Inspectors will come to those who leak – Newspaper Kommersant No. 235 (7436) dated 12/17/2022

Against the backdrop of increasing leaks of personal data of citizens, the Ministry of Digital Transformation proposed lifting the moratorium on unscheduled inspections of businesses by Roskomnadzor if the company leaked information. According to market participants, under certain conditions, this measure will help combat the use of data for illegal purposes, which has already become a separate business area for some unscrupulous operators.

Project decrees government, canceling in certain cases the moratorium on unscheduled business inspections, was posted by the Ministry of Digital Development on the portal of legal acts on December 15. It follows from the document that Roskomnadzor, subject to agreement with the prosecutor’s office, will have the right to conduct unscheduled audits of companies if a leak of their database has been recorded. Inspections are carried out “by decision of the head or deputy head of Roskomnadzor,” the draft says. It applies to all operators of personal data, clarified “Kommersant” in Mintsifra.

“Since the beginning of the military operation, the number of leaks of personal data has increased dramatically: more than 140 cases, about 600 million records about citizens got into the network,” Roskomnadzor representatives said.

But since March 2022, the government introduced a moratorium on unscheduled inspections, and now they can be carried out in case of significant threats to life and health, as well as at the request of the prosecutor, on behalf of the prime minister or the president of Russia. According to the interlocutor of Kommersant, who is close to the development of the initiative, the amendments will lift the moratorium on a specific segment of violations – data leaks.

Roskomnadzor’s unscheduled inspection is an on-site event during which department employees come to the organization and demand access not only to documents regulating data processing, but also to technical means of information processing: servers or cloud storage, explains the chief legal adviser of the intellectual property practice of the EBR law firm Kirill Lyakhmanov. “During the audit, in my experience, the department is especially attentive to everything related to the processing of special categories of personal data: biometrics, information about nationality and religion, health status and political views. The isolation of the premises in which the data servers are located and the storage of documents related to the personal data of the subjects are also being studied,” the expert said.

There are enterprises that consider unauthorized transfer of personal information to third parties as a business model, says R-Style Softlab analyst Alexander Sholokhov, unscheduled checks will minimize unfair practices. However, Vladimir Ulyanov, head of the Zecurion analytical center, does not see why this particular initiative could significantly change the situation. One of the reasons why leaks continue to happen with enviable regularity is banal – seriously investing in data protection is often inappropriate for business, despite the fact that now “the real responsibility for the leak is minimal,” says Mr. Ulyanov. As Kommersant wrote, the Ministry of Digital Development is preparing a bill on turnover fines (up to 3%) for submission to the State Duma in the event that the company leaks user data (see “Kommersant” dated October 24).

“We must not forget that Roskomnadzor is not authorized to conduct technical inspections – this is the patrimony of the FSTEC, and Roskomnadzor can only check what concerns the processing of personal data,” recalls Pavel Korostelev, head of the security code company’s product promotion department. The concrete benefit of the project will manifest itself when it is clearly described how the checks will take place, how much authority Roskomnadzor will receive and, most importantly, how much resources will be allocated for this, Mr. Korostelev believes.

Tatyana Isakova