
Protection of personal data of 3 billion people - similarities and differences in legislation in the BRICS countries

At its meeting on October 26, 2017, the Russian Security Council instructed the Ministry of Communications and the Ministry of Foreign Affairs of Russia to initiate, within the framework of BRICS (Brazil, Russia, India, China and South Africa), a discussion on the creation of its own “system of duplicate root domain name servers (DNS), independent of the control of [international organizations] ICANN, IANA and VeriSign, and capable of serving the requests of users of these countries in case of failures or targeted impacts.”
In light of these events, we would like to consider how consistent the laws of the BRICS countries are on data protection. We will focus on the protection of personal data (PD): which laws the protection is based on and what its main shortcomings are.
A small digression into the basics.
BRICS is a group of five countries: Brazil, Russia, India, China, and the Republic of South Africa.
On July 9, 2015, at the VII BRICS summit held in Ufa, the Ufa Declaration was adopted. The declaration is voluminous and touches on many topical global issues, but we will consider only the one point that sets out the attitude toward information and communication technologies (ICT). Paragraph 33 of the Ufa Declaration notes:
- the need to strengthen cooperation in the field of ICT, including the Internet
- the decision to create, within BRICS, a working group on cooperation in the field of ICT
- the need to form a system
- to ensure the confidentiality and protection of user personal information
“We reiterate the inadmissibility of using ICTs and the Internet to violate human rights and fundamental freedoms, including the right to privacy, and reaffirm that the rights that a person has outside the Internet must also be protected in it.”
The full text of the declaration can be found here.

Highlights of Personal Data Protection in the BRICS Countries
PD protection in the Russian Federation
To date, the Russian Federation has advanced the farthest among the BRIC countries in this regard. We note the main steps that have been taken in the area of PD protection.
Legislation has been formed in the field of PD protection, which includes:
- norms of the Constitution (Articles 23, 24);
- a special law: Federal Law of the Russian Federation of July 27, 2006 No. 152-FZ “On Personal Data”;
- norms of industry laws;
- regulations.
In addition, a special authorized body has been created, the activity of which ensures:
- the effective functioning of a centralized system of control and supervision over the implementation of legal requirements;
- consideration of appeals of subjects of personal data;
- maintaining a register of PD operators;
- information work with citizens and PD operators.
It should also be noted that a uniform law enforcement practice is gradually being formed. At the moment, a PD protection system that meets international standards exists in Russia and it is operational.
If you do not have sufficient clarity regarding the processing of personal data in accordance with regulatory legal acts of the Russian Federation and would like to have a more complete understanding of the law, we recommend that you familiarize yourself with our White Paper on Federal Law No. 152.
PD protection in China
Everything is complicated here. There is no special general law on the protection of PD. However, let's look at the main points.
The PRC Constitution guarantees the protection of the dignity of the individual and the secrecy of correspondence. Provisions for the protection of PD are contained in separate legal acts, which we will now briefly review.
On November 5, 2012, the “Guidelines for the Protection of Personal Information in the Information System for the Provision of Public and Commercial Services” was adopted, in which the following definition was given:
Personal data - any information about a specific individual that, alone or in combination with other information, allows that individual to be identified.
The Guidelines establish the duty of the PD operator to obtain the consent of the PD subject for processing and to inform the subject of the purpose of the processing, the retention period, the measures taken to protect the PD, and so on.
The localization of PD is addressed in Article 5.4.5:
In the absence of a clearly expressed consent of the subject of the PD, regulatory permission or the consent of the authorized bodies, the operator of the PD should not transfer the PD to any person who is abroad, including any individuals living abroad, or any organizations and companies that are registered abroad.
Personal data are also mentioned in the law on consumer protection adopted on October 25, 2013:
Article 29. When collecting and using personal data of individuals, entrepreneurs are required to follow the principles of legality, validity and necessity, to explicitly inform about the purpose, methods and limits of the collection and use of information and obtain the consent of the consumer.
Entrepreneurs are required to take technical and other necessary measures to ensure the security of information and prevent the disclosure or leakage of consumer PD.
A serious administrative fine is provided for non-compliance with the law.
In addition, there are a number of legal acts that in one way or another affect the protection of the subjects of PD.
- The PRC Law on Tort Liability in 2009, which protects the right to privacy and, in particular, provides for the responsibility of a medical institution for the distribution of PD without the consent of the subject of PD
- "The decision to strengthen the protection of information on the Internet", adopted by the Parliament of China on 12.28.2012
- “Regulation on telecommunications and the protection of personal information of Internet users”, adopted July 19, 2013
- On March 15, 2015, “Responsibilities for Violating the Rights and Interests of Consumers” came into force, developed and adopted by the State Administration for Industry and Commerce of China (SAIC).
The last mentioned act is of particular interest with regard to the definition of personal data in the context of consumer protection. According to the Measures, the following data are related to consumer PD:
- name;
- sex;
- profession;
- date of birth;
- passport ID;
- address;
- contact information;
- information on income and property;
- health information;
- consumer habits.
