Belarus has submitted a draft law on the protection of personal data - what is “inside”?
At the end of the spring, the GDPR regulation came into force in the EU. A month ago, a law was signed in the United States that obliges companies to inform customers and authorities about data “leaks” no later than one month after the incident occurred.
This year, new bills related to PD also appeared in Belarus. First, in April of this year, parliamentarians adopted amendments to the law on the media, obliging users to pass identification before posting comments on the forums. And now the authorities have submitted a draft law on personal data.
Under the cat we tell about its essence and the reaction of the community.
/ Pxhere / PD
The draft law was proposed at the National Center for Legislation and Legal Research of the Republic of Belarus ( NCLI ). In June, a delegation from the Center went to Paris to meet with members of the French Data Protection Commission ( CNIL ) in order to learn from their European colleagues and immediately put it into practice.
The draft law was presented in early July. It contains six chapters and twenty-two articles, which describe the rules for working with PD in Belarus. Discussion of the bill will last until August 11 of this year.
The main actors in the document are the subject and operator of personal data. A PD is a person whose data is collected, stored or processed. A PD operator is a company or an individual entrepreneur processing PD in Belarus. Directly under the personal data the regulator understands any information on the basis of which a person can be identified. This information, including, can be biometric (fingerprints) and genetic indicators (DNA).
These and other definitions can be found in the first article on pages 1 and 2 of the official document .
According to the text of the bill, the subject of PD has the right to:
The operator of PD, in turn, is obliged to obtain from the subject consent to the processing of PD, explain for what purpose this data is used and protect them from compromise.
Article 17 ( pp. 16-17 of the document ) lists the measures necessary for this. Among them: the creation of security policies, the establishment of procedures for access to PD, the introduction of technical and cryptographic protection of information and others. It also noted that for this, companies will need to be guided by the provisions of the Operational Analytical Center under the President of the Republic of Belarus ( OAC No. 62 ) - this is the state body of Belarus regulating information protection activities.
The list of requirements for creating an information protection system established by the OAC is rather complicated and includes more than 50 items. And the organization of the necessary security mechanisms takes time and money. Based on this, it can be assumed that it will be difficult for small and medium-sized businesses to independently fulfill all the conditions.
However, the new law states that the operator may entrust the collection, processing and distribution of PD to a third party, that is, transfer it to an outsourcing. This third party may be, for example, a cloud provider that will monitor compliance with the security requirements of personal data.
For example, we in 1cloud recently placed our equipment in the data center beCloud, located in the suburbs of Minsk. This data center is Tier III certified, which ensures the safety and availability of data and information systems in accordance with the legislation of the Republic of Belarus.
Initially, our decision to place our “hardware” in the Belarusian data center was not related to the new draft law - this was what customers of Belarus asked us earlier. The fact is that according to the Decree of the President of the Republic of Belarus No. 60 and the Resolution of the Council of Ministers of the Republic of Belarus No. 644Commercial sites in the Republic of Belarus should be located on the equipment located in the country. However, now these tasks have been added to processing PDs, some of which can be “delegated” to the local cloud provider:
Note that operators do not need to register in any registry. There is no need to store the data of Belarusians locally (according to the new draft law), but it is important to take into account the requirements of the same Decree No. 60 and Decree No. 644 - regardless of the domain, all legal entities or individual entrepreneurs in Belarus should go to the Belarusian hosting. In addition, companies will have to appoint a PD protection officer (as in the GDPR) who will be responsible for organizing work with personal data (this can be either an individual employee or a whole department).
The size of fines "for inconsistency with the letter of the law" has not yet been spelled out, however, it is known that violators will be held liable in accordance with legislative acts and will reimburse moral and material damage to the subjects of AP (Art. 20, pp . 18-19 ).
If user data is stolen, the operator must inform the regulator of a “leak” within three days after the incident became known. However, if the incident was minor and does not harm the rights of the subject of the AP, then you will not have to report it. The regulator in this case is the authorized body for the protection of the rights of the subjects of the PD. According to Article 18 on pp. 17-18, he will protect the rights of owners of personal data, consider their complaints, and also ensure that operators comply with the requirements of the law (for example, deleting or blocking inaccurate data).
