<<
>>

features of formation of the Russian approach to legal regulation of personal data

In the Russian right long time the question on legal regulation of personal data remained opened, first of all in respect of special law acceptance in this area. Thus it is impossible to say that the separate aspects connected with processing of personal data, have not been settled.

At the constitutional level it is necessary to mention articles 23 and 24 Constitutions of the Russian Federation of 1993, establishing the right of the individual to inviolability of a private life, personal and family secret, the privacy of correspondence, telephone conversations, post cable and other messages, and also the right of the individual and to access to the information on and a duty of the state bodies and local governments to provide to it possibility of the last. No doubt, these articles, despite the fact that what in them contain only separate aspects of legal regulation of data processing about physical persons, have served some kind of a starting point for the further formation of the legislation on protection of a private life at processing of personal data.

For the first time the term «personal data» (the information on citizens) has been entered into the legislation with Federal act acceptance «About the information, information and about information protection» [377] in 1995 where in article 2 their definition already considered by the author as «data on the facts, events and circumstances of a life of the citizen contained, allowing to identify its person». However detailed regulation of data processing in the specified law, for the clear reasons, did not contain, but its general concept was offered, and also sending to the special legislation which as, on - visible, it was supposed, should be accepted contained. On the basis of the analysis of article 9 and 14, it was essentially possible to come to following basic conclusions about conceptual positions assumed then special law:

- Personal data are the information of the limited access and concern the confidential information [378];

- The list of personal data should be established the federal act;

- Personal data directly are connected with protection of the right to inviolability of a private life, personal both family secret and the rights to the privacy of correspondence, telephone conversations, cable and other messages;

- Gathering, storage, use and distribution of personal data is supposed only with the consent of the individual or under the decree;

- Personal data cannot be used for causing of property and moral harm to the individual;

- Personal data about a racial, national, language, religious and party accessory cannot be used for discrimination (restriction of the rights) physical persons;

- Responsibility for infringements of an order of gathering, storage, use and distribution of personal data is born by owners of information resources, their containing;

- The subject of personal data (individual) has the right to get acquainted with the maintenance of personal data (to have access to them), to demand their specification, and also has the right to know, who and in what purposes uses them, except for cases, statutory;

- Duty to give access to the personal data it is assigned to the owner of the information resources which refusal can be appealed in court.

The federal act based on specified principles and could not appear, and from listed above positions it was necessary to refuse some.

In particular, have been subjected criticism: orientirovannost the law first of all on citizens; an establishment as the basic criterion for allocation of personal data only "identifications"; aspiration to establish the closed list of categories of the information carried to personal data that has already been in detail considered by the author in work chapter 1.

From 1995 for 1998 12 editions of the bill in which the account of remarks and offers of reviewers was carried out have been prepared. The project was twice discussed on section of Scientific and technical council of Committee at the President of the Russian Federation on the politician of information. Twice project has passed the international examination by experts of the Council of Europe. Also at public hearings in the Parliamentary centre of Federal assembly of the Russian Federation, in the Russian-American press centre the project was discussed with participation of representatives of mass media, at a seminar on problems of information safety within the limits of the International congress «the People of Commonwealth Independent G osudarstv on the eve of the third millenium» in St.-Petersburg, on «a round table», spent by branch «Computer science and the right» the International academy of information, etc. [379]

Draught federal law occurrence «About the information of personal character», brought for consideration in the State Duma group of deputies - O.A.Finko, JU.M.Nesterov, G.K.Volkovym, R.G.Gabidullinym, V.E.Tsoem1 became on April, 3rd, 1998 an adjusted total of this work, but and has not been accepted. The bill has been developed on a basis and according to norms of the Instruction 95/46/ЕС the European parliament and the Council of Europe. It contained six heads (general provisions; conditions of legality of work with personal data; the rights of the subject of personal data; the rights and duties of the holder (the owner) on work with files of personal data; state regulation of work with personal data; the Representative by the rights of subjects of personal data at the President of the Russian Federation), thirty six articles.

The name was beaten out already then from the standard terminology as already named law «About the information, information and information protection» contained in quality of the base term «personal data» which also has been used by the Decree of the President of the Russian Federation № 188 «About

L

The statement of the list of data of confidential character ». As a result the mechanism of processing of the personal data has been put in a bill basis, corresponding to the standard European principles and norms

-e

In the field of protection of personal data.

