Amendments to the law “On Personal Data” confused businessmen: a lot of inconvenience

Representatives of the IT business asked the Ministry of Digital Transformation to finalize the amendments to the law “On Personal Data”, which come into force on September 1. The participants of the July meeting of the working group “Regulatory regulation” of the ANO “Digital Economy” had a number of fundamental comments on this document. However, the amendments do not suit not only IT specialists. Frankly raw, moreover, counterproductive, they are seen by people from various spheres of economic activity.

Earlier, the deputy head of Roskomnadzor Milos Wagner, speaking about the advisability of the amendments, recalled a series of big data leaks – Big Data: since the beginning of the year there have been more than forty of them in the country, as a result, more than 300 million records have become freely available. We are talking about any data by which you can identify a person – full name, date of birth, email address, phone number, place of residence and health information. According to Wagner, the amendments are due to the fact that “personal data has become too valuable an object for the modern economy, they are, without exaggeration, being hunted. The state should also receive tools to influence the situation.”

According to one of the amendments, from September 1, the seller will not be able to refuse the sale of goods or services due to the fact that the buyer did not provide his personal data (PD). Now, when making purchases or paying for services from people, under various pretexts, they collect phone numbers, email addresses and other personal information.

If we talk about biometric PD, then from now on the main legal basis for their processing is the written consent of a person. Another amendment states that the period for providing a person with comprehensive information about the processing of his personal data should not exceed 10 business days, however, if there are valid reasons, this period may be extended by another 5 business days.

As for personal data operators, they are required to notify Roskomnadzor (in electronic form on the regulator’s portal) of incidents with personal data from the moment they are discovered. Responsibility for violations is also becoming tougher: Article 14.8 of the Code of Administrative Offenses establishes penalties for a store refusing to conclude an agreement with a consumer who did not report the PD. Fines for officials – from 5 thousand to 10 thousand rubles, for legal entities – from 30 thousand to 50 thousand rubles.

It would seem that the innovations that come into effect on September 1 are aimed at protecting private information and should be warmly approved by society. Meanwhile, judging by the reaction of business circles, the amendments significantly complicate their lives, primarily in the legal and technical sense. Several entrepreneurs told us on condition of anonymity what kind of problems the updated law “On Personal Data” creates.

So, let’s say a consumer decides to order home delivery of goods. If earlier a store (legal entity) automatically, upon the conclusion of a civil law contract with an individual, received the right to process his personal data and transfer them to third parties (courier), now this elementary option has been removed. Moreover, from September 1, all participants in the courier delivery process will have to obtain a written consent to the processing and transfer of PD – to the store, to the courier.

It is difficult to formulate this task in a human, understandable language, not to mention its scrupulous implementation.

If earlier someone was hired by the company as a courier or freight forwarder, it was understood that this person could give permission to transfer his minimum personal data (name and phone number specified in the power of attorney) to all counterparties. Now the company will have to obtain the written consent of its own employee to transfer this information to each customer of the goods.

According to the authors of the amendments, all this is done in order to strengthen the protection of personal data. In fact, businessmen interviewed by MK assure that additional risks may arise in the event of their leakage, since any consent becomes personalized, and any transaction becomes much more transparent. Conventionally, you order pies (through the marketplace) from an individual entrepreneur who bakes them, they are delivered to you by a courier, and all information about this process will be clearly traced.

In addition, the amendments create exceptionally favorable ground for the imposition of fines. The degree of responsibility of self-employed individuals (the same couriers or taxi drivers), who in their activities constantly deal with other people’s personal data, increases many times over. They receive this information no longer as individuals, but as official data operators. This means that they are responsible for its safety. And if any courier loses his personal phone with all SMS correspondence with the customer, this will be treated by law as a data leakage incident. That is, out of the blue, a person receives personal risks in the form of an impressive fine.

As our interlocutors note, the law was originally written for legal entities: it does not take into account how commercial relations between ordinary citizens are developing today. Now there are a lot of self-employed people in the country, many individual entrepreneurs who provide a variety of services, but at the same time do not bear the burden of administration, regulation, creating documentation, and conducting internal investigations. At the disposal of some IP-shnik there may be (conditionally) three hired couriers and one pie shop.

How to combine their activities with the law “On the Protection of Personal Data” so as not to run into a fine? Our interlocutors pin their hopes only on the fact that there are many such small businesses: they will not come to everyone.

“Indeed, there are a lot of leaks, – Vladimir Seleznev, a specialist in information security, candidate of technical sciences, comments on the situation. – Personal data in Russia is collected by everyone who is not too lazy, despite, firstly, repeated warnings from Roskomnadzor, and secondly, the fact that there is an official register of organizations authorized to collect and keep personal data. Citizens themselves are very calm about requests to provide a copy of their passport, phone number and other personal information. Although it can be used against them.”

In general, the problem of ensuring the security of personal data should be solved not so much by legally-compulsory, but by purely technical and technological methods. It is not the legislation that needs to be corrected, but the control over the safety of personal data needs to be strengthened. It is clear that Roskomnadzor is physically unable to do this: it does not have the appropriate resources. Finally, there is a contradiction that is insurmountable today: on the one hand, business cannot be a nightmare, on the other hand, it is necessary to check how adequately companies work with PD. As for the size of the established fines, for large grid companies (which mainly leak PD), this is not a problem at all, Seleznev summarizes. According to him, the fines should not be in absolute terms, but in relative, “floating” – relative to the turnover of a particular transaction. Only then can they have an effect.