The Ministry of Digital Development is going to postpone some of the requirements for the circulation of biometric data until July 1, 2024

The Ministry of Digital Development intends to postpone until July 1 part of the requirements of the law on the circulation of biometric data affecting access control terminals – for example, those used at checkpoints (checkpoints). The reason is that Chinese biometric terminals do not support Russian cryptography standards. Companies developing biometric access systems are grateful for the delay, but emphasize the high cost of conversion and the reluctance of customers to accept the transfer of biometrics to a single system.

Kommersant got acquainted with the draft order of the Ministry of Digital Development, published on November 24 at regulation.gov.ru. He postpones for eight months, until July 1, 2024, part of the requirements for biometric systems used in Russia. The document concerns only checkpoints – we are talking about access control and management systems (ACS, used, for example, in banks, factories, commercial companies and fitness clubs). The deadlines are being shifted so that companies can purchase equipment that meets the requirements, the explanatory note says.

Changes are proposed to be made to ministry orders 445 and 446 dated May 5, 2023. They approved lists of security threats when processing biometric data in the Unified Biometric System and commercial biometric systems – substitution, deletion, unauthorized access, etc. The new order temporarily excludes from the lists threats related to “terminal devices of information systems that ensure the functioning of the checkpoint.” The Federal Law on Biometrics (No. 572) stipulates that when processing it, security measures against threats must be used, including cryptographic protection. The Ministry of Digital Development and the Center for Biometric Technologies did not respond to requests.

Some devices for biometric access control are not designed to use domestic cryptographic protection class KS1, as required by law, VisionLabs CEO Dmitry Makarov explained to Kommersant: “For some terminals manufactured in China and running Linux, there is no ready-made software modification with the ability to install domestic CIPF (means of cryptographic information protection.— “Kommersant”)”. Replacing devices, he said, would require too much financial investment.

The deferment will help the business “prepare to meet the requirements without stopping the access control system,” Mr. Makarov believes.

According to the President of the National Fitness Community, Elena Silina, the re-equipment costs 1.5–2 million rubles. for a fitness club: “It also takes time to implement it, test and integrate information systems – this process takes at least six months.”

The postponement is “really necessary,” notes Irina Troska, director of franchising and development at XFIT: “We are currently testing several alternative access systems that ensure the safety of customers and meet their expectations, and only after choosing the optimal option will we be able to refurbish the clubs.”

At the same time, Kommersant’s source in the biometric systems market claims that the delay is not related to the equipment: “Business needs more time to bring the entire cycle of transfer and processing of biometrics into compliance with current legislation.” Some market players, according to Olga Kiseleva, president of the Association of Fitness Industry Operators, decided in principle to abandon the collection and use of biometric data: “The new rules suggest that the client must agree to transfer his biometric data, but only 20–30% are ready for this. visitors.”

Yuri Litvinenko, Alexandra Mertsalova