The law on the storage of personal data in simple words. Personal data protection in Russia

Personal data is information about a particular individual. Users enter this information on various Internet servers daily. In 2015, a law was signed on the storage of personal data. According to this act, information about citizens of the Russian Federation can be stored only in Russia. What does it mean? And what are the consequences of non-compliance with this law?

Background

Back in 2006, the Federal Law on Personal Data was adopted, designed to regulate the specific relations of individuals with so-called operators. Its purpose was to protect Internet users from unwanted processing and transfer of personal data to a third party.

The operator is a fairly broad concept. It can be a state body, a legal entity, or an individual. An operator is one who, for whatever purpose, enters personal data about a person in his database. Of course, he does not have the right to disclose the data and use it for purposes that are unknown to the person who provided it. Such actions are unethical, and they have also been illegal for the past ten years.

From September 1, 2015, after the law on the storage of personal data on the territory of Russia was signed, the operator is no longer entitled to use foreign servers in his work. In order to understand who these changes are primarily related to and what impact they have, one should deal with the basic concepts.

Personal Information

There is a misconception that this concept means only the information contained in a passport and other important documents. In fact, personal data covers various kinds of information about a person. It is not necessarily a passport number or series. First name, last name, date of birth and email address are also such data. Thus, if a business owner creates a corporate website containing a form for registering visitors, he becomes an operator of personal data. He can use the information received only for the activity that is known to those who provided it. The disclosure of personal data involves administrative or criminal liability, depending on the gravity of the crime.

Confidentiality of information

An operator can disseminate information about a person only with his consent. Without consent, such actions are unlawful. Non-disclosure of personal data is an important condition for the processing of information. Its main principles are contained in the second chapter of the law. The operator has the right to distribute only the information contained in publicly available sources, for example, address and phone books.

Personal data can be divided into general, biometric and special. General are contained in a passport, diploma, military ID, employment record. Special information includes racial, religious, political affiliation.

Biometric data are the biological and physiological characteristics of a person. These also include photos and videos. Thus, the transfer of such files to a third party can be identified as the disclosure of personal data. Exceptions are group photos.

Processing

Legislative acts contain phrases whose meaning is not always clear. One of them is the processing of personal data. This term refers to the actions that the operator performs on the information received, namely personal data. He accumulates, stores, refines, uses, depersonalizes, blocks and destroys it. The operator is entitled to all of this. He breaks the law only when the disclosure of personal data occurs, that is, the transfer of personal information to a third party.

Since September 1, 2015, significant restrictions have been introduced in this area of activity. The law on the storage of personal data does not allow, for example, the owner of a website to store the received data on foreign servers, even if he uses them solely for good purposes.

Depersonalization

This action is performed in order to hide the ownership of the personal data of a person (in the legislative act he is referred to as the subject). This is a kind of personal data protection. There are several ways to depersonalize:

  • replacement of part of the information;
  • digital data replacement;
  • reduction of information;
  • distribution of information on different servers.

Subject

A person has the right to access his personal data. The rights of the subject of personal data mean that an individual whose data is stored in a database can require the operator to clarify, change, and, if necessary, destroy it. Each person has the right to require the provision of this information if it does not contain data about other subjects.

Other concepts

All data about a person is stored in databases. Using certain tools, they are processed and used by the operator. This technology is called a personal data information system. Today everyone uses it, from small businessmen to state executive bodies. They are also entrusted with the protection of personal data. Monitoring compliance with the requirements stipulated by law is carried out by Roskomnadzor, the FSB and the FSTEC.

Cross-border data transfer is the transfer of information to an individual or legal entity of a foreign state.

The Federal Law on personal data ensures the integrity of an individual, his family and personal life. The new law pursues the same goals, but it creates certain inconveniences for many operators.

Data storage in Russia

In their activities, each operator should now use only those databases that are stored in Russia. Why are such restrictions created? The law mentioned above primarily affects the security of personal data. But nothing is said about its scope.

All areas of activity in Russia should be carried out in compliance with the legislation of the Russian Federation. However, on the World Wide Web, any actions are cross-border and virtual in nature, which complicates control over the work of operators. At the same time, the fact that the website is accessible to residents of Russia does not say at all that Russian law should apply to it. Storage of databases on Russian servers facilitates control over the activities of operators.


