Civil law qualification of personal data

Chernyshenko Il'ya Gennad'evich ORCID: 0000-0003-4066-8446 Student, Financial University under the Government of the Russian Federation 105187, Russia, Moscow, Shcherbakovskaya str., 38 cheig@inbox.ru Other publications by this author

Barkova Alina Vasil'evna ORCID: 0000-0001-9470-3070 PhD in Law Associate Professor, Department of Legal Regulation of Economic Activity, Financial University under the Government of the Russian Federation 38 Shcherbakovskaya str., Moscow, 105187, Russia rav6232551@mail.ru Other publications by this author

When considering the civil nature of personal data, it is important to focus on the fact that the concept of the object of subjective civil law is identical to the concept of the object of civil law relations.

Personal data occupies a central place within the legal framework and is a collective category. This data is information that identifies an individual or makes them identifiable. In today's society, where digital technologies are becoming more widespread, the collection and processing of personal data is an integral part of many aspects of modern legal relations.

It is worth noting that Russian legislation still has the problem of qualifying certain information about a person as personal data, the problem of their appearing in close relationship with civil relations, the differentiation of categories of private or public law in the context of relations in the field of personal data. These issues have already been partially addressed in the works of such leading experts on the topic of research as: L. K. Ostrikova, E. V. Talapina, A. I. Savelyev, etc.

The position of the author of this article is as follows: personal data in Russia, indeed, are an object of civil subjective law, although they are not directly named in Article 128 of the Civil Code of the Russian Federation.

In order to prove that a citizen's personal data is an object of civil relations, it is advisable to start by considering the content of Article 23 of the Constitution of the Russian Federation, since it establishes the fundamental constitutional right of citizens to inviolability (hereinafter referred to as confidentiality) of private life, which in turn is protected by civil law in accordance with Article 152.2 of the Civil Code of the Russian Federation.

The wording of article 23 of the Constitution of the Russian Federation provides a constitutional and legal basis, including for the protection of personal data of a citizen. Firstly, the content of this article is aimed at protecting privacy and related elements. Data such as name, address, phone number and other identifying information (hereinafter referred to as personal data) are an integral element of a person's private (private) life. Secondly, the right to secrecy, as well as the right to confidentiality, includes a mechanism to protect against illegal access and use - the protection of this right is regulated by the legislation on personal data. Thirdly, personal data may also include information transmitted as part of personal correspondence and in the process of communication (by e-mails, messages in messengers and in telephone conversations) - this is one of the components of a person's private life, therefore, its inviolability implies data protection. Fourth, the basic law on personal data supplements the constitutional norm by specifying how personal data should be used and processed.

Another argument in defense of this position can be presented on the basis of the Ruling of the Constitutional Court of June 9, 2005 No. 248-O "On the refusal to accept for consideration the complaint of citizens Zakharkin Valery Alekseevich and Zakharkina Irina Nikolaevna for violation of their constitutional rights by paragraph "b" of Part three of Article 125 and part three of Article 127 of the Penal Enforcement Code Of the Russian Federation". Thus, the Constitutional Court determined that the concept of privacy is associated with the ability guaranteed by the state to control information about oneself, to prevent the disclosure of personal, intimate information. Personal data includes just the same personal and intimate information, such as: information about health, marital status and much more. Citizens' control over information about themselves and the protection of information about their personal lives from illegal or unauthorized disclosure are the tasks of personal data legislation.

The qualification of personal data as an object of civil law relations is necessary, first of all, to expand the possibilities (methods) of legal protection and more comprehensive regulation of personal data of citizens in the relationship of civil law with other areas of legal relations.

In addition, the need for the legal consolidation of such an object as personal data in civil law can be indirectly expressed from the problem of their place in the system of Russian legislation, indicated by L. K. Ostrikova ^[5]. The consolidation of personal data in civil legislation will bring legal certainty to their legal regime.

An array of personal data can be included in the subject of civil law contracts, in particular, including a service agreement and its varieties. In the context of a service agreement, personal data may appear in the following structures:

1) the personal Data Processing Agreement (DPA), which regulates the relationship between the personal data subject and the data operator. The data operator undertakes to process the data on behalf of and at the direction of the data subject. This agreement implies the transfer of an array of personal data to the operator in order to perform certain tasks in the future;

2) an array of personal data may be involved in a contract for the provision of a specific type of service, where the data processing itself carries a functional load. In this case, the personal data will be used to provide a certain service (for example, in the process of processing a request, providing support), and data processing obligations will be included in the terms of the contract;

3) a contract concluded with cloud service providers. Organizations use cloud services in the form of data warehouses, they enter into contracts with service providers. Such agreements provide for conditions regarding the processing of personal data, if such data is transferred to the cloud. Organizations often use this contractual structure when renting server space from a provider in order to transfer customer data to the server for subsequent storage and processing.

In any of the above cases, the agreement regulates issues related to the processing of personal data, including the purposes of processing, retention periods, security measures and responsibilities of the parties. Therefore, the legal consolidation of personal data in civil legislation will offset the risks in law enforcement practice associated with the ambiguity of interpretation of the terms of contractual structures listed above.