The law will affect all organizations that work with PD (IP, legal entities, site owners and others): they will need to create policies to work with PD, assign a DPO, implement protective measures, and so on.
The requirements of the law will apply to both automated data processing and manual processing when information is collected in catalogs and filing cabinets.
However, the law provides for a number of exceptions. For example, obtaining consent for the treatment of PD is not required if the life and health of the subject is in danger. The exception also applies to journalists when they conduct their legitimate professional activities, and scientists who conduct statistical research (with the mandatory depersonalization of data). A complete list of exceptions can be found in articles 6, 9official document.
/ Flickr / Book Catalog / CC
People who participated in the public discussion of the submitted law, note that some of the wording in the bill is “lame”. One of the users, for example, complained about the redundancy of terms for operations with PD. It is not completely clear why each time it is necessary to single out such concepts as “collection, processing and storage”, when only the term “processing” can be used, as is done in the GDPR or the RF law .
Another of the users of the Legal Forum of Belarus noted the discrepancy in the requirements for the protection of PD in paragraphs 3 and 5 of Article 17. The third paragraph prescribes the organization of technical and cryptographic protection to be guided by the OAC order, but in the fifth paragraph it is stated that the classification (and, accordingly, the degree of protection) of information systems will be determined by a different state body.
More users felt that the definition of operator PD does not give an idea of who he is, and what he does. They also noted that the draft law lacks legal norms establishing the powers of the president and the Council of Ministers of the Republic of Belarus in this area, and hoped that in the future, appropriate amendments, clarifications and changes would be made in the text.
Discussion of the bill will last until August 11. After that, if the law is passed, the operators will have a year to prepare for its entry into force.
This year, new bills related to PD also appeared in Belarus. First, in April of this year, parliamentarians adopted amendments to the law on the media, obliging users to pass identification before posting comments on the forums. And now the authorities have submitted a draft law on personal data.
Under the cat we tell about its essence and the reaction of the community.
/ Pxhere / PD
The essence of the bill
The draft law was proposed at the National Center for Legislation and Legal Research of the Republic of Belarus ( NCLI ). In June, a delegation from the Center went to Paris to meet with members of the French Data Protection Commission ( CNIL ) in order to learn from their European colleagues and immediately put it into practice.
The draft law was presented in early July. It contains six chapters and twenty-two articles, which describe the rules for working with PD in Belarus. Discussion of the bill will last until August 11 of this year.
The main actors in the document are the subject and operator of personal data. A PD is a person whose data is collected, stored or processed. A PD operator is a company or an individual entrepreneur processing PD in Belarus. Directly under the personal data the regulator understands any information on the basis of which a person can be identified. This information, including, can be biometric (fingerprints) and genetic indicators (DNA).
These and other definitions can be found in the first article on pages 1 and 2 of the official document .
According to the text of the bill, the subject of PD has the right to:
- Give your consent to the processing of PD and withdraw it;
- Require changes to be made to PD, as well as delete or stop their processing;
- Receive information that his PD were transferred to a third party;
- Submit complaints to the regulator to the operator.
The operator of PD, in turn, is obliged to obtain from the subject consent to the processing of PD, explain for what purpose this data is used and protect them from compromise.
Article 17 ( pp. 16-17 of the document ) lists the measures necessary for this. Among them: the creation of security policies, the establishment of procedures for access to PD, the introduction of technical and cryptographic protection of information and others. It also noted that for this, companies will need to be guided by the provisions of the Operational Analytical Center under the President of the Republic of Belarus ( OAC No. 62 ) - this is the state body of Belarus regulating information protection activities.
The list of requirements for creating an information protection system established by the OAC is rather complicated and includes more than 50 items. And the organization of the necessary security mechanisms takes time and money. Based on this, it can be assumed that it will be difficult for small and medium-sized businesses to independently fulfill all the conditions.
However, the new law states that the operator may entrust the collection, processing and distribution of PD to a third party, that is, transfer it to an outsourcing. This third party may be, for example, a cloud provider that will monitor compliance with the security requirements of personal data.
