Personal data was taken to court – Newspaper Kommersant No. 192 (7393) dated 10/17/2022

Over the past nine months, the number of applications from citizens to Roskomnadzor due to fraud related to personal data has grown by 10.5% year-on-year. The number of cases reaching court has increased by 60% over the past two years. This is due both to an increase in the number of data leaks and to the close attention of the state to the problem, lawyers believe. But even with a positive court decision, fines for leaks remain insignificant, and law enforcement officers often refuse to investigate such cases due to their complexity.

“Kommersant” got acquainted with the data of Semenov & Pevzner, according to which, since 2020, the number of court cases on violation of legislation in the field of personal data (Article 13.11 of the Code of Administrative Offenses) has increased by 30% per year. Thus, in two years the growth was 60%. Analysts took into account claims against both legal entities and individuals. Consideration of most cases ends with the imposition of fines, the company said.

The dynamics is connected, among other things, with the increasing cases of personal data leaks, as well as the need to take the process of their processing under tighter state control, explains Yulia Yarnykh, a partner at Semenov & Pevzner. Another reason is the increased awareness of people who have begun to learn about their right to withdraw consent to the use of personal data by submitting an appropriate application, notes the founder and CEO of the vvCube consulting group Vadim Tkachenko: “The trend towards an increase in the number of cases will continue, because, on the one hand, , people’s data is being used more and more, on the other hand, information about what rights a consumer has is becoming more and more accessible.

An increase in the number of citizens’ appeals is also observed by the profile regulator: in the first nine months of 2022, Roskomnadzor and its territorial bodies received 219.1 thousand citizens’ appeals, which is 10.5% more than in the same period in 2021, Kommersant was told in the department . Since the beginning of the year, more than 1.2 thousand Russians from different cities of the country have applied to the Center for Legal Assistance to Citizens in the Digital Environment, Roskomnadzor added.

Citizens’ appeals can be quite justified: according to InfoWatch, 305 databases “leaked” in Russia in the first half of the year, which is 45.9% more than in January-June 2021. The amount of stolen information increased by more than 16 times, amounting to 187.6 million records. The most high-profile cases were the loss of data from Yandex.Food, Delivery Club, and the CDEK delivery service. At the same time, the fine imposed on the legal entity in case of violation does not exceed 100 thousand rubles. (see Kommersant dated August 19).

The process of protecting personal data in court itself “cannot be called easy”, and, as practice shows, the assessment of evidence and the general process of defending the amount of a fine in each case have their own specifics, Ksenia Petrovets, senior lawyer at Birch Legal, clarifies: “In this regard, the issuance of a favorable decision does not guarantee that the defendant will bear substantial liability.”

Experts in the field of cybersecurity note that the number of criminal cases related to the “breakthrough” – the illegal search for data about people in the shadow network – is also growing. “On the one hand, law enforcement officers are learning to investigate this kind of offense, on the other hand, there are more and more offenses themselves,” explains Ashot Hovhannisyan, founder of the DLBI data leak intelligence and darknet monitoring service. According to him, in 90% of cases, employees of mobile phone stores involved in mobile “breakthrough” are guilty. They are usually charged with violation of communication secrecy (Article 138 of the Criminal Code of the Russian Federation) and illegal access to computer information (Article 272 of the Criminal Code of the Russian Federation). Punishment in these cases varies from a fine of 50-100 thousand rubles. to imprisonment for up to two years, the expert says.

Cases when attackers obtain personal data of people necessary for the subsequent commission of theft remain a common threat, says Sergey Egorov, lawyer and managing partner of the EMPP Law Office. Law enforcement agencies in almost 90% of cases in such cases issue decisions to refuse to initiate a criminal case, the lawyer says: “But this is not because they do not see it as a crime, but because it is extremely difficult to investigate such a case.”

Tatyana Isakova, Timofey Kornev