Comparison: GDPR vs. Russia's Federal Law on Personal Data
Governments around the world are increasingly focusing on the Internet: they work to control media piracy, propaganda, and the distribution of prohibited goods. The use of the Internet in every sphere of life, and the volume of personal data it now holds, has given rise to a very important trend: the protection of the personal data (PD) of individuals. The desire of the state to regulate this area is quite natural. In this article, we compare the Russian and European approaches to protecting the individual's right to privacy.
Laws and Regulations in Russia and the EU
The main documents regulating work with personal data are the Russian Federal Law No. 152-FZ, adopted in 2006, and the European General Data Protection Regulation (GDPR), which entered into force on May 25, 2018.
Russian legislation defines personal data as any information relating directly or indirectly to an identified or identifiable natural person (the PD subject). There is also the concept of a PD operator: the individuals and organizations involved in PD processing. Processing is any action performed on personal data.
The terms introduced in the GDPR are very similar, but there are also serious differences. For example, the definition of personal data and its characteristics is much broader in the GDPR, which is intended to remove any ambiguity about whether a given piece of information qualifies as PD. Where 152-FZ has the single concept of a PD operator, the GDPR distinguishes between a "controller" and a "processor". Under the GDPR, the controller determines the purposes and means of the processing, while the processor carries out the processing on the controller's behalf.
Basic differences between 152-FZ and GDPR
When dealing with personal data, you must ensure that it is correctly processed and protected. The organization is obliged to appoint a person responsible for the processing of personal data; this requirement is common to the Russian and European regulations. In the GDPR this is the Data Protection Officer, who reports directly to the top management of the company; in contrast to 152-FZ, however, this role can be entrusted to a third-party contractor (a legal entity).
In Russia, organizations are obliged to bring their personal data processing into compliance with the legislation of the Russian Federation: to create and deploy protection systems and to notify Roskomnadzor. They must obtain consent from PD subjects (including for transfers of their PD to third parties) and prepare and publish the relevant policies on their website. In addition, under the localization law 242-FZ, databases of personal data must be located on the territory of Russia.
The GDPR does not require that personal data be stored within EU countries. Although the European regulation overlaps in many ways with the Russian legislation, there are serious differences regarding the cross-border transfer of PD: under the GDPR it is permitted only to those countries that, in the view of the European Union, protect personal data adequately.
Under 152-FZ, cross-border transfer is permitted to all countries that have acceded to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as to a number of states outside the Convention that are recognized as providing adequate PD protection.
Russian legislation allows personal data to be collected only in the amount appropriate to the purposes of processing and to be stored only for the period those purposes require. Under the GDPR, the legal basis for processing PD is a contract, consent, a public interest, a vital interest, or a legitimate interest.
The requirements for protection
One of the key differences between the GDPR and 152-FZ is that the GDPR bases the protection of personal data on the risk of potential damage. If such damage (psychological, financial, or material) is both serious and likely, the processing may not be performed.
Russian legislation includes only the concept of a protection level for personal data. That level depends on the type and volume of the data and on the presence of undeclared capabilities in the system and application software. For each level, specific instructions are given on the use of certified protection means (FSTEC Order No. 21); the GDPR has no such by-laws.
Article 25 of the GDPR requires companies to build systems with personal data protection and privacy built in by default: the concept of "Privacy by Design & Privacy by Default".
The data controller is obliged to integrate data protection into all business processes (including product and service development) at the earliest stage of their design, and to maintain that protection continuously thereafter. For example, when developing a mobile application, the possible privacy risks must be analyzed and prevented, and mechanisms for managing such risks must be in place before coding begins.
According to this concept, the best way to reduce privacy risks is not to create them in the first place.
Penalties for violations
Roskomnadzor may inspect any organization based on the results of its systematic monitoring or following a complaint by an individual. There are also scheduled inspections, the list of which is published on the agency's website. Failing to notify Roskomnadzor that it is a PD operator will not spare an organization from inspection, nor will formally filling in template documents downloaded from the Internet: Roskomnadzor will check the information systems themselves and establish the real situation. Moving personal data into a cloud provider's 152-FZ-compliant secure cloud can help in part, but it must be remembered that the operator is the party that sets the purpose of processing and remains responsible for violations.
The consequences of a violation are quite serious: blocking of the organization's website, heavy fines for legal entities and officials, suspension of the company's activities for up to 90 days, and disqualification of an official from holding certain positions or engaging in certain activities for a period of 2 to 5 years. Uncertified information security tools may be confiscated, and the organization will of course suffer reputational damage.
Violations of the GDPR also carry liability. However, whereas in Russia offenders pay up to three hundred thousand rubles under the various articles of the criminal and civil codes, in Europe there is no fixed ceiling: fines may reach as high as 4% of the company's annual turnover.