Brief excerpt from the draft law on amendments to the Federal Law of July 27.07.2006, 152 N 152-FZ "On Personal Data" (152-FZ). With these amendments, XNUMX-FZ will "allow trading" Big Data, strengthen the rights of the operator of personal data. It may be interesting for readers to pay attention to key points. For a detailed analysis, of course, it is recommended to read .
As stated in the explanatory note:
The bill was developed in pursuance of paragraph 01.01.003.002.001 of the action plan in the direction of "Regulatory regulation" of the "Digital Economy" program, approved by the Government Commission on the use of information technologies to improve the quality of life and business conditions on December 18, 2017, protocol No. 2.
What seems to be the most interesting?
(Below in the text in the references everywhere we mean 152-FZ)
- We meet "Anonymous data".
"Anonymous data" is not equal to "Anonymous personal data". "Anonymized data" is identical to anonymized personal data, described for example in the context of GDPR.
- Another consent is born: to the processing of personal data that is incompatible with the purposes of collecting personal data (part 2 of article 5 is supplemented).
- The processing of personal data will now be allowed to prevent property damage, prevent and prevent unlawful acts (change in clause 7 of part 1 of article 6) and to achieve socially significant goals (clause 7.1 of part 1 of article 6 is supplemented).
- In paragraph 9, part 1, art. 6 “or other research” are changed to “research and (or) analytical” (an important point, we will return below).
- New basis for processing in Part 1 of Art. 6 "12) the processing of personal data obtained by the operator on legal grounds is carried out in order to obtain anonymized data." Here, the processing of data depersonalization is legalized without the participation of the subject of personal data.
- Added Art. 8.1., which allows civil - legal circulation of depersonalized personal data. Those. data can be used for commercial purposes, sold to third parties. For statistical, research and (or) analytical purposes, the consent of the subject is not required.
- If “anonymity” is lost during the processing of anonymized personal data, consent can not be asked later (but you will have to find a legal basis). This is indicated by the added "(or)" in the phrase "... is carried out with the consent of the subject of personal data and (or) in the presence of the grounds specified in clauses 2-11 of part 1 of Article 6 ...".
- Anonymized data can be used freely without the consent of the subject (changes under part 4 of article 8.1).
- The requirements and methods of depersonalization are assigned to the level of the Government of the Russian Federation.
- The forms for obtaining personal data under Part 1 of Art. 9, electronic forms of obtaining consent are formally legalized: SMS, a form on the website, and other methods.
- The subject of personal data will have the opportunity to change the composition of the purposes of processing personal data stated in the (single) consent. Here the principle is canceled: "One goal - one consent." Corresponding changes to the association of goals are made in Part 4 of Art. 9. If the personal data operator refuses to make a change to the consent, the reasoned refusal can be appealed to Roskomnadzor.
- According to part 4 of Art. 9, the signing of consent in electronic form is simplified, now instead of “in the form of an electronic document signed in accordance with the federal law with an electronic signature”, it is planned as follows: “signed in accordance with the federal law with an electronic signature or confirmed in any way that allows you to reliably identify the subject of personal data and establish his will."
- In fact, the informally existing practice of publishing on the website a list of third parties processing personal data is legalized.
According to the Privacy Experts Telegram channel ():
The draft law contains broadly interpreted concepts. For example, “prevention and prevention of illegal acts” or “publicly significant goals”.
At the same time, the draft law does not contain decisions if, as a result of processing the aggregate data, it becomes possible to assign individual personal data to a specific subject.
It can be seen that the situation of the subject of personal data is deteriorating, at the same time, risks for the operator of personal data associated with documenting the processing of personal data for new types of processing are not excluded.
It is not clear in what order data should be deleted when changing the purposes of processing in the Unified Consent.
The explanatory note ends with an indication that the bill complies with the provisions of the Treaty on the Eurasian Economic Union dated May 29, 2014, as well as the provisions of other international treaties of the Russian Federation, and will not affect the indicators of state programs of the Russian Federation and their results.
Source: habr.com