The Law "On Personal Data" all that you wanted to know, but were afraid to ask

  • Tutorial
In September 2015, the Federal Law on Personal Data underwent major changes. We will now carefully consider them in order to understand how all this will work in the realities of the Runet. Our lawyers spoke many times about PD and before the changes came into force. And now the time has come, and everything that used to only be debated in theory has now been put into operation. Alas, we have not yet broken through with a report on the main channels of the country, and all that remains for us is to write here. So let's get started.

Of course, you need to start with the fact that now when collecting personal data (abbreviated as PD, nobody knows why this is the case, but we will use what is), on the Internet or offline, the operator must provide recording, systematization, storage and clarification personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation. This question has already made a lot of noise on the Web. And everyone has already discussed many times that servers with databases of personal data of citizens should be located on the territory of Mother Russia. In this regard, many questions arose and rumors, and the "ducks", of course, too. Citizens asked themselves: “Where can we get so many high-quality servers? But will the lack of competition worsen the already "very" situation with domestic servers? " It is true. But we are not talking about that now.

Who should be considered an operator? As before, this is a legal or natural person organizing or carrying out PD processing. But what exactly is hidden behind this PDN? And this is any information that relates directly or indirectly to a specific individual (that is, personal data can be considered not only the name and passport number, but also the phone number and e-mail of this person).
All this mess with the localization of the storage of citizens' data in Russia is a legislative novelty. Therefore, the law is somewhat contradictory. For example, its provisions can be interpreted too broadly and ambiguously, and, most importantly, it is not clear how the new norms should work in practice.
The main stumbling block looks mysterious - “personal data bases should not be stored abroad”but the law spells out the possibility of transferring personal data to other countries (which can provide adequate protection for the rights of PD subjects), called cross-border data transfer. And it seems that this requirement applies only to Russian companies and does not apply to foreign jurisdictions. That is, the requirement to store personal data in Russia should not apply to organizations registered abroad and collecting personal data of citizens of the Russian Federation. The Ministry of Communications and Mass Media came to our aid and explained that when carrying out activities on the Internet it is impossible to clearly define geographical boundaries, which means that it is necessary to identify a number of signs by which this or that resource can be attributed to “used on the territory of the Russian Federation”.
Of course, it cannot be ruled out that the law, which proposed broad interpretations and criteria, will be applied selectively and the Federal Law “On Personal Data” will be directed to foreign Internet resources, the activities of which are also directed to the territory of Russia (online stores , marketplaces, platforms, etc.) that may be blocked on the territory of the Russian Federation if the requirements of the Russian law on personal data are not observed. Just around this issue the main srach rose noise and din in social networks. People are terribly afraid of losing their friends on FB and followers on Twitter. They can be understood, but we are again distracted from the main thing.

The Ministry of Communications and Mass Media shared with the world the signs of a resource that is obliged to store all our personal data in the Russian Federation, we bring them to you, dear readers.
Roskomnadzor will use two main criteria:
  1. Use of a domain name associated with the Russian Federation or a constituent entity of the Russian Federation (.ru, .rf, .su, etc.).
  2. The availability of the Russian version of the website. And besides, there is the possibility of making settlements in rubles, the possibility of fulfilling an agreement concluded on such an Internet site in Russia, or the use of advertising in Russian.

By the way, it is highly likely that regulatory authorities will turn their keen eye especially on domestic companies working with foreign services.

Let's move on. From the text of article 18 of the Federal Law "On Personal Data" it follows that
When collecting PD, the operator is obliged to ensure the storage of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation.

And this means that personal data obtained as a result of organizing the collection of such data, and not as a result of accidental contact with it, are subject to storage in the Russian Federation. Accordingly, receiving contacts, for example, couriers of one organization by another organization, transferred during the work process, will not be a collection of personal data. And if you received a business card in a personal meeting with an employee of a certain company, then you scored this data in CRM, and even included it in the mailing list, then, excuse me, this can already be considered PD processing. However, the law here does not provide exact wording and there is no judicial practice yet. Therefore, it is possible to discuss this question for a long time and tedious, but still not come to the exact answer. Therefore, together with you we will wait for clarifications from above.

It is impossible to consider articles of the Federal Law “On Personal Data” separately. A simple example: if the requirement to localize individual PD processing processes from Article 18 is considered together with Art. 12 on cross-border data transfer, while still taking into account the definitions from Article 3: “transfer of personal data to a foreign state to a foreign person: to a foreign state authority, foreign individual or foreign legal entity”, in total we get the following: Citizen PD originally entered into the database on the territory of the Russian Federation and updated in it (the “primary database”), you can later transfer it to databases located abroad (“secondary databases”), with their admins. All this, of course, must be done in compliance with the provisions on cross-border data transfer.

The next thing I would like to say is the “Register of violators of the rights of subjects of personal data” (in the picture above the name of the portal of Roskomnadzor), which will contain data on those resources that process personal data in violation of the law. For the time being, it is possible to get into the register only by a court decision on the basis of an application submitted either by the PD subject or by Roskomnadzor. As a measure, restriction of access to the operator’s site was chosen. And in order to implement this measure, there must be a regulated order. Roskomnadzor did not keep itself waiting and has already approved such an order according to the “registry - hosting provider” scheme.
We bring it as is:
  1. Sending a notification to the hosting provider about a violation of the legislation of the Russian Federation in the field of personal data.
  2. Submission by the hosting provider of the registry operator a request for exclusion of information about the domain name or page indexes of Internet sites, a network address that allows identifying sites containing information processed with violation of the rights of personal data subjects from the registry.
  3. Forwarding to the hosting provider by the registry operator a notification about exclusion from the registry of a domain name or page index of a website, as well as a network address.
  4. Receiving from the hosting provider the registry operator the information necessary for organizing interaction within the framework of the registry.

In turn, the provider will be able to obtain the following information from the registry: domain name, network address, page of the site on which information is processed in violation, case number and date of adoption of the judicial act, on the basis of which data on the information resource were included in the registry.

That’s all with us.

Keep money in savings banks data in the territory of the Russian Federation and do not forget to ask for the consent of users each time to collect and process their personal data. Otherwise, Roskomnadzor will find you, even if you are personally in Bali.

Also popular now: