Public and private data. Analysis of the "data leak" case with Avito


Two weeks ago a database of 600 customers of the Avito and Yula services, containing real addresses and phone numbers, appeared on forums. The databases are still freely available; anyone can download them. Imagine how many people have already downloaded the database intending to send spam or, worse, to phish users' payment card details. The forum administration does not delete the databases, because it sees no problem in this situation, let alone a violation, and says that this is not theft of personal data but the collection of open data.

The news of a data breach is no longer surprising.

July and August 2020 were jam-packed with news of TikTok being banned for unauthorized data collection. My task, however, is not to surprise but to understand the issue, and to keep the promise I made to one of Habr's readers. By the way, my name is Vyacheslav Ustimenko, and I wrote this article together with Bella Farzalieva, an IT lawyer from the international law firm Icon Partners.

Why is it important

The issue of the protection and processing of personal data gains momentum every year. The protection of personal data is about a person's freedom of choice, the culture of society and democracy. An independent person is hard to manage, difficult to deceive and impossible to copy. This idea underlies the well-known data protection regulations in the EU (GDPR) and the USA (CCPA). I ran a survey on my personal Instagram account, and even lawyers (90% of my subscribers) turned out to be poorly versed in data protection issues.

The question was: "Which of the following is personal data."
I am attaching a screenshot of the survey results.

The correct answer was chosen by about 20% of those who voted.

[screenshot of the survey results]

PS: The fact that I am from Ukraine while the article is about the laws of the Russian Federation should not confuse you, dear readers, since the expertise of an IT lawyer cannot be limited to one country.

What is personal data in the Russian Federation

The definition of personal data in the Federal Law does not differ much from the European or Ukrainian one, which I wrote about in a previous article.

Personal data is any information relating directly or indirectly to a specific or identifiable natural person; in other words, any data by which a person can be identified.

In Russia, the use and protection of personal data is regulated by many documents, in particular, 152-FZ "On Personal Data", 149-FZ "On Information, Information Technologies and Information Protection", the Code of Administrative Offenses, the Criminal Code of the Russian Federation, the Labor Code of the Russian Federation and the Civil Code of the Russian Federation.

Open personal data. What kind of animal is this?

# Look at the situation through the eyes of the user

Perhaps readers have not yet thought about how personal data can be open, because "personal" sounds private and "open" sounds public.

At the same time, the nagging feeling after yet another conversation with a telephone salesman never goes away: "how did he get my number", or "what is this strange call from a stranger who knows more about me than necessary".

So, users who put something up for sale on Avito should not be surprised that they ended up in hacker databases, received spam emails, or got an incomprehensible call from scammers or "cold callers".

In such a situation you can only blame yourself, because ignorance of the law does not exempt you from responsibility.

Everything that a user has posted about himself for public consideration, that is, on the Internet, becomes public, in other words open data, and can be stored, distributed and used without the user's consent.

Confirmation from legislation
Part 1 of article 152.2. Civil Code of the Russian Federation.

Unless otherwise expressly provided by law, the collection, storage, distribution and use of any information about a citizen's private life, in particular information about his origin, his place of stay or residence, and his personal and family life, is not allowed without the citizen's consent.

The collection, storage, distribution and use of information about the private life of a citizen in state, public or other public interests, as well as in cases where information about the private life of a citizen has previously become publicly available or was disclosed by the citizen himself or at his will, is not a violation of the rules established by paragraph one of this clause.

Another confirmation
Clause 4 of Article 7 of the Federal Law of the Russian Federation No. 149-FZ “On Information, Information Technologies and Information Protection”.

Information posted by its owners on the Internet in a format that allows automated processing without prior modification by a person, for the purpose of its reuse, is publicly available information posted in the form of open data.

# Conclusion

The Avito administration rightly claims that the database on the hacker forums consists entirely of public information that is available on its website and can be collected by parsing (automatic collection of information using special programs), so there is no question of any data leak. Whether the data is then used for legitimate purposes is another question, and one that should certainly not be addressed to Avito.

If you do not want someone to compile, evaluate or use your consumer profile, leave less information about yourself on public resources.

Below is a funny (but not accurate) comment from a forum.

[screenshot of the forum comment]

# Let's look at the situation through the eyes of business

Let's take the same Avito as an example and consider the following questions:

  • whether the site is a personal data operator,
  • whether it is obliged to obtain consent to data processing and to notify Roskomnadzor for inclusion in the register of operators,
  • whether Avito will really go unpunished.

In the "data leak" situation, Avito really has nothing to do with it. One can imagine Avito as a fence on which the user wrote "SELLING GARAGE" and indicated his name, phone number or other contact information, and then began to resent that the data is known to, copied or used by everyone who passed by the fence.

Confirmation from legislation
Article 10 of Law No. 152-FZ.

A company or individual who has received the client's written consent to data processing becomes an operator of publicly available personal data; however, the legislation imposes minimal requirements on the protection of publicly available personal data (more simply, open data) compared with other categories.

Another confirmation
Paragraph 4 of part 2 of article 22 of the Law "On Personal Data".

The operator has the right to carry out, without notifying the authorized body for the protection of the rights of subjects of personal data, the processing of personal data made public by the subject of personal data.

# Conclusion

Avito is a personal data operator. As for the Roskomnadzor notification, there are exceptions in the law, but they do not apply to Avito, since this site collects and processes not only publicly available data. If the site worked only with open data, there would be no need to notify and register with Roskomnadzor. Avito is innocent, and therefore there will be no punishment.

Data can be leaked or legally obtained not only from marketplaces, but also from any site, from mobile operators, from social networks, banks and registries; it can be extracted from a sequence of mobile transactions made with a bank card or through hidden functions of smartphone applications. There are a million options.

By the way, everyone knows that Habr is not a forum, but there is an opportunity for commenting, and the purpose of the article is not to surprise, but to understand the issue.

Question

In the realities of 2020, should you be careful about posting personal data on the Internet and do as the ridiculous comment above suggests, should new legislative acts be introduced, or has a new era simply arrived in which we should come to terms with the public availability of open data?

Source: habr.com