But it is important to point out that personal data should not be perceived in the classical sense of the object of civil turnover, they can only appear in the subject and other terms of the contract, but should not be its object in order to counteract the purchase and sale of information about the private life of a citizen and following the ethical principles of storing and processing personal data, in accordance with which citizens They must be sure that their data is used with respect for their privacy and does not become an object of trade.

However, Yu. E. Donnikov tries to distinguish situations when information about the private life of a citizen included in personal data may and may not be the object of civil turnover ^[1]. In particular, if we are talking about a non-property component (i.e., an intangible good), then personal data is not in civil circulation, and if it is about property, for example, for receiving payment for posing by a citizen to obtain his image, then personal data may well be present in civil circulation. Moreover, the said author, equating personal data with information, tries to legitimize their presence in civil circulation on the basis that information can be freely used and distributed in accordance with the Law on Information.

The author of this article categorically disagrees with the opinion of Yu. E. Donnikov in view of the following.

Firstly, based on one example, and incorrectly formulated, a general statement is given about the possibility of participation of all personal data in civil circulation, i.e. categories (types) of personal data are not specified, there is no distinction: which data could be in civil circulation, and which will never appear in it due to the provisions legislation on personal data.

Secondly, there is no differentiation between the image of an individual as an intangible asset and as an object of intellectual property (the property component in the relationship will be present only when transferring property rights to the so-called "posing for the purpose of obtaining an image"; most likely, the author of the article was trying to convey the idea not of obtaining an image of a citizen to solve any tasks or performance of duties, and for the purpose of carrying out photographic activities, but then the image will not be either a kind of information or an intangible asset, but must be qualified as an object of intellectual property).

Thirdly, there is no emphasis on restricting the civil circulation of personal data. This restriction applies to the following points in civil relations: the processing of personal data requires the voluntary and informed consent of the data subject; data can be collected and used only for certain legitimate purposes known in advance; only those personal data that are necessary to achieve the purpose of their processing and use are subject to collection; processing and protection of personal data must be carried out in compliance with confidentiality and security measures; data subjects must have the right to access their data at any time, to change, block or delete it. Therefore, personal data is not an object of free civil circulation, and, moreover, there is a category of personal data ("sensitive data") that cannot be in civil circulation at all, since their dissemination in civil relations will lead to a potential threat to the security of a citizen's private life. Such "sensitive data" (for example, fingerprints, medical medical history, etc.) may be of public interest, unrelated to private legal relations.

A. I. Saveliev in his scientific work comes to the conclusion that ^[7]: a) personal data does not meet all the criteria for recognizing them as an intangible good; b) in modern public relations, personal data is already commercialized, for example, when included in an employment contract with a coach or an athlete, the conditions for providing one of the following the employer has the right to use the image, surname, etc. data or when using the image of little-known persons in promotional videos, in photographs when designing websites, etc.; c) it would be possible to recognize personal data as other property. Regarding the above opinion, it is necessary to express an unequivocal disagreement with the legal logic of the study of this issue.

Firstly, in the context of the legal protection of a citizen's personal data, considering them from the standpoint of an absolute or relative nature for the subsequent allocation of data as an intangible good is devoid of practical legal significance. The absolute nature of intangible goods is nothing more than an abstract theoretical concept used for scientific research. It is important to focus on complex legal relations, where differences in the characteristics of the same object, in its regulation, are a completely common, frequent and logical phenomenon that reflects the diversity and complexity of the legal regime, its actions in different legal situations.

Secondly, the use of personal data (even de facto) as the direct object of a contractual obligation is unthinkable and does not correlate with the concept of current civil legislation. Personal data should not be regarded as a commodity that can be freely alienated in any civil transaction for a number of reasons: this will undermine the principle of respect for privacy and confidentiality, entail contradictions in the established mandatory requirements for data processing, ensuring their security, and increase the risk associated with data abuse by the counterparty (for example, to their illegal sale, unfair use for other purposes), this does not meet the purpose of the basic legislation on personal data – enhanced protection of the interests of data subjects (the "owner" of data).

Thirdly, the qualification of personal data as other property under Article 128 of the Civil Code of the Russian Federation will entail an incredible number of legal risks in law enforcement, some of which have already been indicated above. For example, this does not correlate with specific requirements for the processing and protection of personal data, may raise concerns about the possibility of using data without the consent of the data subject, etc. From the point of view of the non-legal aspect, treating a citizen's data as property will cause semantic inconsistency (personal data have special properties and value, special significance - they cannot be adequately reflected by the concept of "property"), will violate all ideas about high ethical standards in the public environment.

E. V. Talapina raises a serious question about the distinction between private and public in the case of legal protection of personal data, comes to the fair conclusion that the protection of personal data of a citizen has an intersectoral character, exposed in public law data protection and in the implementation of subjective civil law ^[10].

Discussing the blurring of the boundaries of private and public in the regulation of personal data protection, she explores foreign experience. For example, German personal data legislation contains a unitary regulatory approach with the difference between private and public erased. There is an example of regulation in US law where the lines between private and public law intersect: there are a number of federal laws, such as the Law on the Protection of Personal Data in the Field of Healthcare (HIPAA) and the Credit Report Control Act (FCRA), which regulate the processing and protection of personal data of citizens both in the sector of private companies and and in the sphere of activity of state and municipal organizations controlled by state structures.

