Business on personal data: how to succeed and not break the law?
“Data is the oil of the digital economy” is an expression that has already become an aphorism. Indeed, in the modern world, user data has become one of the most valuable and sought-after resources. According to PwC, in 2018 global revenue from the use of user data will reach $300 billion. As for Russia, according to RBC magazine, in 2017 the turnover from the sale and purchase of personal data in Russia amounted to at least 3.3 billion rubles. Moreover, experts predict further intensive growth of this market.
However, the use of personal data in business is not yet properly regulated by law. Current legislation leaves open the question of data turnover and the possibility of monetizing data. Judicial practice has likewise not yet formed universal criteria for balancing the need to protect users' privacy against the needs of the business community in a digital economy.
- Personal Information
The cornerstone for understanding the term “user data” is the legally defined notion of “personal data” (hereinafter referred to as “PD”). The concept of PD is elastic (“rubber”) in nature, which makes it impossible to determine unambiguously which data specifically count as personal data. At the same time, the general tendency now is an extremely broad approach to the concept of PD: any information relating to an identified or identifiable person. This can be an IP address, ID, mobile phone number or credit card number.
At the same time, it is no secret that such information is actively processed on the World Wide Web and becomes the basis for the success of many business projects (advertising, marketing, scoring). No unambiguous criteria for drawing the border between PD and Big data have been worked out.
- Big data
In turn, the concept of “big data” (Big data) is even more controversial in nature and is usually revealed through its characteristics:
- large volume (Volume);
- great variety (Variety);
- high rate of accumulation and processing (Velocity);
- accuracy (Veracity);
- variability (Variability);
- value (Value);
- viability (Viability).
The well-known lawyer and professor A. I. Saveliev writes that “big data can be defined as a dynamically changing array of information that is valuable because of its large volumes and the possibility of efficient and fast processing by automated means, which, in turn, makes it possible to use it for analytics, forecasting and automation of business processes”.
Speaking at the BIG DATA 2018 forum, the managing partner of the Digital Rights Center, Sarkis Darbinyan, explained its nature: “Big data is volumetric data flows of heterogeneous data that are constantly generated by users of electronic devices and online services or technical devices, and are processed in real time.”
So far in Russia there is no common understanding of, or approach to, the regulation of Big Data. In addition, there are ongoing discussions about who should own Big data and how to use it without violating rights in various categories of legally protected data (PD, trade secrets, confidential information, copyright in a database).
- Large user data
Business projects using Large User Data inevitably face the challenge of complying with PD legislation. The following court cases are illustrative examples: Roskomnadzor vs. NBKI, Roskomnadzor vs. MGTS, “HeadHunter” vs. “Robot Faith”, “HeadHunter” vs. FriendWork and VKontakte vs. “Double Data”.
A unified approach to the use of large user data, including data posted by users on social networks, has not yet been worked out, and the positions of the various judicial instances are still chaotic. In addition, the parties do not always rely on the legislation on the protection of personal data; instead they refer to intellectual rights to the database. For example, the rules on the protection of intellectual property rights to a database were used in the claims brought by the company “HeadHunter”, as well as in the high-profile case of “VKontakte” versus “Double Data”.
The company “Double Data” collected and used for commercial purposes user data posted on a social network (surnames, names, places of work and study). The company did not obtain any additional permissions. VKontakte maintains that such actions violate the exclusive related right to the database, which arose for VKontakte as the maker of a database of user data. “Double Data”, on the contrary, insists on the openness of the data, the impossibility of prohibiting the reuse of information, and the absence of any VKontakte rights to a database formed by the users themselves. As of today (October 2018), the case has reached the CIP (cassation instance). The CIP agreed with the conclusion of the appellate court that “the case file shows both the presence of an object of related right (a database of users of a social network) and the existence of an exclusive right of the company “V Kontakte” to the specified object”. The defendants' argument that the database is a “by-product” of the activity of “V Kontakte” was not recognized by the court as justified. However, the CIP sent the case for a new consideration to the court of first instance (the date of the hearing is 12/19/2018), and therefore the battle between VKontakte and Double Data is still ongoing. It appears that, once this case is finally resolved, it will set the practice and become a defining milestone for business development on user data in Russia.
