Understanding the new law "On Personal Data": real and imaginary risks
Makradar Technologies / December 19, 2019
On September 1, amendments to the law "On Personal Data" come into force. To varying degrees, they will affect all citizens of Russia. "MakRadar" contacted a number of Russian lawyers and representatives of Internet companies to figure out all the nuances of the law.
The amendments themselves are small: they take up only half a standard A4 sheet, and anyone can read them right now. There are two major innovations:
- From September 1, all legal entities that work with the personal data of Russians must store their databases on the territory of the Russian Federation, on their own or rented servers.
- An automated information system, the "Register of violators of the rights of personal data subjects".
Personal data - any information relating to a specific individual. It can be a name, surname, patronymic, year, month, date and place of birth, address, family, social or property status, education, passport number, occupation, income, and other information.
Let us see what the aforementioned "Register ..." is, what risks the law poses for representatives of the Internet industry, what implementing the law will cost companies, and what responsibility violators will incur.
What is the "Register of violators of the rights of personal data subjects"
This register will include the names of websites and pages on the Internet on which personal data is processed in violation of the law. These can be absolutely any websites: online shops, hotels, airlines, media and others. "Since the law does not specify for what kind of violations sites will be included in this register, it can be assumed that any failure to comply with the provisions of the law on personal data could serve as such a violation," says Daria Dry, senior lawyer at "Team 29". "The procedure for maintaining the register will be determined by the Government. It is noteworthy that a site or page can be entered in this register only on the basis of a court decision that records violations of the law in the processing of personal data."
Processing of personal data - operations with personal data, such as collection, accumulation, storage, updating, modification, use, distribution, transfer, depersonalization, blocking and destruction.
Who falls under the law
Distance selling companies, transport companies, tour operators and reservation systems, recruitment agencies, service providers, the banking industry and payment systems. According to the July meeting between RAEC, the Russo-British Chamber of Commerce and Roskomnadzor, more than 54% of IT companies are ready to fulfill all the requirements of the law, another 27% reported partial readiness, and 19% were not fully ready. Financial problems and a lack of technical capacity were named among the main challenges in implementing the law.
The main risks for business
"We do not see significant risks to the business," says Jan Barash, senior counsel at OZON Group. "The provisions on cross-border transfer of personal data are not affected by the amendments, and therefore the transfer of personal data of Russian citizens to foreign service providers will still be possible." Kirill Mityagin, partner at Nevsky IP Law, said: "The main risk is failing to understand the law's requirements for operators and the rules of personal data processing. For example, failing to file a notice for inclusion in the Roskomnadzor register (as of 31.07.2015 the register holds more than 330,000 operators), or to avoid distortions in the processing of personal data, which leads to civil, administrative and even criminal liability."
Possible threats to ordinary Internet users
The main threat for the average user is that a favorite resource may be unable to cope with the cost of protecting personal data and close. "Compliance with the law makes our project 45% more expensive," says Oleg Gribanov, executive director of the service darenta.ru. "These are unavoidable costs if we want to obey the law, and we will not violate it in any way. Exactly how much we spent on the purchase and rental of servers and on staff training, I cannot say; it is a commercial secret." "Today, servers can be purchased at prices ranging from 40 to 600 thousand rubles, but a product of more or less decent quality will certainly cost more than one hundred thousand; in addition, the choice will depend on the amount of data stored," explains Alexander Trifonov, chief expert of the legal service 48Prav.ru. "There is also the possibility of renting a server; offers start at five or six thousand, so this budget option may suit a company that is not ready to spend several hundred thousand right away."
Protection of personal data - a set of administrative measures and technical methods of protection to combat unauthorized use of personal data.
Liability for failure to comply with the law "On Personal Data"
For failure to protect information, the law provides for criminal and administrative liability. "Illegal access to legally protected computer information entails liability under Art. 272 of the Criminal Code," says Anton Tolmachev, managing director of the company "YurPartner". "But that is heavy artillery. The most common violation of the law 'On Personal Data' is an administrative offense, for example under Article 13.14 of the Administrative Code, 'Disclosure of information with limited access', or Article 13.12, 'Violation of information protection rules'." "A company now bears administrative liability for violating personal data processing rules in the form of a fine of 5 to 10 thousand rubles (Art. 13.11 of the Administrative Code), and for violating data protection requirements, from 10 to 15 thousand rubles (Part 6 of Art. 13.12 of the Administrative Code)," explains Kirill Mityagin, partner at Nevsky IP Law.
The Russian State Duma plans to adopt amendments to the Code of Administrative Offenses. The minimum fine will be 50 000 rubles, and the maximum 300 000 rubles.
Experience in other countries in the protection of personal data
In the EU, protection of personal data is governed by Directive 95/46/EC (1995) and a number of follow-up documents, but after the "Snowden case" it became clear that legislation in the field of personal data protection requires serious change. A General Regulation on the protection of personal data is now being established by the EU countries. It will include such things as the handler and the recipient of personal data, ID card, and online identifier. The concept of "sensitive data" will also be introduced, which will include a person's genetic and biometric data, and much more.
Summary
Almost all countries of the world are now engaged in changing the legislation that regulates the processing and protection of personal data. The fact that Russia was at the forefront is no more than a coincidence. However, the Russian approach is always distinguished by the "right of the state", whereas in Western countries it is human rights. Hence the fear that the new law was created primarily for the purpose of monitoring the actions of citizens, not for the protection of their personal data.