Attempt to offer the list of cases of lawful gathering, processing and use of personal data which was dictated, according to authors, necessity to provide effective protection of the personal rights concerning its personal data was one of features of the bill. The personal data received as a result of activity of subjects of the federal act «About operatively-search activity», on the basis of article 10 have been allocated actually in a special [380 [381] [382] category along with traditionally allocated category of "sensitive data». But nevertheless attempt of introduction of institute of the Representative by the rights of subjects of personal data became the major short story of the bill. For maintenance of effectiveness of this legal institution it was supposed to guarantee independence of its activity. In the bill the way of formation of the named institute is selected at President РФ1.

As a whole the given bill was quite benevolent is met and in scientific circles, in particular for its acceptance expressed O.B.Prosvetova and V.N.Lopatin, though under condition of certain completion further. Despite an obvious urgency of the bill with a view of protection of the rights and freedom of citizens, the bill has actually laid down «on a shelf» as consideration process in Federal assembly has actually stopped its discussion on Council of the State Duma [383 [384] [385] [386] which has accepted subsequently final judgement about its removal already only after work on the new project of the special law in 2006 [387] has begun, having postponed thereby acceptance of legislative measures in considered area for 6 years.

It is necessary to notice, that approximately during this period In parallel inter-parliamentary assembly of the state-participants CIS passes the modelling law «About personal data» which developers became V.N.Lopatin and A.V.Feodor [388], essentially similar by separate positions and the general concept on already mentioned bill «About the information of personal character». However, its acceptance at all has not accelerated acceptance of the Russian law.

Essential changes in the relation to a considered problematics from the Russian legislator have occurred, perhaps, after activization of relations between Russia, the Council of Europe and the European union. Signing the Russian Federation of the Convention of the Council of Europe more than once mentioned here № 108 about protection of the person in connection with the automated processing данных1 became on November, 7th, 2001 the first step to it. It is remarkable, that it

Ratification which has demanded from Russia implementatsii and special law acceptances about protection of personal data, has taken place only later 5 years. The project of the new federal act «About personal data» already was considered practically in parallel with a bill about ratification of the named Convention of the Council of Europe [389 [390] [391].

The new bill about personal data has been prepared by the Government of the Russian Federation and in September, 2005 has arrived in the State Duma. Originally in it a number of positions which have caused set of criticism, first of all from legal experts contained. It concerned positions of article 24 of a variant of the bill following the results of the first reading. In it to creation the uniform base of personal data about the population of Russia - «the State register of the population of the Russian Federation» where identifiers of the personal given all physical persons came under to entering, constantly or temporarily living or sojourning on territory of Russia, in particular, was offered. In quality of "identifiers of personal data» at article 23 analysis

The same variant of the bill personal numbers which are used in information systems by the state and local bodies for convenience of data processing about physical persons were meant a various sort. Such identifiers, certainly, are the individual number the tax bearer (INN) provided by item 84 of Tax code РФ1, and insurance number of the individual personal account in system of obligatory pension insurance according to item 7 ch. 1 federal act «About the obligatory (personified) account in system of obligatory pension insurance» [392 [393] [394], policy number

Obligatory medical insurance. Creation such «the State register of the population of the Russian Federation» explained the government necessity of their specification, noticing, that in it personal identifiers, for example an INN which from the point of view of the law are not will contain only popular personal given, and also

-e

The information of the limited access. However to defend expediency of existence of such uniform database to the government it was not possible. Already at a discussion stage in committees of the State Duma against it have been put forward, as serious, following arguments: first, the operator potentially got in that case access to the information, exceeding its powers; secondly, considering complexities with protection of the confidential information in Russia as a whole, existence of the similar register would create serious threat of not authorised access to the diversified data on the subject; thirdly, register occurrence could cause serious mistrust from the population and raise social intensity. Thus, the offered concept of the state register of the population was represented conditioning for unreasonable restriction and direct infringement of the rights of citizens that contradicts variety of positions of the Constitution of the Russian Federation (article 23, a part 1 and 2; article 24, a part 1; article 55, to a part 2 and 3), as has served its withdrawal from the text of the bill after the second reading.

