CC BY
12DOI: 10.24412/2076-1503-2023-8-330-339 АЛИМОВА Александра Ашрафовна,
NIION: 2018-0076-8/23-631 магистр права, младший юрист,
MOSURED: 77/27-023-2023-8-631 адвокатское бюро «Рыбалкин,
Горцунян, Дякин и партнеры», e-mail: [email protected]
ОБЯЗАННОСТИ ПО ОБЕСПЕЧЕНИЮ БЕЗОПАСНОСТИ ПЕРСОНАЛЬНЫХ ДАННЫХ НА ПРИМЕРЕ РОССИЙСКОГО
ЗАКОНОДАТЕЛЬСТВА
Аннотация. В статье подробно рассматривается деятельность операторов персональных данных в России, в частности, такие аспекты как критерии физического и «виртуального» присутствия в государстве, экстерриториальная защита персональных данных граждан, проблемы правоприменения и вероятность проверок со стороны контролирующих органов, а также ответственность за невыполнение требований законодательства. Предложенный автором анализ может быть успешно использован в практике компаний-операторов персональных данных, в особенности, находящихся за рубежом, при исполнении обязанностей, предписанных законодательством Российской Федерации. В качестве выводов автор обращает внимание на необходимость соблюдения требований, предъявляемых российским законодательством к операторам персональных данных, даже если организация, осуществляющая сбор или обработку персональных данных, не имеет физического присутствия в Российской Федерации. Неисполнение таких обязанностей с большой долей вероятности может привести к блокировке интернет-ресурсов в Российской Федерации, если они не локализованы в этой стране, как это произошло в громких случаях блокировок LinkedIn и Twitter в России.
Ключевые слова: защита персональных данных, безопасность персональных данных, оператор персональных данных.
ALIMOVA Aleksandra Ashrafovna,
Master of Laws, junior lawyer, law firm «Rybalkin, Gortsunyan, Dyakin and Partners»
OBLIGATIONS TO ENSURE THE SECURITY OF PERSONAL DATA ILLUSTRATED BY RUSSIAN LEGISLATION
Annotation. The article examines in detail the activities of personal data operators in Russia, in particular such aspects as criteria of physical and virtual presence in a state, extraterritorial protection of personal data of citizens, problems of enforcement and probability of inspections by regulatory authorities as well as responsibility for failure to comply with statutory requirements. The analysis proposed by the author can be successfully used in the practice of personal data operator companies, especially those located abroad, in the performance of duties prescribed by the legislation of the Russian Federation. In conclusion, the author draws attention to the need to comply with the requirements of provided by Russian legislation to personal data operators, even if an organization that collects or operates with personal data does not have physical presence in the Russian Federation. Non-compliance with such duties may highly likely lead to blockages of Internet resources in the Russian Federation, if they are not localized in that country, as happened in the high-profile cases related to the blockages of LinkedIn and Twitter in Russia.
Key words: data protection, security of personal data, personal data operator.
Introduction
It is known that without knowledge of the legal regulations governing the relevant areas of business, it is impossible to properly build a risk-based and business-oriented information security management
system. Penalties and reputational damage from non-compliance with regulations can significantly alter the plans for functioning and development of an organization: non-compliance with data security regulations can result, for instance, in revocation of
ОБРАЗОВАНИЕ И ПРАВО № 8 • 2023
license of a financial institution. Non-compliance with the requirements set for the place of primary collection and processing of personal data, in turn, may result in blocking access to the company's website. Failure to comply with critical information infrastructure security standards may even result in imprisonment in some countries. Given that there is a huge number of applicable laws and regulations on the topic, in this article we suggest to focus on the security of personal data illustrated by Russian legislation, which is notable for the fact that its provisions, particularly those relating to the localization of personal data, apply to foreign operators of personal data of Russian citizens as well.
The aim of the present article is to provide an overview of obligations of personal data operators using the example of Russian legislation.
Methods
Both general scientific and specific scientific methods were used in the work on the article.
For the purposes of formulating of legal terms and description of properties of legal phenomena in the field of security and processing of personal data, the formal-logical method was used. Furthermore, using the systematic method, the author compared the texts of legal norms of federal laws, analyzed direct and backward linkages of the personal data protection system, identified the functional tasks and the degree of consistency of norms on general and special duties of personal data subjects. The author also used a functional method to clarify the essence of the personal data protection system by examining the functional duties of personal data operators.
