company notifies the citizen of the destruction.

This mechanism is unworkable in practice given the peculiarities of the workflows and business processes of operators such as mobile providers or banks. As a result, the period was extended to 30 days, and the operator was allowed to continue processing the data in some cases.

Biometric data processing is carried out without the citizen's consent if it is necessary in connection with:

  • the operation of international treaties;
  • the work of law enforcement and judicial authorities;
  • cases provided for by special laws, for example, on terrorism.

There are situations in which, under current legislation, a citizen is obliged to disclose his personal data, for example when filing taxes and in similar cases. Access to data under Russian law is difficult and poorly regulated. Sometimes data are not provided even at the request of government agencies, for example the Federal Antimonopoly Service of the Russian Federation, and the matter has to be settled by court decisions. Problems also arise for notaries, for example when establishing the place of residence of a testator, which often opens the way to fraud and to opening an inheritance case at a conveniently chosen notary office.

The legal regime for the protection of personal data is not a frozen system. Legislation changes, and some of its norms are adjusted in the course of law enforcement practice. But knowledge of and compliance with the rules is mandatory for all organizations that work with information affecting the personal rights of citizens.