FZ 242 on the protection of personal data. Federal Law 242 (Federal Law on Personal Data): changes and comments

In Russia, a separate law, Federal Law No. 152, governs how organizations and individuals must carry out operations with personal data. The legislator periodically amends this legal act. In particular, on September 1, 2015, the norms of Federal Law No. 242 came into force, and with its publication a number of fundamentally new norms appeared in Federal Law No. 152. What are they? Who is required to comply with the relevant legal provisions?

What is the Federal Law on personal data?

One fundamental point deserves special attention: Law 242-FZ, which entered into force on September 1, 2015, is a normative act that amended another, fundamental source of law, No. 152, adopted in July 2006. The wording of Law No. 242 should therefore be considered solely in the context of the norms contained in Federal Law No. 152.

The fundamental legal act, Federal Law No. 152, established in the legislation of the Russian Federation such legal categories as:

- personal data;

- operator of relevant information;

- processing of personal data.

Under the first legal category, the legislator means any information that directly or indirectly relates to an individual. This can be, for example, a person's full name, personal data, or contact information.

The second legal category in the law means a state or municipal authority, organization or individual who independently or in the course of interaction with other entities carries out the data processing procedure, as well as determines their composition and operations with them.

Under the third legal category, the legislator prescribes to understand any operation or its sequence, which is related to personal data and is carried out through the use of automation tools or without them.

The main operations with personal data defined by law No. 152 are: collection, recording, storage, adjustment, use, transfer, blocking, deletion. The indicated legal categories, in principle, at the time of adoption could be considered quite new to the legal system of the Russian Federation. Prior to that, the circulation of personal data was regulated by Russian legislation quite superficially.

The novelty of the Federal Law No. 152

The Law on Personal Data, adopted in the Russian Federation, was thus called upon to bring the domestic legal system closer to international standards for ensuring the confidentiality of information exchange - primarily, presented in electronic form and used in online communications. But Federal Law No. 152 equally created a legal environment to ensure the protection of various offline data.

In accordance with this regulatory act, several classes of personal data were defined that required the use of certain protection algorithms. In addition, the Federal Law No. 152 established the rules according to which the circulation of various data could be carried out in specialized information systems - those that required administrators to be especially highly qualified, as well as obtaining licenses for performing operations with personal data.

Although Federal Law No. 152 was published in 2006, in practice its main provisions became mandatory for personal data operators only from July 1, 2011. Since then, as noted above, various adjustments have periodically been made to this source of law, including those approved by the federal authorities through Law 242-FZ. Let us consider its features in more detail.

Features of the application of a legal act

Federal Law 242-FZ “On Personal Data” (more precisely, “On Amending Acts as Part of the Clarification of Data Processing”) established a provision under which operators became obligated to process and store information only on servers located on the territory of Russia or, in the case of offline personal data, to place it in databases located in the Russian Federation. It should be noted that Law 242-FZ contains a number of exceptions to this norm, which, in turn, are reflected in the provisions of Federal Law No. 152.

Another nuance of the law's application is that, through it, the legislator amended not only the main legal act regulating operations with personal data but also other sources, namely laws 149 “On information” and 249 (“On the protection of legal entities and individual entrepreneurs under state and municipal control”).

Russian media actively circulated reports that Roskomnadzor, the agency responsible for ensuring that data operators comply with the provisions of FZ-242 “On the protection of personal data”, would in 2016 conduct inspections of the largest suppliers of IT solutions operating in the Russian Federation. In particular, it was said that Roskomnadzor's goal was to find out whether brands such as Microsoft, Vkontakte, HeadHunter and LaModa comply with the requirements of the law in question. It was assumed that the department would carry out about 1 thousand different checks.

The changes to the main personal data law that the federal authorities initiated by publishing Federal Law No. 242-FZ could require major operators to significantly update their hardware and software. Brands have to solve this problem, because if the infrastructure they use does not meet the requirements of the law in question, Roskomnadzor may impose a fine on the company.

Users of various IT solutions are expected to play a significant role in the checks. If they begin to suspect that their data is not fully protected, they can report the service that handles the relevant data directly to Roskomnadzor, which, in turn, will have to initiate a check of the service for compliance with the provisions of Law 242-FZ.

It will be useful to consider what the scope of the source of law in question is.

Law No. 242: Scope of Source of Law

The main debate in this case is whether the jurisdiction of Federal Law 244 “On the Protection of Personal Data” extends to foreign firms that, on the one hand, provide services to Russian users, and on the other, are located outside the Russian Federation both from a legal point of view and in terms of the infrastructure involved.

The legislator did not approve certain provisions in the law in question that would uniquely determine the geography of its operation. Therefore, in order to find the answer to the question under consideration, it is necessary to refer to other legal acts.

Under the law on information in force in the Russian Federation, the use of various types of communication infrastructure in Russia must take into account the norms approved in the legislation of the Russian Federation. Following this norm, we can conclude that Federal Law No. 242-FZ applies only to those services that unambiguously involve infrastructure located in Russia.