As for the specific scientific methods, the formal legal method was used to prepare a systematic description and classification of the personal data controller's duties, while the comparative legal method was used to compare the norms of Russian legislation with the legal norms of foreign jurisdictions.
Results
As a result of this study, the author offers a detailed list of duties of personal data operator under Russian law.
The obligations imposed on the operator by Russian legislation in the field of personal data can be roughly divided into two large groups:
(a) General obligations of the operator: such duties include the adoption, in accordance with the Law on Personal Data [1] and bylaws, of documents and local acts of an operator in the field of personal data processing, which provide general regulation of personal data processing in the organization and establish procedures for the actions of employees of the operator by processing of personal data.
(b) Obligations to ensure personal data security: such measures include actions to be taken by an operator to ensure the direct protection of personal data. Such measures are aimed at establishing control over the processing of personal data, the use of certain means of protection of personal data, the development of measures to protect personal data from unauthorized access, etc.
The general obligations of the personal data operator include the following:
№ Type of general obligation of the operator
1. Compliance with the requirement to localize personal data of citizens of the Russian Federation
2. Appointment of the person responsible for the organization of personal data processing
3. Issuance of documents defining the policy on personal data processing, local acts on personal data processing
4. Education of employees in respect of the provisions of legislation on personal data and local acts of the operator, as well as conducting of appropriate training
5. Sending a notice to the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (hereinafter - Federal Service for Supervision) of the intention to process personal data
6. Sending a notification to the Federal Service for Supervision about cross-border transfer of personal data
ОБРАЗОВАНИЕ И ПРАВО № 8 • 2023
7. Informing the subject of personal data about the collection of his personal data
8. Responding to requests of subjects of personal data (their representatives)
9. Responding to requests of the Federal Service for Supervision
10. Performing an audit of the compliance of personal data processing with the requirements of personal data legislation
As for the obligations to ensure security of personal data, they include:
№ Type of obligation to ensure security of personal data
1. Determination of threats to the security of personal data during their processing in personal data information systems
2. Assessment of the harm that may be caused to personal data subjects in case of violation of the Law on Personal Data [1]
3. Application of the duly approved conformity assessment procedure for information security facilities
4. Recording of personal data storage devices
5. Establishing rules for access to personal data processed in the information system of personal data, as well as ensuring registration and recording of all actions performed with personal data in the information system of personal data
6. Control over the measures taken to ensure the security of personal data and the level of protection of personal data information systems
7. Evaluation of the effectiveness of measures to ensure the security of personal data prior to the commissioning of the information system of personal data
8. Ensuring interaction with the State system of detection, prevention and elimination of consequences of computer attacks, including informing it about computer incidents that led to the unlawful transfer (provision, distribution, access) of personal data
9. Detection of unauthorized access to personal data and taking measures, including measures to detect, prevent and eliminate the consequences of computer attacks on information systems of personal data and the response to computer incidents in them
10. Restoration of personal data modified or destroyed as a result of unauthorized access
General regulation of the duties of the personal data operator
In accordance to the previous statutory wording of the Law on Personal Data [1], it was possible to conclude that the law applies to foreign persons (due to physical or "virtual" presence). This approach was formed after all operators were obliged to localize
personal data of citizens of the Russian Federation in 2015. Localization here means the operator's obligation to ensure recording, systematization, accumulation, storage, clarification of personal data of citizens of the Russian Federation when collecting personal data, including via the Internet, in databases located in the Russian Federation (paragraph 5 of Article 18
ОБРАЗОВАНИЕ И ПРАВО № 8 • 2023
of the Law on Personal Data [1]). Ministry for Digital Technology [19] и Federal Service for Supervision [20] have indicated that the extension of the scope of the Law on Personal Data to foreign organizations, in particular the localization requirement, is determined based on the following criteria:
1) the physical presence (for foreign companies - a branch / a representative office in the territory of Russian Federation) or
2) the virtual presence, as evidenced by compliance with one of the following criteria:
(a) use of a geographical domain name associated with the Russian Federation (.ru, .rf., .su) or its individual regions (e.g., .moscow). This criterion is self-sufficient and may be applied regardless of the presence of other criteria. This criterion is also met when a domain in the Russian zone is used for redirection (redirect) to another domain not associated with the Russian Federation;
(b) availability of a Russian-language version of the Internet resource. It is worth noting that this very criterion was applied in the LinkedIn case, in which a Russian court found LinkedIn violating the localization provisions of the Law on Personal Data [24]. The Supreme Court of the Russian Federation similarly applied this criterion in the case of Twitter concerning the company's violation of the localization requirement [25]. The localization of a website must be purposeful and not represent the use of automatic translation systems. This requirement is satisfied if at least one of the additional criteria is met:
(i) the possibility of concluding and executing a contract with a Russian resident, in particular, the delivery of goods or digital content to the territory of Russia;
(ii) the possibility of making settlements in Russian rubles;
(iii) the use of contextual or banner advertising in Russian that includes a link to the relevant Internet resource (this criterion was applied in the above mentioned LinkedIn case [24]);
(iv) other circumstances which clearly indicate the intention of the owner of the website to include the Russian market in its business strategy. For example, the presence on the Internet resource of feedback methods related to the territory of the Russian Federation.
