Roskomnadzor takes over the certification of personal data operators

As Kommersant has learned, Roskomnadzor proposes that the upcoming bill on turnover-based fines for personal data leaks include a requirement for companies to obtain a license to process such data. Licensing would be carried out by a certification center under the regulator. Currently, data operators only have to notify the agency that they have started such activities.

Roskomnadzor proposes to add the concept of a “special operator” to the upcoming bill on turnover-based fines for personal data leaks; this operator would become a certification center for companies that process personal data, two sources familiar with the drafting of the project told Kommersant: “The regulator wants to take on this role.” Thus, operators would have to not only notify Roskomnadzor that they are processing citizens’ personal information, but also receive a “license” from the regulator for that processing, Kommersant’s sources explain.

It is assumed that, to grant the license, the regulator would audit the company’s IT infrastructure for compliance with certain criteria, one of the sources explains. A source close to the Ministry of Digital Development specified that the initiative may be extended only to companies that process a large volume of data: “But so far the thresholds have not been detailed.” The office of Alexander Khinshtein, head of the State Duma Committee on Information Policy, Communications and IT, confirmed that “there is such a proposal,” adding that the bill is “at the final stage.” Roskomnadzor and Mintsifra did not respond to Kommersant.

Since September 1, 2022, under amendments to the law “On Personal Data”, operator companies must notify Roskomnadzor of the start or continuation of any processing of personal data, except in a number of cases, for example, when data is processed to protect state security and public order. Licensing in the field of information protection is currently handled by the FSB and FSTEC, which certify data protection tools.

A bill on turnover-based fines for legal entities that leak the personal data of employees or customers has been in development since the beginning of 2022. The initiative involves amending the Code of Administrative Offenses so that a company that has suffered a leak can be fined 1% of its annual turnover. Later it became known that a range of fines from 5 million to 500 million rubles was under discussion (see Kommersant dated December 26, 2022).

Data leaks, including leaks of personal data, remain a significant problem: according to Positive Technologies, in the first two quarters of 2023, 51% of cyber incidents resulted in a leak, and in the second quarter the number of leaks exceeded that of the first by 4% (see Kommersant dated June 16).

“The most critical leaks occur at the largest big data operators: telecoms, banks and fintech, retail and insurers,” said Kirill Lyakhmanov, chief legal adviser of the intellectual property practice at the law firm EBR. If the licensing rule proposed by Roskomnadzor is adopted, it will most likely apply to all processors of personal data, since otherwise “its political effect will tend to zero.” But if a full-fledged audit of the architecture of data processing tools by Roskomnadzor is meant, then this will greatly increase the “cost” of the process for small companies, he notes: “They will be forced to buy ready-made, ‘boxed’ solutions for storage and processing from third-party providers.”

The complexity of implementing such an initiative depends on the regulator’s approach, namely how it will be decided whether to grant a company a license for data processing, says Axenix cybersecurity expert Evgeny Kachurov: “For example, it is not clear what to do if Roskomnadzor considers the composition of personal data required to do business.” Kommersant’s source in the cybersecurity market believes that the initiative could lead to a dead-end scenario in which any Russian legal entity would have to obtain a license, since it processes the data of its own employees: “This will turn into an additional bureaucratic restriction.”

Tatiana Isakova, Yulia Tishina