“If the equipment of the cloud provider is located in large data centers with strict access control and redundancy systems, this automatically closes part of the requirements of the regulations relating to physical data protection, security of virtual infrastructure and auditing,” says Sergey Belkin, head of development at 1cloud .
For example, we in 1cloud recently placed our equipment in the data center beCloud, located in the suburbs of Minsk. This data center is Tier III certified, which ensures the safety and availability of data and information systems in accordance with the legislation of the Republic of Belarus.
Initially, our decision to place our “hardware” in the Belarusian data center was not related to the new draft law - this was what customers of Belarus asked us earlier. The fact is that according to the Decree of the President of the Republic of Belarus No. 60 and the Resolution of the Council of Ministers of the Republic of Belarus No. 644Commercial sites in the Republic of Belarus should be located on the equipment located in the country. However, now these tasks have been added to processing PDs, some of which can be “delegated” to the local cloud provider:
“By shifting some of the tasks onto the shoulders of the vendor, the company saves time and resources, getting an opportunity to concentrate on improving business processes,” notes Sergey. “However, it is important to remember that in addition to physical security, attention should also be paid to the infrastructure features of the cloud provider’s data center: refrigeration facilities, duplication of critical systems, and the availability of backup components all affect the resiliency of data center systems.”
Fines and penalties
Note that operators do not need to register in any registry. There is no need to store the data of Belarusians locally (according to the new draft law), but it is important to take into account the requirements of the same Decree No. 60 and Decree No. 644 - regardless of the domain, all legal entities or individual entrepreneurs in Belarus should go to the Belarusian hosting. In addition, companies will have to appoint a PD protection officer (as in the GDPR) who will be responsible for organizing work with personal data (this can be either an individual employee or a whole department).
The size of fines "for inconsistency with the letter of the law" has not yet been spelled out, however, it is known that violators will be held liable in accordance with legislative acts and will reimburse moral and material damage to the subjects of AP (Art. 20, pp . 18-19 ).
If user data is stolen, the operator must inform the regulator of a “leak” within three days after the incident became known. However, if the incident was minor and does not harm the rights of the subject of the AP, then you will not have to report it. The regulator in this case is the authorized body for the protection of the rights of the subjects of the PD. According to Article 18 on pp. 17-18, he will protect the rights of owners of personal data, consider their complaints, and also ensure that operators comply with the requirements of the law (for example, deleting or blocking inaccurate data).
Exceptions
The law will affect all organizations that work with PD (IP, legal entities, site owners and others): they will need to create policies to work with PD, assign a DPO, implement protective measures, and so on.
The requirements of the law will apply to both automated data processing and manual processing when information is collected in catalogs and filing cabinets.
However, the law provides for a number of exceptions. For example, obtaining consent for the treatment of PD is not required if the life and health of the subject is in danger. The exception also applies to journalists when they conduct their legitimate professional activities, and scientists who conduct statistical research (with the mandatory depersonalization of data). A complete list of exceptions can be found in articles 6, 9official document.
/ Flickr / Book Catalog / CC
Opinions about the bill
People who participated in the public discussion of the submitted law, note that some of the wording in the bill is “lame”. One of the users, for example, complained about the redundancy of terms for operations with PD. It is not completely clear why each time it is necessary to single out such concepts as “collection, processing and storage”, when only the term “processing” can be used, as is done in the GDPR or the RF law .
Another of the users of the Legal Forum of Belarus noted the discrepancy in the requirements for the protection of PD in paragraphs 3 and 5 of Article 17. The third paragraph prescribes the organization of technical and cryptographic protection to be guided by the OAC order, but in the fifth paragraph it is stated that the classification (and, accordingly, the degree of protection) of information systems will be determined by a different state body.
More users felt that the definition of operator PD does not give an idea of who he is, and what he does. They also noted that the draft law lacks legal norms establishing the powers of the president and the Council of Ministers of the Republic of Belarus in this area, and hoped that in the future, appropriate amendments, clarifications and changes would be made in the text.
Timing
Discussion of the bill will last until August 11. After that, if the law is passed, the operators will have a year to prepare for its entry into force.
What else do we write in the 1cloud corporate blog:
- How secure data is in the cloud
- Everything you need to know about net neutrality principles
- Overview of our new products: Cisco UCS B480 M5