The Law on Personal Data [1] indicates that the operator of personal data is any person, that independently or jointly with others organizes and (or) performs processing of personal data, as well as determines the purpose of processing of personal data, the composition of personal data to be processed, the actions (operations) performed with personal data. Consequently, even before the adoption of the Law No. 266-FZ [2] foreign organizations hav-
ОБРАЗОВАНИЕ И ПРАВО № 8 • 2023
ing the physical or virtual presence in the Russian Federation were required to perform the duties of the operator established by the Russian legislation on personal data, in particular: to localize personal data of citizens of the Russian Federation, to provide an appropriate legal basis for processing personal data, to adopt a policy for processing personal data and publish it on the Internet, to appoint a person responsible for processing of personal data, conducting regular audits and inspections, etc.
Law № 266-FZ [2] of 01.09.2022 states that the provisions of the Law on Personal Data [1] "apply to the processing of personal data of citizens of the Russian Federation, carried out by foreign legal entities or foreign individuals, based on agreements to which citizens of the Russian Federation are parties, or on any other agreements between foreign legal entities, foreign individuals and Russian citizens or on the consent of a citizen of the Russian Federation to process his personal data". The inclusion in the Law on Personal Data of a general rule stating that it applies to foreign operators raises the question of which operator's obligations under the Law on Personal Data apply specifically to foreign entities.
In the explanatory memorandum to the draft law № 266-FZ the author of the bill confirmed that these provisions provide for the extraterritorial application of Russian legislation on personal data for the protection of personal data of citizens of the Russian Federation even abroad [22]. In addition, as a general rule, a person who processes personal data on behalf of the operator (hereinafter - the processor) is liable only to the operator [1]. At the same time, since the entry into force of the Law № 266-FZ [2] on 01.09.2022, a foreign processor is liable to the subject of personal data along with the operator [1]. Consequently, foreign processors along with foreign operators are also included in the scope of the Law on Personal Data [1].
Problems of enforcement and inspections by regulatory authorities
The author of the draft Law No. 266-FZ indicated that in order to ensure the extraterritorial effect of the Law on Personal Data, Federal Service for Supervision would receive the authority to intervene in the processing of personal data of Russian citizens in other countries. At the moment, there are no explanations from the regulatory authorities on this matter, and the mechanism for conducting inspections in relation to foreign operators without physical presence in the Russian Federation is unclear.
Previously, the procedure for conducting control measures in the field of personal data gave the Federal Service for Supervision the right to inspect personal data information systems. Information systems
of personal data include, among other things, technical means. Therefore, previously the Federal Service for Supervision could theoretically verify the compliance with the obligation to ensure personal data security.
However, in the course of inspections the Federal Service for Supervision usually limits itself to studying local acts and other documents adopted by an operator, as it does not have specialists who could check the actual implementation of obligations to ensure the security of personal data. Thus, the Federal Service for Supervision does not check the actual implementation of personal data security obligations by operators.
At the same time, the Law on Prosecutor's Office provides to the prosecution bodies with the authority to supervise the implementation of all laws in force on the territory of the Russian Federation, including those related to commercial entities [8]. In this regard, a hypothetical possibility can be assumed to verify the compliance with the requirements of the Law on Personal Data with regard to the obligation to ensure personal data security by the prosecution authorities.