The author of the article proposes to distinguish between the elements of private and public law in the field of collection, storage, use and processing of personal data. Regarding the subject composition: personal data is the object of private relations only between a citizen and organizations, in rare cases – a citizen and a citizen, while public legal relations will link the activities of the state, its authorized bodies with citizens.

Let's move on to the differentiation by object. Public legal relations in the field of personal data should include: the development of normative legal acts regulating the processing of personal data; monitoring and supervision of compliance with legislation on personal data; collection and processing of personal data by interested bodies without the consent of personal data subjects (compliance with the condition of obtaining the consent of the subject to data processing is the moment of transition of relations to private law the plane).

The author admits the interconnection and complementarity (i.e. blurred boundaries) of private and public only if citizens protect their intangible benefits. This will expand the scope of control over their data and increase the flexibility and effectiveness of protecting citizens from leaks, illegal processing and abuse of their personal information, regardless of whether the data is processed in the private or public sector. In addition, this approach will make it possible to better take into account the modern realities of the digital environment and technological changes, harmonize legislation in the field of personal data protection and strengthen transparency, responsibility of organizations and the state related to data processing and protection.

Thus, the Ninth Arbitration Court of Appeal in case A40-597/2019 considered, in the framework of the bankruptcy case, the legality of the video recording by the sole creditor of the creditors' meeting, as well as the possibility of invalidating the decision of the creditors' meeting based on this fact. The court of appeal found the arguments of the manager to be correct about exceeding the limit of competence of the sole creditor at this meeting and violating the right expressed in not obtaining the consent of the creditors' meeting to videotape on the basis of Article 6 of the Law on Personal Data when processing (hereinafter referred to as records) identifying information (for example, information about the financial condition of the debtor, his property status).

Filing a cassation appeal against this decision, the only creditor included in it the argument that the court should have been guided by Article 152.1 of the Civil Code of the Russian Federation in resolving the case regarding the video recording of a citizen at a public event, at a creditors' meeting, in this case, the creditor considered that the recording was carried out lawfully. The Court of cassation instance, refusing to transfer the cassation complaint for consideration at a court hearing, indicated that the arguments of the applicant of the cassation complaint, i.e. the sole creditor, on the admissibility of video recording of the creditors' meeting, including the application of Article 152.1 of the Civil Code of the Russian Federation, are legitimate.

This case is very controversial and ambiguous from the point of view of the correlation of bankruptcy proceedings as a private-public category with the application of public law legislation to it (within the framework of the norms of the Law on Personal Data) or private law (civil) legislation (within the framework of Article 152.1 of the Civil Code of the Russian Federation), or in general the subsidiary application of these provisions of two different in their nature the legal nature of normative legal acts. The author believes that in such a situation, subsidiary (complex) regulation should not be applied due to the fact that public interest prevails in bankruptcy relations, which is even minimally justified by the participation of the supervisory authority in the creditors' meeting, hence it follows that the application of the norm of the Civil Code of the Russian Federation is unacceptable in contradiction to the essence of the relationship. It is also unacceptable to apply the norms of the Civil Code of the Russian Federation due to the fact that it is not about a specific citizen, not about a video recording of a public event, since the creditors' meeting does not meet the criteria of a public event within the meaning of Article 2 of Federal Law No. 54-FZ of 06/19/2004 "On Meetings, Rallies, demonstrations, marches and picketing."

The recognition by the Supreme Court of the Russian Federation of the applicant's arguments as sound, the expression of agreement with them is the lack of understanding by the court of the difference between personal data as a complex, public and private legal category, the ambiguity of when a dispute should be comprehensively considered and resolved, and when the legislation of only one sphere (industry) is subject to application, in addition, very controversial and unmotivated the position of the court of cassation instance takes place in the absence of judicial practice on such similar issues.

The author of the article believes that the application of legislation on personal data in close relationship with civil legislation is possible only in cases where two heterogeneous legal relations do not contradict each other in the context of the content of legal norms: conceptual apparatus, subject composition, and other elements.

Thus, the author of the article is a proponent of comprehensive intersectoral legal regulation of personal data due to the multiplicity and diversity of emerging legal relations regarding them. The need for such a regulatory mechanism is due to the search for a balance between private and public interests, especially in terms of protecting the rights of data subjects, and the practical needs of data processing for commercial and other purposes. At the same time, the comprehensive legal regulation of personal data should not contradict the content of one of the types of legal relations included in it.

The author is most inclined to the option of separate consolidation of personal data in the Civil Code of the Russian Federation as one of the aggregate objects of intangible benefits. At the same time, the need to consolidate personal data in the Civil Code of the Russian Federation is caused by solving critical tasks of increasing the level of protection of the rights of data subjects, ensuring transparency and predictability of their legal regime in the context of civil relations, strengthening law and order and effective suppression of offenses in the light of the growing trends in the development of information technologies and digitalization in general.