GDPR protects your personal data very well, but only if you are in Europe


Comparison of approaches and practices of personal data protection in Russia and the EU

In fact, almost any action a user performs on the Internet involves the handling of that user's personal data in one form or another.

We do not pay for many of the services we use on the Internet: searching for information, e-mail, storing our data in the cloud, communicating on social networks, and so on. However, these services are only nominally free: we pay for them with our data, which the companies then monetize, mainly through advertising.

Today, data on gender, age and place of residence, together with search history, form the backbone of an online advertising industry worth billions of dollars and euros. From a legal point of view, then, personal data is raw material for doing business. Accordingly, companies make great efforts and spend a lot of money to obtain and process personal data. Surveys conducted in 2018 show that users, realizing the value of their personal data, are becoming more and more dissatisfied with the way companies treat it.

Regulation of the use of user data is still immature and lags behind the development of technology, not only in Russia but throughout the world. As a result, the balance of interests between consumers and companies in the "money-service-data-money" model is set today both by regulators and by tacit agreements between society and companies. Regulators limit the capabilities of IT companies and expand the rights of users: they introduce new laws that give users more control over the information they provide.

It is interesting to compare the approaches of regulators in European countries and in Russia. In Russia, the main regulations governing the handling of personal data are the Federal Law on Personal Data (152-FZ) and the Code of Administrative Offenses, which directly sets specific fines for violating the procedure for handling personal data. Administrative fines increased significantly from July 1, 2017, and new fine levels were set depending on the type of offense. Thus, officials can be fined from 3000 to 20 rubles, individual entrepreneurs from 000 to 5000 rubles, and organizations from 20 to 000 rubles. Moreover, liability can arise for several different offenses at once, so for different violations several separate fines can be imposed on one company. But liability is provided precisely for non-compliance with formal requirements, for example when the required paperwork is missing. This is not always directly related to the real protection of information. For example, a leak in and of itself is not grounds for punishment unless other laws are violated. Interestingly, a significant number of the violations identified in the field of personal data handling fall under Article 15 of the Code of Administrative Offenses of the Russian Federation: "Failure to submit, or late submission to, the state body (Roskomnadzor) of information whose submission is prescribed by law and is necessary for that body to carry out its lawful activities." It is notable that much greater liability is provided not for violating the procedure for handling personal data (as mentioned above, on average 000-75 thousand rubles), but for failing to provide (or delaying, or incompletely providing) information about the procedure for handling personal data to Roskomnadzor, which is subject to a fine of up to 000 rubles. That is, in Russian legislation and in the practice of its application, the prevailing attitude is "the main thing is that the suit fits": the state bodies' need for various reports is satisfied, while the real rights of users and the security of their personal data on the Internet are poorly protected. The level of fines bears no relation to the benefits some companies gain by violating the rules on handling personal data on the Internet, and it does not encourage compliance with those rules.

In the EU, the picture is somewhat different. Since May 2018, the handling of personal data in Europe has been governed by the rules for processing personal data established by the General Data Protection Regulation (EU Regulation 2016/679 of April 27, 2016, or GDPR). The regulation has direct effect in all 28 EU countries and gives EU residents full control over their personal data. Under the GDPR, citizens and residents of the EU have very broad rights to control their personal data. European users have the right to request confirmation that their data is being processed, the place and purpose of processing, the categories of personal data being processed, the third parties to which personal data is disclosed and the period during which the data will be processed, as well as to learn the source from which the organization obtained the personal data and to demand its correction. Moreover, the user has the right to demand that the processing of his data be stopped.

Since May 2018, liability for violating the rules for processing personal data has taken the form of fines: under the GDPR, a fine can reach 20 million euros (about 1.5 billion rubles) or 4% of the company's annual global turnover.

The most important thing is that all of this works: companies violating the rights of users are held accountable, and very seriously. For example, on January 21, 2019, the French data protection authority (CNIL, the National Commission for Informatics and Liberties) decided to fine the American company GOOGLE LLC 50 million euros for violating the GDPR. The amount of the fine is very large, and it clearly shows the danger of non-compliance with GDPR requirements. What were they punished for? The French commission found that during the initial configuration of a mobile device running the Android (Google) operating system, the user does not receive full information about what Google does with his personal data. The company had not fulfilled its obligation to ensure the transparency of the processing of personal data and to inform the data subjects (Articles 12 and 13 of the GDPR). The retention periods for user data were not strictly defined. The company lacked the necessary legal basis for the data processing it carried out (Article 6 of the GDPR). Google was also accused of improperly obtaining users' consent to process their data for ad personalization.

Other examples include a €20,000 fine imposed by the German regulator LfDI on Knuddels, a dating chat app, and the case of the Portuguese Barreiro Hospital, which was found to have improperly managed access to sensitive personal data (a fine of €300) and to have violated data security and integrity (another €100). UK authorities issued a warning to a Canadian company engaged in analytical research: the company was ordered to stop processing the personal data of citizens or face a fine of 20 million euros. AggregateIQ, a Canadian digital marketing and software development company, was fined £17000000. A cafe in Austria was fined 5280 euros for illegal video surveillance (the camera captured part of the sidewalk). That is, an organization to which the GDPR applies cannot limit itself, in the domestic tradition, to drafting regulatory paperwork.

Incidentally, a peculiarity of the GDPR is that it applies to all companies that process the personal data of EU residents and citizens, regardless of where the company is located, so Russian companies should study this Regulation carefully if their services are aimed at the European market.

Source: habr.com