In accordance with the Regulation on the control of personal data [10], Federal Service for Supervision may conduct inspections of operators in the following forms:
1) inspection of the Internet resources of an operator;
2) desk audit (request for documents);
3) field inspection.
In relation to foreign organizations that do not have physical presence in the Russian Federation, it seems difficult to conduct field inspections. Thus, for these purposes, the Russian legislator imposed on foreign IT-companies, which had only "virtual" presence in the Russian Federation, the obligation to establish a physical presence in the form of a branch / representative office / subsidiary [7]. The physical presence of such companies subsequently allows the regulatory authorities to carry out on-site inspections.
Law No. 266-FZ does not provide for the creation of such a physical presence by foreign operators. Moreover, imposing such an obligation may be extremely burdensome for foreign operators. Consequently, it appears that the Federal Service for Supervision will be able to exercise control over foreign organizations only in the form of inspections of the Internet resources of foreign operators and sending them requests for relevant documents.
An effective mechanism of a possible response of the regulatory authorities to violations of Russian legislation on personal data by a foreign operator could be the Law on Information [6], which establishes since September 1, 2015 a procedure for
restricting access (blocking) to Internet resources, on which the relevant violations are found. In order to limit access to information on the Internet processed in violation of Russian law in the field of personal data, a corresponding register was created, which is currently maintained by the Federal Service for Supervision [23].
The basis for inclusion in this register is a judicial act that has entered into legal force and established a violation of personal data legislation by the operator. The Law on Information [6] does not contain a list of specific violations that may serve as grounds for inclusion in the register of offenders. In this regard, any information, the posting of which on the Internet site violates the rights of the owner of personal data or is a consequence of non-compliance with any duty imposed on the personal data operator, and which has not been eliminated in the process of interaction with the Federal Service for Supervision, may cause the blocking of such information resource. This procedure for blocking, established by the Law on Information [6], was used, in particular, in the cases of Linke-dIn [24] and Twitter [25] (both social networks did not ensure the localization of personal data of citizens of the Russian Federation on the territory of the Russian Federation). In this regard, in case of imposing obligations on a foreign organization under the Law on Personal Data [1], and the subsequent failure to comply with such obligations, there is a risk of blocking the information resources of a foreign organization in the Russian Federation.
In addition, the violation of legislation on personal data may lead to administrative responsibility under the Code of Russian Federation on Administrative Offences [9], in particular - result with the imposition of an administrative fine. However, it seems difficult to enforce collection of such fine in respect of foreign organizations that do not have a physical presence in the territory of the Russian Federation.
General Review of Personal Data Operator Obligations
The Personal Data Law establishes a general obligation for operators and other persons granted access to personal data to ensure the confidentiality of personal data. The Personal Data Law recognizes the autonomy of the operator in determining the composition and the list of measures to perform the duties imposed on it by the legislation on personal data. However, with the adoption of Law No. 266-FZ [2] the list of such measures formulated in the Personal Data Law has become mandatory.
Moving on to a detailed discussion of the duties of the personal data operator, we propose to begin with a brief description of the first category of such duties, namely, the general duties of the personal data operator.
ОБРАЗОВАНИЕ И ПРАВО № 8 • 2023
Compliance with the requirement to localize
personal data of citizens of the Russian Federation
This requirement is critical especially for foreign personal data operators.
A personal data operator must localize personal data of citizens of the Russian Federation. This obligation has arisen since 01.09.2015. When collecting personal data, including on the Internet, an operator must ensure the recording, systematization, accumulation, storage, clarification (updating, changing), and extraction of personal data of citizens of the Russian Federation using databases located in the Russian Federation.
Collection is a deliberate process of obtaining personal data by an operator directly from the subject of personal data or through specially engaged third parties for this purpose. So, if an operator receives such data accidentally (not as a result of deliberate activity), such as a result of receiving letters by e-mail or other mail, which contain personal data, it will not be considered collection. Moreover, if an operator receives personal data of citizens of the Russian Federation from another operator, it is also not considered a collection, and therefore a data operator does not have to localize such data in the Russian Federation.
Localization of personal data means the use of databases located in the Russian Federation when collecting such data. The Civil Code of the Russian Federation (hereinafter - the Civil Code) [3] defines a database as a set of independent materials presented in an objective form, systematized in such a way that these materials can be found and processed by means of software. Federal Service for Supervision gives a broader definition of a database: Federal Service for Supervision understands a database as an ordered array of data, independent of the type of tangible medium, and the means used to process it (archives, file cabinets, electronic databases). Therefore, Federal Service for Supervision refers to tables in Excel or Word format, containing personal data of citizens, as databases.
