The State Duma proposed a work plan to the government and the Ministry of Digital Transformation

Deputies of the State Duma at a plenary session on February 22, 2023 adopted a resolution with recommendations for the government and the Ministry of Digital Development, Communications and Mass Media, follows from the base of regulatory documents under consideration by the lower chamber. In particular, the Ministry of Digital Transformation was recommended to work out the issues of banning remote work for IT specialists, creating a national VPN service, and turnover fines for companies that have leaked personal data (PD).

These and other recommendations were collected based on the results of the speech of the Minister of Digital Development Maksut Shadayev at a meeting in the State Duma as part of the “government hour” in December 2022, follows from the materials of the chamber. This report was about the progress of digital transformation and ensuring information security in Russia. In mid-February 2023, the Committee on Information Technology, Communications and Mass Communications of the State Duma prepared a corresponding draft resolution.

The State Duma recommends that the Ministry, together with the Parliament, “work out the issue of banning remote work for IT specialists working with the development, implementation and administration of state information systems, information systems of critical information infrastructure facilities (CII), as well as with the circulation of personal data.” It was also proposed to consider the preparation of a draft law on compensation for harm to individuals by PD operators who leaked data, “including in a pre-trial (voluntary) manner.”

In addition, the State Duma considers it important that the Ministry of Digital Transformation, with the participation of IT companies, work out the possibility of creating, launching and coordinating a “national content delivery network (CDN)” by the department. And also “consider developing and launching a national VPN service.” The service is needed for “compatriots and other persons” to access Russian Internet resources blocked abroad.

The representative of the Ministry of Digital Development, commenting on the State Duma’s resolution, only noted that the deputies adopted the position on remote work from the ministry itself, “refusing the idea of ​​​​a total ban on remote work for IT specialists.” Employees employed at KII facilities and in state information systems (GIS) cannot work from abroad, the source explains. The ministry had previously proposed to prescribe this in government contracts, a representative of the Ministry of Digital Development noted.

“For IT professionals employed in other areas, decisions should be made only by the companies themselves. We oppose a total ban and believe that it will lead to negative consequences for our industry, ”the representative told Vedomosti.

The risks from the introduction of a ban for remote workers when working with personal data, GIS and CII are quite significant, warns the head of the employer brand promotion department at Auriga IT company Victoria Pluzhnikova. First of all, from the point of view of a potential reduction in the flow of applicants, she clarified. “Rather, it is worth looking towards creating a national system that allows you to work safely from anywhere in Russia,” the expert believes. According to Pluzhnikova, this could “significantly distinguish the Russian Federation in the global IT market.”

The resolution also made recommendations to the government. Among other things, it is recommended to amend the regulatory legal acts authorizing Roskomnadzor to conduct operational checks of companies, PD operators on the facts of information leaks.

“Additional changes to government acts are not required,” a representative of Roskomnadzor told Vedomosti. He explained that on February 4, 2023, the government had already authorized unscheduled inspections in the event of a leak of PD from Russian organizations. In general, “unscheduled inspections can be carried out only in case of significant threats to life and health, as well as at the request of the prosecutor, on behalf of the Prime Minister of the Russian Federation or the President of Russia,” he said.

The State Duma also recommends that the government develop and at the beginning of 2023 submit to the lower chamber draft laws that provide for amendments to the Code of Administrative Offenses on turnover fines for crimes when handling personal and biometric data, as well as the introduction of “criminal liability for illegal processing of biometric personal data” into the Criminal Code in case of corresponding socially dangerous consequences”.

Vedomosti sent a request to the government, but there they forwarded the questions to the Ministry of Digital Development.

Many of the proposals referred to in the State Duma resolution have already been discussed before. For example, in the autumn of 2022, the Ministry of Digital Development itself proposed compensation for data leaks, but Internet companies and banks were against it then, Vedomosti reported in November. The proposal for a content delivery system (CDN) was initiated in December 2022 by Anton Gorelkin, Deputy Head of the State Duma Committee on Information Policy (United Russia), reported RBC. According to the deputy, such a system should help domestic sites work faster.

The idea of ​​creating a national content delivery system remains one of the priority projects, without which it is impossible to achieve digital sovereignty, explains Mikhail Shurygin, CEO of EdgeCenter IT company. Such a solution will allow Internet services to balance traffic between providers, which will improve the quality of services provided, he explained.

The proposal for extrajudicial compensation in the event of PD leaks is an excellent initiative, says Vladimir Ulyanov, head of the analytical center at Zecurion. But it is not yet clear how the mechanism of these deductions can be arranged. “Will compensation be automatically awarded to all potential victims or only to those who apply themselves? Who will initiate the process? Finally, how can the victim prove the operator’s guilt, that it was he who leaked?”, the expert asks. He also recalled that now organizations often refuse to acknowledge the fact of a leak, explaining that the data was allegedly collected from open or third-party sources. The mechanism for calculating compensation is also unclear, the expert added.

But if such a law is eventually adopted, it will help companies take a more responsible approach to the system of protecting personal data, Ulyanov believes. “Now the introduction of leakage protection is not always cost-effective. It is cheaper to make a statement that the data was leaked from another source, ”he concluded.