Further a little serious changes were not brought in the document, and the bill has successfully passed all stages and has been published on July, 29th in «the Russian newspaper» [395], becoming the federal act.

Estimating the bill text as a whole, it is necessary to note its obvious affinity of "the European tradition» as its many legal designs are evidently focused on the Convention № 108 Councils of Europe and with the Instruction 95/46/СЕ. And initial positions on the design and the maintenance so obviously remind positions of last that associations about analogy should cause. It is not necessary to see in such state of affairs something negative, more likely on the contrary, many Russian authors who have been already repeatedly mentioned in work, «the European model» legal regulation of a turn of personal data was considered as a basis for law working out. Besides the previous bill «About the information of personal character» also has been focused on legislative practice of the countries of the European union. Drawing analogies to, certainly, strengths of the accepted federal act «About personal data» can carry prorabotannost legal designs, regarding the description actually a legal regime of processing of personal data, as information of personal character, in respect of definition of principles and conditions of processing, the rights of subjects of personal data, duties of the owner and the operator of systems of personal data. However an obvious minus, certainly, refusal of institute of the independent authorised body on protection of the rights of subjects of personal data - the Representative by the rights of the subject of data was.

Legislative activity in the field of legal regulation of personal data, certainly, has not concentrated only on special law acceptance. During the period since 1995 on the present moment variety of legislative guidelines of branch character which regulated processing of bases of personal data in concrete areas of public work and for which the novel became some kind of a link has been accepted. Such positions mentioning bases of personal data, contain: in the Labour code [396], in chapter 14 «Protection of the personal

L

Data of the worker »; in item 84 of the Tax code of the Russian Federation; in item 85.1 Air

-e

The code of the Russian Federation; in federal acts: «About the individual

(Personified) account in system of obligatory pension insurance »4,« About banks and bank activity »5,« About communication »6,« About a legal status of foreign subjects in the Russian Federation "," About the state

About

To automated system GAS "Elections", «About the state bank about children of the parents who have remained without care» 9, «About certificates of registration» 10, «About compulsory insurance of a civil liability of owners of vehicles» [397], «About a conscription and military service», «About system of the state civil service of the Russian Federation» and many other things.

For the last years it is possible to say and volume, that the concept of "protection of personal data», i.e. protection of the person in the conditions of rapid development of information technologies, also varies and develops, to what numerous and essential enough changes in the legislation on personal data both in Russia, and in the world testify.

In particular, the Russian law on personal data has undergone considerable changes for last 10 years. Even simple arithmetic comparison of volume and the maintenance of the law at the moment of its acceptance (approximately 5500 words and 41000 signs) and operating edition (approximately 9900 words and 72000 signs) says that the law "potjazhelel" almost twice. If the first 5 years the law text practically did not vary, including thanks to that its coming into force was postponed, at first in December 2010 года1,

L

And then to some extent in July, 2011. In many respects it spoke "unavailability" of economy, i.e. operators of personal data to realisation of requirements of the new legislation for that moment, which separate positions at that time time and again were exposed to the sharp criticism from business community and scientific community. Many of these

-e

Problems were a subject of discussions during Parliamentary hearings of Committee on safety of the State Duma of the Russian Federation in October, 2009.

The first essential processing of positions of the law on personal data in July, 2011 when seriously have been processed more than 10 articles of the law became result of this work and there were two more new (item 18.1 and 22.1) [398 [399] [400] [401]. To the greatest degree these changes have concerned the mechanism of the law regarding an establishment of duties of the operator on maintenance of protection of personal data from any wrongful acts with them, and first of all - regarding acceptance of legal, organizational and technical measures on information protection (personal data). The specified positions in aggregate with a number of subordinate legislation already mentioned in work have brought notable clearness in definition of regime requirements to operators at maintenance of confidentiality of personal data.

Further variety of displacings of the law about personal data has been connected with its actual "fine tuning" under existing realities at processing of personal data in the state bodies and the public purposes. As it has appeared, the legislation on personal data was accepted without existing practice and features of processing of personal data at once in several spheres, such as: zhilishchnokommunalnoe хозяйство1, activity of organs of the Prosecutor's Office [402 [403],

Consumer crediting [404], at the decision of questions on citizenship [405].