In order to comply with the obligation of personal data localization, an operator of personal data must ensure that the personal data is located and updated in databases on the territory of the Russian Federation, and the subsequent transfer of personal data to a database abroad would not be a violation of this obligation. Parallel operation of databases on the territory of Russia and a foreign country, as well as parallel entry of collected personal data into the Russian database and a foreign database is unacceptable.
Operators themselves establish ways to determine whose personal data (of Russian citizens or not)
ОБРАЗОВАНИЕ И ПРАВО № 8 • 2023
they are processing. They can implement different ways to determine citizenship: to provide a special field for citizenship in the user registration form; to create a localized version of such an online resource specifically for the Russian Federation and thereby store and process personal data of all users who register on it; to use geolocation technologies and identification of user status by IP-address or cell phone number. A scheme of personal data information systems with their locations, as well as IP-tracing results, showing where personal data of users entering the Internet resource are stored, can serve as evidence of the duty of localization.
Let us look closer at some other general duties of the operator of personal data.
Appointment by a legal entity of a person responsible for the organization of personal data processing
The organization needs to appoint a person responsible for organizing the processing of personal data. In practice, most often directors of security services, technical directors, and heads of human resources are appointed as responsible persons. The responsible person receives instructions directly from the executive body of the organization that operates with personal data (for example, the CEO) and is accountable to him/her. Such person in charge does not have to be connected to the operator through an employment relationship. An employee of another organization or a specialized organization with the appropriate technical expertise will also be suitable for these reasons.
Sending a notice to the Federal Service for Supervision of the intention to transfer personal data across borders
An operator of personal data must notify the Federal Service for Supervision of their intention to process personal data. From 01.03.2023 an operator is also obliged to notify the Federal Service for Supervision of their intention to transfer personal data across borders before such transfer begins. In order for the transfer to qualify as a cross-border transfer, it must meet the following criteria:
1) personal data enters the territory of a foreign country;
2) personal data are transferred to the control of a foreign person;
3) this transfer is the result of purposeful activity of the operator.
Informing the subject of personal data when collecting his personal data
When collecting personal data, an operator must provide the subject of personal data at his/her request with the following information:
1) confirmation of the fact of personal data processing by an operator;
2) the legal basis and purpose of personal data processing;
3) the purposes and methods of processing of personal data applied by an operator;
4) the name and location of the operator, information about persons (excluding the operator's employees) who have access to personal data or to whom personal data may be disclosed by agreement or by law;
5) processed personal data pertaining to the respective personal data subject, the source of their obtaining;
6) terms of personal data processing, including the terms of their storing;
7) the procedure of exercising by the personal data subject of his/her rights provided by the Law on personal data;
8) information on the performed or expected transborder transfer of data;
9) the name and address of the processor (if
any);
10) information on how the operator performs their duties as personal data processor.
A very important issue is the following: if a personal data operator received personal data not as a result of collection, they must send the following information to the subject of personal data without request:
1) the name of the operator and the address or their representative;
2) the purpose of personal data processing and its legal basis;
3) the list of personal data;
4) the intended users of personal data;
5) the rights of the subject of personal data established by the Law on personal data;
6) the source of obtaining personal data.
A personal data operator does not have to preventively notify the subject of personal data about the beginning of the processing of their personal data only in the following cases:
1) the subject of personal data is notified about the processing of his personal data by another operator, from whom an operator received the personal data;
2) an operator received personal data on the basis of the law or in connection with the performance of the contract, which party or beneficiary or guarantor of which is the subject of personal data;
3) an operator processes personal data for statistical or other research purposes, for professional activities of a journalist or scientific, literary or other creative activities, if the rights and legitimate interests of the subject of personal data are not violated;
4) providing the subject of personal data the above information violates the rights and legitimate interests of third parties.
