GDPR protects your personal data very well, but only if you are in Europe


    Comparison of approaches and practices for the protection of personal data in Russia and the EU


    In fact, any action a user takes on the Internet involves, in one way or another, the handling of that user's personal data.


    We do not pay for many of the services we receive on the Internet: searching for information, e-mail, storing our data in the cloud, communicating on social networks, and so on. However, these services are only nominally free: we pay for them with our data, which these companies then turn into money, mainly through advertising.


    Currently, data on gender, age, place of residence and search history are the basis of the online advertising industry, which is worth billions of dollars and euros. That is, from a legal point of view, personal data are raw material for doing business. Accordingly, companies make great efforts and spend considerable funds to obtain and process personal data. Surveys conducted in 2018 show that users, realizing the value of their personal data, are increasingly dissatisfied with how companies handle that data.


    Regulation of the use of user data has not yet taken shape and lags behind the development of technology, not only in Russia but throughout the world; therefore the balance of interests between consumers and companies in the “money - service - data - money” model is built today both by regulators and by tacit agreements between society and companies. Regulators restrict the capabilities of IT companies and expand the rights of users: they introduce new laws that give users more control over the information they provide.


    It is interesting to compare the approaches of regulators in the European countries and in Russia. In Russia, the main regulatory acts governing the handling of personal data are the Federal Law on the Protection of Personal Data (152-FZ) and the Code of Administrative Offenses, which directly sets the specific amounts of fines for violating the procedure for handling personal data. Administrative fines increased significantly from July 1, 2017, and new fines were established depending on the type of offense committed. Officials can be fined from 3,000 to 20,000 rubles, individual entrepreneurs from 5,000 to 20,000 rubles, and organizations from 15,000 to 75,000 rubles. Moreover, they can be held liable for several different offenses, so for different violations one company may be subject to several different fines. But liability is provided specifically for non-compliance with formal requirements, for example when the required paperwork is missing; this is not always directly related to real protection of information. For example, a leak in itself is not grounds for a penalty unless other laws are violated. Interestingly, a significant number of the violations identified in the field of handling personal data fall under Article 19.7 of the Code of Administrative Offenses of the Russian Federation: “Failure to submit, or untimely submission to a state body (Roskomnadzor) of, information the provision of which is prescribed by law and is necessary for that body to carry out its lawful activities...”. It is notable that far greater liability is provided not for violating the procedure for handling personal data (as mentioned above, an average of 30-50 thousand rubles), but for failing to provide (or delaying, or incompletely presenting) information on the procedure for handling personal data to Roskomnadzor, which is subject to a fine of up to 200,000 rubles. That is, in Russian legislation and in the practice of its application, the prevailing trend is “the main thing is that the suit fits”: the needs of state bodies for various reports are satisfied, while the real rights of users and the security of their personal data on the Internet are poorly protected. The amounts of the fines do not correlate with the benefits some companies receive from violating the rules for handling personal data on the Internet, and do not stimulate compliance with these rules.


    The EU presents a somewhat different picture. Since May 2018, work with personal data in Europe has been regulated by the rules for the processing of personal data established by the General Data Protection Regulation (Regulation (EU) 2016/679 of April 27, 2016, or GDPR). The regulation has direct effect in all 28 EU countries. It gives EU residents the opportunity to have complete control over their personal data: under the GDPR, EU citizens and residents have very broad rights to control their personal data. European users have the right to request confirmation of the fact that their data are being processed, the place and purpose of the processing, the categories of personal data being processed, the third parties to whom the personal data are disclosed and the period during which the data will be processed, as well as to learn the source from which the organization obtained the personal data and to require their correction. Moreover, the user has the right to demand that the processing of his or her data be stopped.


    Since May 2018, liability in the form of fines for violating the rules for processing personal data has also changed: under the GDPR, fines reach 20 million euros (about 1.5 billion rubles) or 4% of the company's annual global income.


    The most important thing is that it all works: companies violating user rights are held accountable, and very seriously. For example, on January 21, 2019, the French National Commission on Informatics and Liberty (CNIL) decided to fine the American company GOOGLE LLC 50 million euros for violating the GDPR. The amount of the fine is very large and clearly illustrates the threat of non-compliance with GDPR requirements. What was Google punished for? The French commission determined that during the initial configuration of a mobile device running the Android (Google) operating system, the user does not receive full information about what Google does with their personal data. The company had not fulfilled its obligation to ensure transparency in the processing of personal data and to inform data subjects (Articles 12 and 13 of the GDPR). The retention periods for user data were not precisely defined. The company did not have the necessary legal basis for the data processing (Article 6 of the GDPR). Google was also accused of improperly obtaining user consent to process their data for ad personalization.


    Other examples: the German regulator LfDI fined the Knuddels dating chat application 20,000 euros; the Portuguese Barreiro Hospital was accused of improperly managing access to critical personal data (a fine of 300 thousand euros) and of violating security and data integrity (another 100 thousand euros); UK authorities issued a warning to a Canadian analytics research company, obliging it to stop processing the personal data of citizens or face a fine of 20 million euros; the Canadian company AggregateIQ, which is engaged in digital marketing and software development, was fined 17,000,000 pounds; and cafes in Austria were fined 5,280 euros for illegal video surveillance (the camera captured part of the sidewalk).


    By the way, a peculiarity of the GDPR is that it applies to all companies processing the personal data of EU residents and citizens, regardless of where the company is located; therefore Russian companies should carefully study this Regulation if their services are aimed at the European market.
