The State Duma Committee on Constitutional Legislation has approved for adoption in the first reading amendments to the law “On personal data protection” that require personal data operators to inform the authorities about leaks.
The State Duma Committee on Constitutional Legislation approved for adoption in the first reading amendments to the law “On personal data”, which were submitted to the Duma in 2013 by a group of senators, a representative of the committee told RBC. This information was confirmed by Lyudmila Bokova, Deputy Chairman of the Federation Council Committee on Constitutional Legislation and one of the authors of the amendments.
The bill clarifies the requirements for operators of personal data (employers, service providers, banks, online shops and other websites, companies developing loyalty programs, etc.). In particular, they would be obliged to notify the competent authority in case of improper disclosure or leakage of personal data. The notification procedure is not described; according to Lyudmila Bokova, the authors intend to make the necessary clarifications “directly from the data controllers”. According to her, it is expected that efforts will be focused “only on unauthorized access.” The senator also said that personal data subjects should also have the right to be notified of a leak. It is possible that such amendments will be prepared for the second reading of the bill.
The number of leaks of confidential information increased by 80% in 2016 compared with the previous year, according to the latest report of the analytical center of InfoWatch, a company specializing in cyber security. In total, there were 213 such cases in the country over the past year, and 1556 worldwide. Most often, leaks are related to identity theft, which accounts for 85.6% of all cases worldwide.
The Russian Association for Electronic Communications (RAEC), which includes the largest companies of the Runet, supported the amendment. As RAEC senior analyst Karen Ghazaryan told RBC, the West already has a similar practice: the time frame and procedure within which companies are required to notify a user that their personal information has been compromised are defined; otherwise, the operator will be fined. In Russia, violation of the statutory procedure for the collection, storage, use, or dissemination of personal information is punishable by a warning or a fine of up to 500 rubles for citizens, up to 1 thousand rubles for officials and up to 10 rubles for legal entities. The developers of the amendments consider it necessary to increase the penalty for data leaks.
According to Cyril Kertsenbaum, development manager at Kaspersky Lab, it has been mandatory in the United States since 2002 and in the European Union since 2009 to disclose leaks of personal data not only to the authorities but also to users. “This measure is one of the few that actually protects the rights of personal data subjects, in contrast to penalties. The requirement allows citizens to learn in time about the disclosure of personal data and to take adequate measures in that regard. This will be a huge plus in the fight against card fraud, when card data is compromised but, in the absence of mandatory notice, people don’t know that they need to reissue cards,” said Kertsenbaum. He is convinced that there is no risk in this; the amendment will only hasten the tightening of regulations for the storage and processing of personal data.
Dmitry Petrov, MegaFon's director for work with state bodies, agreed that leak notification is a norm borrowed from the legislation of the European Union. According to him, the history of “MegaFon” leaks of personal data the company had. “I hope we will never have reason to report leaks,” said Petrov. “But it is rather a declarative measure. The practice of the latest developments in the information environment shows that personal data operators know that they had a leak from the outside.” At the same time, Petrov insists that most personal data operators now realize that this data is one of their main assets. “Leakage of such data is damage to the business, because customers are the heart of the business, and loss of data on them is a threat to reputation. First and foremost, that is why operators are protecting it, and not because the law binds them,” said Petrov.
Representatives of MTS and VimpelCom declined to comment officially. An RBC source in one of these companies noted that “in Russia today there are a few hundred thousand personal data operators, and coordinating a decision about a security threat with the competent authorities will be technically difficult, and there are no criteria for making such decisions.”
To remove the confidentiality mark
The bill also proposes to change the definition of biometric personal data and to expand the list of cases in which cross-border transfer of personal data is possible. The senators propose to introduce the concept of a “processor” of personal data. It is proposed not to require that personal data be kept confidential if the data subject has made it publicly available (for example, if a user has published their data on social networks) or if the personal data is anonymised. The confidentiality requirement is also removed for data that is subject to publication by law, such as the income of officials.
At present, the legislation does not explicitly list exceptions to the confidentiality requirements, which leads to different interpretations, said a representative of one of the largest operators of personal data.
As Lyudmila Bokova explained, the application of the law on personal data protection has revealed a number of gaps that need to be addressed. “The amendments will make it possible to apply modern technologies for biorecognition of a person, operations with data collected outside of Russia will be removed, and measures to protect personal data will be made more specific,” she said.
One participant in the telecommunications market named, among the reasons why the parliament returned to legislation from four years ago, the “general interest in the subject of personal data in recent years, the activity of the authors of the bill, as well as a common desire of lawmakers ‘to rake through the bills introduced in the State Duma.’”
In 2013, Roskomnadzor issued a negative opinion on these amendments, said its spokesman Vadim Ampelonskiy. He noted that since then part of the provisions of the bill have been integrated into the legislation, and on the rest the position of Roskomnadzor remains the same. Ampelonskiy did not specify which provisions the agency disagrees with.