Responding to requests from subjects
of personal data (their representatives)
It is obligatory to provide the following information at the request of the subject of personal data (their representative):
1) confirmation of the fact of personal data processing by a specific operator;
2) the legal basis and purpose of personal data processing;
3) the purposes and methods of personal data processing applied by an operator;
4) name and location of an operator, information about persons (excluding operator's employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement or by law;
5) processed personal data pertaining to the respective personal data subject, the source of their obtaining;
6) terms of personal data processing, including the terms of their storing;
7) the procedure of exercising by the personal data subject of their rights provided by the Law on personal data;
8) information on the performed or expected transborder transfer of data;
9) the name and address of the processor (if
any);
10) information on how the operator carries out his general responsibilities, as well as on the implementation of security measures.
An operator must provide this information to the subject of personal data (their representative) within 10 (ten) working days from the date of application or receipt of the request [1, Article 14]. They can extend this period, but not more than 5 (five) working days, provided that the subject of personal data is sent a reasoned notice stating the reasons for the need to extend this period.
An operator must also satisfy the subject of personal data to clarify / block / delete their personal data, if such data is incomplete, outdated, inaccurate, illegally obtained or not necessary for the stated purpose of processing. An operator must provide the subject of personal data (his or her representative) the opportunity to become familiar with the processed personal data.
If improper processing of personal data has been detected, an operator must block the improperly processed personal data relating to that personal data subject immediately from the date of such request for the period of verification. An operator must then cease such processing within a period not
ОБРАЗОВАНИЕ И ПРАВО № 8 • 2023
exceeding three (3) business days from the date of discovery of the unlawful processing. If an operator cannot ensure the lawfulness of the processing of personal data, they must, within a period not exceeding 10 (ten) working days from the date of detection of unlawful processing of personal data, destroy such personal data. An operator shall notify the subject of personal data or their representative about the elimination of violations or destruction of personal data.
If inaccurate personal data was revealed, an operator is obliged to immediately block this personal data from the moment of such treatment for the period of verification, if the blocking of personal data does not violate the rights and legitimate interests of the personal data subject or third parties. In case of confirmation of inaccuracy of personal data, an operator shall clarify personal data within 7 (seven) working days from the date of submission of clarified information and remove blocking of personal data.
When it comes to specific responsibilities to ensure personal data security, the decree on protection requirements establishes a classification of security levels of personal data depending on what security threats are relevant to them. Next, we suggest considering a few specific examples of measures to ensure the security of personal data.
Development of a personal data security threat model
The "Personal Data Security Threat Model for Processing Personal Data in Personal Data Information System" document must be developed and updated as necessary. It is acceptable to develop one information security threat model for several information systems of the same type. If the information systems used by the operator are not of the same type, a separate threat model must be developed for each of such systems.
Assessment of the harm that may be caused to personal data subjects in case of violation of the Law on Personal Data
A personal data operator must conduct a harm assessment to determine the most relevant risks associated with the violation of the rights of personal data subjects during the processing of personal data. As of March 1, 2023, the Federal Service for Supervision must approve the requirements for this harm assessment. At present, these requirements have been drafted. According to the draft, the degree of harm is assessed as "high" / "medium" / "low". Examples of high-damage violations include personal data processing by the operator without the consent of the personal data subject, ignoring requests from the personal data subject (his representative) or disclosure to third parties and distribution of personal data to more than 20,000 (twenty thousand) subjects of per-
ОБРАЗОВАНИЕ И ПРАВО № 8 • 2023
sonal data without their consent. Medium level violations include, for example, failure to comply with the obligation to inform the subject of personal data on the beginning of the processing of their data, if such data was obtained from another operator, ignoring requests from the Federal Service for Supervision or disclosure to third parties and distribution of personal data from 1,000 (one thousand) to 20,000 (twenty thousand) subjects of personal data without their consent. In turn, examples of low level violations are disclosure to third parties and distribution of personal data of less than 1,000 (one thousand) subjects of personal data without their consent, or failure to provide notice to the Federal Service for Supervision of the intention to process personal data, or providing incomplete (unreliable) information in such notice.
Recording of personal data storage media
Personal data carriers must be kept in a secure place: a safe or a locked metal cabinet. The records must be kept with a special registration number assigned to each personal data carrier. Documentary evidence of the fulfillment of this obligation is maintaining a log of personal data storage media.