On June 1, 2017, the Cybersecurity Law entered into force. It is the first consolidated law in China regulating almost all the problems in this area. It also applies, of course, to PD.
The storage of personal data and other important data should be provided exclusively in the territory of the PRC (Article 37).
The Cybersecurity Law confirms the obligations of network operators regarding the protection of personal information, which are determined by existing legislation and regulatory requirements, including the right to monitor compliance with the principles of legality, necessity and relevance in the collection and use of personal data, as well as the right to monitor fulfillment of the “informing and obtaining consent” requirements (Article 41), the use of personal data only for those purposes to which the relevant person has consented (Article 41), the right to take measures to protect the security of personal data (Article 42), and protection of the individual's right to evaluate and correct personal information (Article 43).
In addition, the Cybersecurity Law includes some new rules regarding the protection of personal data, including requirements for notification of data protection violations (Article 42), anonymization of data as an exception to the requirements for informing and obtaining consent (Article 42), and the individual's right to demand that network operators amend or delete his personal data if information about him is erroneous or is used for purposes he has not agreed to (Article 43).
The main problems of PD protection in China include the following:
- lack of an authorized body for the protection of PD;
- lack of a single special law on PD;
- lack of a single conceptual framework (well, this is not going smoothly with us either);
- the basic rules for protecting PD are contained in legal acts that are advisory in nature (e.g., the Guidelines);
- lack of notification of PD processing and of a register of operators involved in processing PD.
PD protection in Brazil
The Brazilian Constitution protects human dignity, privacy and the privacy of correspondence. As in China, there is no general law on the protection of PD, and provisions on the protection of PD are contained in separate legal acts.
Brazilian Internet Law (Marco Civil da Internet) of 04.23.2014:
- It establishes the general principles of using the Internet, the rights and guarantees of users, the obligations of providers and the rules for providing services on the Internet.
- The law contains a large number of rules regarding the protection of privacy and personal data.
- To process PD on the Internet, you must obtain the voluntary and informed consent of the user.
- PD processing is allowed only for a specific purpose, which is indicated in the user agreement or in the rules for using Internet services
As for the localization of PD: initially, the draft law required the PD of Brazilian citizens to be stored within the country. In subsequent editions this provision was removed, but the President was given the right to issue decrees on the matter. The final adopted version of the law does not address data localization. The exclusion of this requirement from the law was the result of lobbying by international corporations and the United States.
Of particular interest is how the Law resolves the issue of jurisdiction (Article 11). The general rule is as follows:
Internet providers and Internet application providers are required to comply with Brazilian laws, including those on the protection of PD, if at least one of the acts of collection, storage or processing of PD takes place within the state territory of Brazil.
But there are additional conditions:
- The general rule applies to PD collected in Brazil and to the content of communications if at least one of the terminals is located in Brazil
- The general rule applies even when such activities are carried out by a foreign legal entity, provided that:
or
b) at least one of the members of a group of foreign companies is established in Brazil.
The main problems of PD protection in Brazil:
- lack of an authorized body for the protection of PD;
- lack of a single special law on PD;
- lack of a unified definition of personal data;
- lack of definition of special categories of PD (sensitive personal data);
- lack of protection of PD in certain industries and fields, with the exception of the Internet;
- lack of notification of PD processing and of a register of operators involved in processing PD.
PD protection in India
Section 21 of the Indian Constitution guarantees everyone the right to life and personal freedom.
There is no special general law on the protection of PD in India.
The Information Technology Act 2000 contains a special article on the protection of special categories of personal data (Article 43A). The operator of the PD is obliged to apply the necessary measures to protect the PD and is liable for damage caused due to data leakage.
There are “Rules on the practice and procedure for ensuring the security of special categories of personal data and information” adopted in 2011. According to them:
Personal data - any information that relates to an individual and which, in combination with other information at the disposal of the personal data operator, can identify this individual.
The special categories of PD include (paragraph 3 of the Rules):
- passwords;
- financial information (including bank account and credit card details);
- health data;
- sexual orientation;
- biometric data.
Localization of special categories of PD. According to rule 7, cross-border transfer of PD of Indian citizens can be allowed only when it is necessary to fulfill the contract between the legal entity and the PD subject or when the subject has given his consent to the transfer of data.
Rules for protecting confidentiality and personal data are contained in several industry laws in India, including insurance and banking laws.
The main problems of PD protection in India:
- lack of an authorized body for the protection of PD;
- lack of a single special law on PD;
- lack of notification of PD processing and of a register of operators involved in processing PD.
Conclusions
Unlike in the Russian Federation, both the legislation and the practice of PD protection in the other BRICS countries are lagging behind. At the same time, in recent years the following have been observed in all BRICS countries:
- interest in the development of PD protection system in connection with new information threats of the digital age
- adoption of new regulations
- establishment of, or plans to establish, a special authorized body for the protection of PD subjects
- striving to implement best practices and international principles and standards
We hope that Russia will continue to improve the system of legislation, introducing best practices and avoiding unnecessary prohibitive measures.