Among last and most discussed changes in

The legislation on personal data it is possible to name:

- Changes in items 18 of the law establishing a rule about localisation in territory of the Russian Federation of storage and separate processes of processing of personal data about citizens of the Russian Federation [406];

- Acceptance of legislative guidelines about «the right to oblivion», i.e. establishing the right of the individual to demand removal

The inappropriate validity of the information on it from results of search in network Интернет1;

- Acceptance of new edition of article 13.11 KoAP the Russian Federation providing strengthening of administrative responsibility in the field of infringement of the legislation on personal data, both regarding increase in the size of the penalty, and regarding increase in structures of offences [407 [408] [409].

All these numerous changes show the further development of idea of protection of personal data and have been accepted in reply to current threats to the rights and legitimate interests of physical persons at processing of personal data. In particular, the requirement of localisation of bases of personal data about citizens of the Russian Federation and separate processes of their processing has been caused by obvious aspiration to provide protection of data in conditions when taking into account existing business models of the companies actively offering services in a network the Internet, including by means of cloudy services, it is impossible to define unequivocally where as a result data processing and under what jurisdiction of the state is carried out? And, what is important, whether guarantees the last due level of protection of personal data?

In the second case the problem is even more interesting and deeper. For the first time about the right

-e

On oblivion it has been declared in business Google Spain in 2014. Occurrence of the new norm providing for the individual possibility to demand of removal from results of search of search system Google of the reference to the information as which he considers become outdated or irrelevant became a result of its consideration. Such requirement the European court of EU has proved in Instruction positions № 95/46/ЕС, recognising actually search system the operator of personal data and, as consequence, the right of the person to demand the termination of processing of personal data.

The Russian legislation, despite at times the sharp criticism from the party the Internet-soobshchestva1 and some scientists [410 [411] [412], marvellously has quickly accepted similar positions which have become effective since January, 1st, 2016. In 2016 one of the largest Russian Internet companies "Yandex" has published the first results of application «the law on the right to oblivion», having declared, that only in the beginning of 2016 the search system has received

-e

More than 3600 references, having satisfied only 27 % from them. Company Google which accepts for a long time already similar references, as of 2017 has received already more than 730000 inquiries about removal of the information from search, having given the positive answer more than in 40 cases [413]. As a whole polemic about the nature and essence «the rights to oblivion», its influence on Internet development, on balance maintenance between the right to respect of a private life and freedom of expression is still far from end to what periodically appearing publications on this theme [414] testify.

Moreover, corresponding positions about «the right to oblivion» have been included in absolutely new document - General Data Protection Regulation (General rules of regulation of protection of data; further - General rules) [415] which in the near future should come in the stead of the Instruction № 95/46/ЕС.

It is possible to name occurrence of the last one of the most serious and global reforms of the European system of protection of personal data since 1995. The specified General rules became a result of long preparation and the coordination of the text of the new "systematising" law on personal data of EU with the countries-participants. Their text has been prepared in 2011 and definitively has been accepted only in April, 2016. Now there is a so-called transition period for adaptation and harmonisation of texts of national laws about personal data with the termination on May, 25th, 2018 when General rules should become effective.

The reasons of acceptance of General rules have been explained and particularised in the explanatory note [416] anticipating the text of the normative act, among them two cores have been named:

- The general development of an information society with which it is connected

Occurrence of new threats to the rights of the individual at data processing;

- "Fragmentariness" of the national legislation on the personal

EU given in the countries-participants.

Among the most essential changes offered by General rules in comparison with positions of the Instruction 95/46/ЕС, it is possible to name:

1) perfection of the conceptual device and occurrence of new terms;

2) introduction of new principles at processing of personal data - a principle of a transparency and a principle of complex and adequate responsibility of the operator of data;

3) fastening of the right to oblivion and the incorporeal right of the termination of processing and removal of data;

4) obligatory appointment of responsible persons for processing of personal data for public sector and large business etc.