Establishing rules for access to personal data processed in the information system of personal
data, as well as ensuring registration and recording of all actions performed with personal data in the information system of personal data
It is necessary to organize personal data processing so that only such persons who need access to personal data due to business necessity and labor duties have access to it. From the technical point of view, this is implemented by establishing models of access differentiation to information systems of personal data, as well as by ensuring registration and recording of all actions performed with personal data in the information system of personal data. There are two basic models of access differentiation (according to the Order of the Federal Service for Technical and Export Control of the Russian Federation of February 18, 2013 № 21 "On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems [26]):
1) mandate-based access differentiation;
2) discretionary delimitation of access.
In the mandated model, ordinary users have no control over security policy settings. This model is less flexible and more time consuming to configure security policies, but achieves a high level of security manageability. In the discretionary model, management of subjects' access to information is based on the fact that users have some control over security policy settings. At the same time, the formation and assignment of roles of employees in the organization
should be based on the principle of granting the minimum rights and powers necessary to perform job duties.
Control over measures taken to ensure personal data security and the security level of personal data information systems
Alongside a general audit of personal data processing, periodic technical audits of information security, including a check of threats, compliance of measures taken to the security level, are required. Based on the results of such audit, if necessary, additional measures to protect personal data should be taken. The decree on protection requirements stipulates that the operator carries out such control independently and (or) with the involvement on a contractual basis of legal entities and individual entrepreneurs licensed to carry out activities on technical protection of confidential information. Such control shall be conducted at least once every three (3) years.
Restoration of personal data modified or destroyed as a result of unauthorized access thereto
Information stored in the information system of personal data must be backed up. Documentary evidence of the implementation of this obligation is the fixing of the personal data recovery procedure in the policy on personal data processing or in an independent regulation.
Conclusion
To conclude, national legislation provides a broad list of obligations for personal data operators. Non-compliance with such duties may lead to unpleasant consequences, resulting even in blockages of companies' Internet pages, if they are not localized in the proper country. Under Russian law, the duties of personal data operator can be divided in two main categories: general obligations of an operator, including such duties as the adoption of proper documentation and establishing relevant procedures for employees of a personal data operator, and more specific obligations to ensure personal data security - concrete actions that should be taken in order to properly protect the sensitive personal data.
One of the most important duties is an obligation to localize personal data of citizens of the Russian Federation. This means, the operator is obliged to ensure recording, systematization, accumulation, storage, clarification of personal data of Russian citizens in databases located in the Russian Federation, even if such an operator has no physical presence in Russian territory. The criteria of usage of a geographical domain name associated with the Russian Federation or having a Russian-language version of the Internet resource will already bear evidence of the
virtual presence of an operator in the territory of Russian Federation.
There are some practical problems of the enforcement of norms of law and holding of inspections by regulatory authorities. Even though the rules of Russian legislation provide that Federal Service for Supervision should receive the authority to intervene in the processing of personal data of Russian citizens in other countries, at the moment the mechanism for conducting inspections in relation to foreign operators without physical presence in the Russian Federation is unclear.
Список литературы:
[1] Federal Law of the Russian Federation of 27.07.2006 № 152-FZ (as amended on 14.07.2022) "On Personal Data" (in the text of the article - the Law on Personal Data).
[2] Federal Law of the Russian Federation of 14.07.2022 № 266-FZ "On Amending the Federal Law "On Personal Data", certain legislative acts of the Russian Federation and repealing part fourteen of Article 30 of the Federal Law "On Banks and Banking Activities".
[3] Civil Code of Russian Federation (part four) of 18.12.2006 № 230-FZ.
[4] Federal Law of the Russian Federation of 06.04.2011 № 63-FZ "On electronic signatures".
[5] Federal Law of the Russian Federation of 27.12.2002 № 184-FZ "On Technical Regulation".
[6] Federal Law of the Russian Federation of 27.07.2006 № 149-FZ "On Information, Information Technologies and Information Protection" (in the text of the article - the Law on Information).
[7] Federal Law of the Russian Federation of 01.07.2021 № 236-FZ "On the activities of foreign persons in the information and telecommunications network "the Internet" on the territory of the Russian Federation".
[8] Federal Law of the Russian Federation of 17.01.1992 № 2202-1 "On Prosecutor's Office of the Russian Federation".
[9] Code of the Russian Federation on Administrative Offences of 30.12.2001 № 195-FZ.
[10] Decree of the Government of the Russian Federation № 1046 dated June 29, 2021 "On Federal State Control (Oversight) of Personal Data Processing".