In addition, the Roskomnadzor vs. MGTS case, in which the court tried to find a balance between the rights of users and the interests of business, is important for the further fate of business projects on user data. The court held MGTS administratively liable, having established that transactions for the “resale” of subscriber data without the subscribers' consent violate the right to privacy.
The Roskomnadzor vs. NBCH case is also interesting. Although it ended in an amicable settlement, in the course of its consideration the Supreme Court of the Russian Federation concluded that data do not become publicly available within the meaning of Art. 8 of the Federal Law "On Personal Data" once users have posted them on a social network.
Due to the lack of clear and unambiguous legal approaches (“rules of the game”) to the use of big data, “gray” services for the sale of personal data have existed for many years. One example is the Dark Web, where various types of personal data are sold: from passport data to medical information and credit card passwords. According to the results of the study “Black market of databases” by the analytical center “MFI Soft” for 2016, the volume of the market for illegal databases in Russia is more than 30 million rubles. And this figure is only growing.
Nevertheless, one should not assume that business on personal data is a priori illegal. Legal projects aimed at monetizing users' personal data are developing rapidly: Opiria, Handshake, Datacoup, GoodData, Pillar Project, Personal and other services.
Moreover, world practice also offers examples of offline projects that accept PD as payment. For example, in the American cafe Shiru you can pay the bill with your personal data (names, phone numbers, email addresses, dates of birth and information about interests).
However, many companies are interested not so much in obtaining the PD of a specific subject as in obtaining an array of data reflecting certain attributes of a number of subjects. Therefore, PD databases and Large User Data held by other companies are of value.
Companies often include data transfer clauses in service contracts or similar. In addition, there are interesting projects for the exchange of PD, implemented through agreements between companies on information interaction in the field of personal data transfer or other similar content. For example, such agreements are common in medicine.
Also, when describing projects that work with Large User Data, one cannot but mention the Double Data project and similar ones (Clever Data, Scorista, Scorto, FICO, Equifax Credit Bureau, National Bureau of Credit Histories). These projects, for the most part, use data for resale, as well as for scoring and personalizing advertising. They position themselves as working with open data, and, in the person of the NBCH and Double Data, defend in court their right to process Large User Data without additional permission from either users or the companies that process PD.
Separately, it is worth noting the notorious company Cambridge Analytica, which collected users' PD, including that of users of the social network Facebook, without their consent in order to analyze voters' political preferences. As a result of such actions, not only did a political scandal flare up, but there were inevitably legal consequences for both Cambridge Analytica and Facebook. Cambridge Analytica declared bankruptcy, and Facebook was fined 500 thousand pounds sterling (about 600 thousand dollars) for non-observance of the rights of PD subjects: the lack of adequate protection of users' PD and the lack of transparency in its processing.
In general, the Cambridge Analytica-Facebook scandal has far-reaching consequences, including for Russia. Facebook began to block access for “suspicious” services whose activities carry a risk of violating the law on personal data. For example, recently (at the beginning of October 2018) Facebook blocked more than 66 accounts, profiles, pages and applications of a Russian startup, Social Data Hub, which used to compare itself with Cambridge Analytica and now positions itself as “specializing in the development of artificial intelligence systems”. However, according to the media, the project is also engaged in commercial analysis of user data for the state.
Interestingly, the Social Data Hub site carries a response from Roskomnadzor on the legality of operating such a service. However, this did not prevent Facebook from seeing in the activities of Social Data Hub a violation of the Facebook user agreement and signs of illegal use of PD. Facebook deleted the accounts of the startup and its employees, and also sent a letter with the following requirements:
- immediately stop the processing of Facebook user data and destroy this data;
- provide Facebook with a complete list of all the data used by the company and the organizations that have access to them;
- provide Facebook representatives with access to data stores to verify that they are indeed deleted.
The representative of "Vkontakte" also noted that the company sent a complaint letter to Social Data Hub. In turn, project managers deny any violation of the legislation on PD, claiming that they "develop software, but do not sell data."
From a legal point of view, business projects on user data are implemented using various legal tools. In many ways, this state of affairs is due to the lack of legal regulation of the process of monetizing user data. The law only prescribes the mandatory requirements and conditions under which PD can be collected and processed.