The law on the storage of personal data provides for the processing of personal data only on Russian Internet resources. But there are exceptions. They relate to foreign servers directed to the territory of the Russian Federation. The Russian-language site or domain name may indicate such an orientation. However, since the Russian language is quite widespread outside the Russian Federation, the following elements are additionally considered: the possibility of settlement in Russian rubles, the conclusion of agreements in the Russian Federation. Thus, foreign entrepreneurs include Russian consumers in their business strategy. And the action of the law on personal data is also aimed at their activities.

Foreign servers

So, the law now only allows the storage of personal data on Russian servers. Databases located outside the Russian Federation cannot be processed. The State Duma adopted a law on this ban. However, this document gives rise to many problems. And above all, difficulties relate to entrepreneurial activity.

Experts in the field of electronic communications believe that this can lead to the departure of global Internet resources, which, in turn, would lead to significant economic losses. First of all, we are talking about airline reservation sites.

Discomfort for entrepreneurs

Experts believe that the new law will negatively affect the activities of many Russian companies. Each of its violators from September 1, 2016 falls into the black list of Roskomnadzor. This list today consists of pirated sites and sites that promote illegal activities or actions that do not comply with moral and ethical standards (violence, suicide, child porn, extremism). The ban on these resources is understandable. But many enterprises that carry out absolutely legitimate activities may not be able to transfer their bases to Russian resources by the indicated date.

Another goal of this law is to ensure the security of personal data from the actions of American intelligence agencies. Foreign authorities are obliged to provide all available information to these government agencies. However, while protecting personal data from access by employees of foreign special services, the law creates many inconveniences and problems for small, medium and large Russian enterprises.

Storage Services

Most companies today sell through online marketing. One of the main tools is the email newsletter. Owners of corporate websites use online services to inform their customers about the various events that are held in their companies. This scheme is so widespread that today it is difficult to imagine the development of any business without it. There is still a misconception that site owners are not operators, since they do not store personal data themselves: special online services do this for them. But the site owner processes and generates user data. Therefore, he is an operator and in the near future is obliged to transfer all the information he has about Internet users to Russian resources. It is not easy to do this, and such actions, first of all, are fraught with considerable financial costs.

Retroactive Law

The established legal principles suggest that the operators' personal data bases already created before the date of signing the law are not a violation. However, the use of personal data involves updating and changing it. The law, however, states that the operator is now entitled to process this information only on a Russian server.

Collection of information

The operator must localize all data on a Russian server. And these actions, according to the wording in the law, are closely related to the collection of personal data. This term is used to mean the targeted gathering of information about individuals. It is usually provided by the Internet user himself. But it often happens that the data comes in by accident, for example, as a result of receiving various letters. Data about one legal entity received by another organization also does not constitute collection of information. Such information is contact information, and its processing is necessary for the implementation of joint activities.

Data transfer outside the Russian Federation

The law does not affect cross-border data transmission. The provisions that were formulated back in 2006 have not lost their force. And therefore, operators, as before, have the right to transfer data entered in the database created on the territory of the Russian Federation to others located abroad. However, such actions require compliance with certain standards. First of all, the operator must make sure that the country in whose territory the data will be transferred has adequate protection for the personal information of Internet users.

The impact of the new law on the banking sector

Many purchases are made online today. The buyer often pays for goods by credit card. Cellular companies and payment systems are usually located on foreign servers. The Russian payment system is not yet available. And without it, observing the law will not be easy.

However, some large companies still store information on the territory of the Russian Federation. And when exchanging data with foreign partners, they resort to anonymization.

Data center

Currently, a new data center is being built in the Moscow region, which will become the largest in Russia. Large companies are investing in this project because they cannot underestimate the importance of storing personal data. However, these works are associated with some difficulties. It’s impossible to build a data center quickly.

Experts believe that the new law needs to be finalized. Otherwise, it will not be able to act in full force. Its main drawback is that it is yet another ban, from which small and medium-sized businesses can especially suffer. And this area today is already in a rather poor state. One way or another, the new law has many opponents, but there are also those who are not afraid of it.