[11] Decree of the Government of the Russian Federation of November 1, 2012 № 1119 "On approval of the requirements for the protection of personal data during their processing in personal data information systems".
[12] Decree of the Government of the Russian Federation № 211 of March 21, 2012 "On Approval of the List of Measures to Ensure the Fulfillment of Obligations Under the Federal Law "On Personal Data"
ОБРАЗОВАНИЕ И ПРАВО № 8 • 2023
and Regulatory Legal Acts Adopted Thereunder by Operators Who Are State or Municipal Bodies".
[13] Order of the Federal Service for Technical and Export Control of the Russian Federation (hereinafter - FSTEC) of February 18, 2013 № 21 "On approval of the composition and content of organizational and technical measures to ensure security of personal data during their processing in personal data information systems".
[14] Order of the Federal Security Service of the Russian Federation (hereinafter - FSS) of 10.07.2014 № 378 "On approval of the composition and content of organizational and technical measures to ensure security of personal data during their processing in personal data information systems using cryptographic information protection tools, necessary to meet the requirements established by the Government of the Russian Federation to personal data protection for each level of protection".
[15] Order of the Federal Service for Technical and Export Control of the Russian Federation of 03.04.2018 № 55 "On Approval of the Regulation on the Information Protection Equipment Certification System".
[16] Order of the Federal Security Service of the Russian Federation of 09.02.2005 № 66 "On Approval of the Regulations on the Development, Production, Implementation and Operation of Encryption (Cryptographic) Means of Information Protection (Regulations PKZ-2005)".
[17] Instruction of the Bank of Russia № 3889-U dated December 10, 2015 "On Determination of Personal Data Security Threats Relevant to the Processing of Personal Data in Personal Data Information Systems".
[18] Methodology for information security threat assessment, approved by the Federal Service for Technical and Export Control of the Russian Federation. 05.02.2021.
[19] Processing and storage of personal data. Changes as of 01.09.2015 (Ministry for Digital Technology). URL: https://digital.gov.ru/ru/personaldata/ (date of access: 06.06.2023).
[20] Commentary to the Federal Law of 21.07.2014 № 242-FZ "On Amendments to Certain Legislative Acts of the Russian Federation with
Regard to Clarifying the Procedure for Processing Personal Data in Information and Telecommunication Networks". URL: https://pd.rkn.gov.ru/library/p195/ (date of access: 06.06.2023).
[21] Recommendations on drafting a document defining the operator's policy regarding the processing of personal data in the manner prescribed by Federal Law № 152-FZ of July 27, 2006 "On Personal Data" approved by the Federal Service for Supervision of Communications, Information Technology and Mass Media (hereinafter - Roskomnadzor). URL: https://rkn.gov.ru/personal-data/p908/ (date of access: 06.06.2023).
[22] Explanatory memorandum to the draft law № 266-FZ "On Amending the Federal Law "On Personal Data", certain legislative acts of the Russian Federation and repealing part fourteen of Article 30 of the Federal Law "On Banks and Banking Activities". URL: https://sozd.duma.gov.ru/bill/101234-8 (date of access: 06.06.2023).
[23] Register of data on taking measures to restrict access to information resources containing information processed in violation of Russian personal data legislation. URL: https://pd.rkn.gov.ru/reg-isterOffenders/viewregistry/ (date of access: 06.06.2023).
[24] Decision of the Tagansky District Court in case № 2-3491/2016 of 04.08.2016. URL: https:// mos-gorsud.ru/rs/taganskij/services/cases/civil/ details/2ffe6d6d-69cd-423a-8ed7-cf3b3bb2d536 (date of access: 06.06.2023).
[25] Decision of the Supreme Court of the Russian Federation of 27.12.2019 N 5-AD19-239. URL: https://cloud.consultant.ru/cloud/cgi/online.cgi?req=-doc&ts=lu76RWTwXskzpTH8&cacheid=-8446CA680FD8CB2CF79A7ED80C922D96&-mode=splus&rnd=iDnUMw&base=AR-B&n=613963#jOL7RWTkD3Hvghf31 (date of access: 06.06.2023).
[26] Order of the Federal Service for Technical and Export Control of the Russian Federation of February 18, 2013 № 21 "On approval of the composition and content of organizational and technical measures to ensure the security of personal data during their processing in personal data information systems".
ОБРАЗОВАНИЕ И ПРАВО № 8 • 2023