Definition of the activities of the personal data operator in Russia

The most important criterion for determining the jurisdiction of the considered source of law is the direction of activity of the brand owning a particular service. If this or that site primarily serves Russian users, then it should be considered an object of regulation in terms of applying the provisions of Law No. 242. The fact that the service is aimed at obtaining personal data of citizens of the Russian Federation can be established on the basis that:

- the site's address uses the domain .ru, .su, . or, for example, .moscow;

- site content is in Russian;

- on the pages of the portal there is the possibility of entering into legal relations with the service using the forms of contracts drawn up in accordance with the Civil Code of the Russian Federation.

In practice, the data operators that fall under the jurisdiction of the Federal Law No. 242 can be a variety of structures - for example, personnel services of enterprises, banks, call centers. All of them are obliged to ensure that their activities comply with the requirements of the law in question.

Law No. 242 in terms of the application of its retroactive force

Law No. 242-FZ on amendments to Federal Law No. 152 was issued later than Federal Law No. 152 itself and the previous amendments to it; nevertheless, it necessitated an additional interpretation of the provisions of the main legal act. In particular, there was a discussion among lawyers about whether Law No. 242 should be considered retroactive.

The most popular point of view is that general legal principles should be applied in assessing the legal effect of this legal act. According to those principles, laws that worsen the situation of certain persons or establish additional obligations for them should not be given retroactive effect.

Exceptions may be made for legal acts in which the principle of retroactive effect is fixed directly. Law 242-FZ does not contain such provisions. Therefore, only those participants in the legal relationship who begin to process personal data after the entry into force of the relevant legal act, that is, from September 1, 2015, are required to comply with it.

The essence of data collection

Another debatable point about the legal act in question is the definition of the concept of “data collection” based on its wording. Where does the difficulty of interpretation lie? Under the provisions of Federal Law No. 152 as amended by Federal Law No. 242-FZ on personal data, operators are obliged to ensure the localization of files in the process of collecting that information. The essence of this procedure, however, is not clearly defined in the law, which does not help its provisions to be implemented effectively in a number of contexts.

A widespread view among experts is that “collection” is legitimately understood as a process in which the data operator receives the data directly from a certain entity or from authorized third parties. It follows that only personal data that the operator acquired through purposeful work to collect it must be localized in accordance with the norms of Federal Law 242. If, for example, the operator received the data accidentally, say in the form of an e-mail, then it is not necessary to localize it as prescribed by Law 242-FZ. Likewise, it is not legitimate to treat as data collection the receipt by one firm from another of telephone numbers and other contact details of company representatives.

Placement of data abroad under the law No. 242

The next important nuance of law enforcement practice under Law No. 242 is the possibility for operators to place data abroad where necessary, for example when backing up the relevant information on servers rented from foreign suppliers. On the one hand, according to Law No. 242-FZ, personal data must be placed on servers located on the territory of Russia. On the other hand, an objective need may arise to place it on foreign resources as well.

According to lawyers, cross-border data transfer without violating the provisions of regulatory law is, in principle, possible. Based on what legal provisions can this position be considered legitimate?

When cross-border transmission is legal

The fact is that Law 242-FZ on the localization of personal data does not include provisions amending the legal acts that regulate the cross-border transfer of files containing individualized information about citizens of the Russian Federation and other entities that fall under the protection of Law No. 152-FZ. Therefore, this procedure remains legal, just as it was before the amendments in question were adopted.

But note once again that cross-border data transfer can be carried out only for the purpose of backing up the corresponding files. Their originals, therefore, must be placed on servers in the Russian Federation. At the same time, the data operator is responsible for the unauthorized use of files by foreign persons on foreign servers. In addition, the operator will probably have to bring its information systems in line with the requirements established by the law of the state on whose territory the servers are located.

Sanctions for violations of law No. 242

So, we have examined the changes that the legislator introduced into Federal Law No. 152 through the publication of Law 242-FZ. It will also be useful to consider what sanctions data operators who violate the provisions of this source of law may face.

First, an administrative fine may be imposed on a company that is required to comply with Law No. 242. Its value is 500-1000 rubles for officials, and amounts 10 times larger for legal entities. This penalty is established by Art. 13.11 of the Administrative Code of the Russian Federation.

Secondly, a sanction such as entering the data operator in the register of violators can be applied. The register is an automated database that includes the domain names and page addresses of sites on which personal data is processed with violations. Note that an operator is included in the register on the basis of a court decision. An exception applies after its cancellation or once the company has eliminated the violations of the law in question.

Thirdly, access to a site that implements incorrect processing of personal data may be restricted. This procedure is carried out after the personal data subject sends a statement to Roskomnadzor about the need to take measures to block the corresponding resource.

In addition, this document should also be supplemented by a judicial act, which has entered into legal force. After that, Roskomnadzor sends information about violations by the site owner of Law No. 242 to the hosting provider, and if the owner of the resource does not eliminate the violation, it blocks the site.

The procedure for applying sanctions to violators of the provisions of the legal act in question largely depends on law enforcement practice. It makes sense for personal data operators to regularly study it, as well as, for example, various analytical studies of the provisions of Law No. 242-FZ and the comments of lawyers on it. Compliance with the Federal Law No. 152, taking into account relevant amendments to it, is the most important condition for the correct functioning of the relevant information services.

Source: https://habr.com/ru/post/F23207/