The most common basis for PD processing is the subject’s consent. Obtaining such consent, its “purchase”, lies at the heart of most legal business projects based on user data. It is important to understand that the implementation of such a purchase is far from the classical civil understanding of the contract of sale. In addition to directly obtaining consent for a certain property remuneration, PD processing is possible in the execution of contracts concluded with users that provide for the provision of any goods and services (in most cases, providing access to content on the Internet).
In addition, projects whose main purpose is to ensure the legal monetization of PD, including ICO projects, have recently been gaining popularity. One example is the Opiria platform. This project allows users to provide consent for the processing of their PD in exchange for PDATA tokens. According to the developers, this platform is a “global decentralized market where companies can buy personal data directly from consumers without intermediaries.” At the same time, Opiria guarantees users the ability to control and manage their personal data in accordance with the requirements of the legislation on personal data.
At the same time, intermediation in business on personal data does not lose its relevance. Many companies are trying to resell PD or exchange them. But such projects will comply with the law only when the relevant consents are received for the transfer of PD to third parties and their subsequent processing.
A case in point is the English case of DeepMind, which concluded an agreement on the exchange of PD with the National Health Service of Great Britain. However, the parties did not provide for obtaining consent for the transfer of patients' PD to, and its processing by, the DeepMind service, and therefore a violation of the legislation on PD was established. Although this case is based on the norms of foreign law, its findings are applicable in Russian realities. We observed a similar position, for example, in the previously mentioned case of MGTS selling data on its subscribers.
In general, for all business projects on PD in Russia it is extremely important to comply with the general requirements of the legislation on PD. In particular, it is necessary to:
- limit the processing of PD to specific, predetermined goals;
- limit the volume of data to be processed to the minimum necessary amount for the implementation of the stated goals of their processing;
- not combine databases containing PD that are processed for purposes that are not compatible with each other;
- destroy or depersonalize PD upon the achievement of processing objectives or in the event of the loss of the need to achieve these goals (except as expressly provided by law);
- determine the legal basis for PD processing (in most cases this will be the consent of the PD subject, but it may also be an agreement, a legal norm, the general availability of the PD, or another basis);
- comply with the requirements for the consent form for PD processing;
- stop processing, or ensure that another person stops processing, PD in the event that the subject withdraws consent to the PD processing.
As for projects in the field of Large user data, there are even more controversial legal issues.
- Firstly, there is no single approach to understanding Big Data.
- Secondly, legislation only partially regulates the processing of Big Data.
- Thirdly, there is no unambiguous position on the use of PD that is publicly available or depersonalized.
- Fourth, it is difficult to determine the real value of Large User Data.
- Fifth, the aggregation of Large user data by any company may give that company intellectual rights to the database. As a result, a conflict of rights arises. Commercial relationships in this area are as unpredictable as a lottery.
Perhaps the situation on the Russian market will change after the final resolution of the “VKontakte” vs. “Double Data” dispute and/or the adoption of any of the initiatives currently under discussion (for example, a bill on the regulation of big data, a bill on the use and transfer to others of depersonalized PD, or an initiative to create a special platform for managing consent for PD processing).
A bill is also currently before the State Duma that aims to define the rules for a new object of civil rights: digital rights. The bill proposes to regulate the use of Big data in contractual relations, namely, to fix in the Civil Code of the Russian Federation the construction of an agreement on the provision of information services (article 783.1). This agreement may provide for the non-disclosure of information to third parties within a certain period. In addition, the bill proposes to expand the concept of a “database” based on the need to protect databases based on Big Data.
Thus, it is obvious that every year there are more and more business projects in which user data plays a fundamental role. Large user data can be the most valuable intangible asset, and can also become a toxic liability for the company if the turnover and protection of such data are approached wrongly. Economists estimate that such projects are an integral component of the digital economy, and their number will only grow. And even now, despite the legal obstacles that arise, it is quite possible to build a business on user data, if you approach the data responsibly and follow simple recommendations:
- comply with applicable laws;
- where the regulatory framework is uncertain, try to take the rights of all stakeholders into account as fully as possible;
- follow judicial practice and legislative initiatives;
- consult lawyers in good time whenever a situation is unclear.