In addition to General rules reform of the European model of protection of personal data has mentioned also sphere of law-enforcement activity. In the general package of changes together with Rules the special instruction regulating questions of processing personal given bodies, competent to spend criminal prosecution and investigation has been accepted, and also to carry out execution of punishments under criminal law [417]. Occurrence of this document somewhat is in itself "novelty", considering, that earlier the Instruction 95/46/ЕС did not extend action of the mechanism about protection of data to such case, naming it among exceptions. Now, on the contrary, the countries of Europe will receive the uniform document regulating substantive provisions about data processing by law enforcement bodies. The offered mechanism and its key principles is very similar to Instruction positions 95/46/ЕС and General rules, but in a little truncated kind and is more likely directed on guaranteeing observance of a principle of legality at processing of personal data. Among interesting "novelties" it is necessary to note desire to divide the personal data processed by law enforcement bodies, on a number of categories, proceeding from features of the subject which they concern. In particular, new positions order to national law enforcement bodies and the countries-participants to do distinction between personal data of the suspects, the sustained (victims) convicted and other participants of criminal trial that is not deprived sense and demands the further studying and judgement.

If to speak about development and perfection of the national legislation and practice in the field of protection of personal data in the countries of Europe it is possible to note the general tendency on active attraction to working out of branch norms about protection of the personal given self-regulating organisations and associations of businessmen for concrete sectors of economy. As an example of it the information placed on a site of Information commissioner Velikobritanii1 where detailed instructions and managements on the organisation of system of protection of personal data in various sectors of economy that the organisation could organise competently and correctly the business processes according to the European and national norms about protection of data are resulted can serve. Similar sections of a site and an activity direction are at many authorised bodies on protection of the rights of subjects of personal data in the European countries: The commission on protection of a private life of Belgium [418 [419], the National commission on computer science and freedom in France [420], the Commissioner on protection of data in Ireland [421], the National commissioner on protection of data of Portugal [422] etc.

Essential difference in current activity, activity on protection of the rights of subjects of personal data and activity under the control and supervision of observance of the legislation on personal data at these bodies just considers interaction with operators and subjects of personal data on granting of consultations about application of the legislation on personal data. As an example fresh enough statistics of the National commission on computer science and freedom where a key indicator is not the quantity of checks, or quantity of the constituted reports and receipts in the state budget that is characteristic for its Russian analogue [423], and in bolshej can serve degree quantity of the consultations rendered to citizens and the organisations, quantity of the given out permissions and quantity of the conclusions on projects of normative acts various уровня1.

One more extremely interesting direction of activity of the National commission on computer science and freedom is the organisation of voluntary accreditation of business processes of the companies-operators from the point of view of their conformity to the legislation on personal data and delivery

L

It of a special sign on conformity (Label CNIL), that raises trust degree to it from consumers of services and checking body. So in

-e

To particular for 2016 by the Commission it has been given out such 92 signs on conformity which can be used the companies by granting of the services and take places on their sites. Besides possibility to receive such sign on conformity the interested organisations, and more often their associations, can turn into the Commission for reception of approval of the internal corporate rules of processing of personal data [424 [425] [426] [427]. Such procedure provides the big transparency of activity of associations of businessmen and their participants for control and supervision body and allows them to bring the business processes into accord with the legislation on personal data.

Certainly, it is far not all occurring changes in the foreign legislation and practice, but taking into account the Russian experience they would be, at a sight of the author, the most useful and actual for the further studying and possible adaptation to the Russian realities.

<< | >>
A source: Bundin Michael Vjacheslavovich. the PERSONAL INFORMATION of the LIMITED ACCESS GIVEN In SYSTEM. The DISSERTATION on competition of a scientific degree of the master of laws. Moscow - 2017. 2017

More on topic features of formation of the Russian approach to legal regulation of personal data:

  1. § 3. Registration of the Russian model of a konstitutsionno-legal protection of personal data: doktrinalnyj the approach
  2. § 1. Legal preconditions of formation of the Russian model of a konstitutsionno-legal protection of personal data
  3. Chapter 2. Prospects of formation of the Russian model of a konstitutsionno-legal protection of personal data
  4. Features of a legal regime of information systems of personal data
  5. CHAPTER 3. FORMATION OF THE RUSSIAN AND FOREIGN LEGISLATION ON PERSONAL DATA
  6. legal nature of personal data
  7. § 1. Legal bases of the German model of a konstitutsionno-legal protection of personal data
  8. § 3. The basic lines of the German model of a konstitutsionno-legal protection of personal data
  9. confidentiality as a legal regime element Personal data
  10. Organization-legal problems of realisation of the right to safety of the information on a private life and personal data