
Legal Studies
Reference:

On the issue of state policy in the field of personal data protection

Marushina Valentina Andreevna

ORCID: 0009-0000-1646-1539

Master's degree; Institute of Law; Patrice Lumumba Peoples' Friendship University of Russia

10 Stalevarov str., Moscow, 111555, Russia

Valelenziya82@yandex.ru

Chugunov Daniil Konstantinovich

ORCID: 0000-0003-4506-8095

PhD in Law

Assistant; Law Institute; Patrice Lumumba Peoples' Friendship University of Russia

87k1 Udaltsova str., Moscow, 119607, Russia

daniilchugunov@icloud.com

DOI: 10.25136/2409-7136.2024.5.70842

EDN: LTSVRE

Received: 24-05-2024

Published: 09-06-2024


Abstract: The article is devoted to current changes aimed at improving legislation in the field of personal data protection. Within the framework of the issue under study, the authors analyzed a number of legislative and subordinate initiatives in order to assess the need to adopt the corresponding innovations and their subsequent implementation in law enforcement practice. The authors have studied in detail the provisions of draft legal acts and highlighted the issues that require additional specification. The paper considers measures of the state policy of the Russian Federation related to: 1) granting additional powers to law enforcement agencies in terms of access to information systems; 2) establishing requirements for storing and transmitting information; 3) tightening liability for the leakage of personal data; 4) additional ways to ensure the security of Russian information systems by reducing their dependence on foreign services. In considering this issue, the authors used general scientific and special scientific methods, in particular analysis, synthesis, legal forecasting and others. The novelty of the work lies in the study of changes that are planned to be made to regulatory legal acts in the near future; such provisions have not previously been covered in detail in legal science. As a result of the research, conclusions are drawn about the competent approach of the state authorities to modernizing regulation in the field of personal data protection, given the serious need to ensure the highest-quality protection of personal data. At the same time, the authors note some provisions that require improvement by law-making bodies because at the moment they are either abstract in nature or contradict existing legal norms.
It is assumed that in the future, after the introduction of these changes, it will be possible to assess their effectiveness already within the framework of law enforcement.


Keywords: personal data, government, protection, information systems, law enforcement agencies, sanctions, information, Russian services, fraud, responsibility

This article is automatically translated.

Introduction

Personal data, as an object of legal regulation, is, in accordance with Article 3 of Federal Law No. 152-FZ dated 07/27/2006 "On Personal Data", any information relating directly or indirectly to a specific or identifiable individual [1]. Such data needs a competent protection mechanism that helps preserve the confidentiality of the information and prevent its dissemination to third parties. Currently, in the context of the counter-sanctions policy of the Russian Federation, public authorities pay special attention to the protection of personal data because of the need to improve the procedures for processing it, including use, transfer, etc. The relevance of the study is due, firstly, to an increase in the number of hacker attacks on Russian Internet sites and information systems by unfriendly states, as well as an increase in the number of cases of fraud and leakage of personal data, and secondly, as a result, to the interest of the state, legal entities and individuals in protecting information, which becomes more vulnerable as the means of processing it on the Internet grow more complex.

The main part

1. In order to ensure the effective protection of a certain category of persons with the most significant personal data, for whom a special processing procedure is provided, the State has put forward an initiative to give law enforcement agencies access to state and other information systems containing data on a separate category of persons: employees of such departments. The bill was submitted to the State Duma of the Russian Federation in 2023, but at the moment it has passed only the first reading. This is due, among other things, to the fact that the text proposed in the original version requires appropriate amendments.

Since this innovation concerns the access of law enforcement agencies not only to public services but also to private services developed by companies, it will have a significant impact on the business sector. Despite the importance of the goal behind the changes, the proposed initiative was not supported by business representatives. This is explained by the fact that the information systems in which large companies store data about their customers (users) are often interconnected. Such a relationship and, consequently, interaction can take the form of data exchange, distributed execution of search queries and coordinated database changes [3]. Accordingly, in the view of business representatives, a special procedure under which employees of law enforcement agencies are given direct access to such information systems will violate the integrity of their functioning and expose businesses to the risk of violating other laws [14]. Under the current version, it is assumed that departments will be able to gain remote access to personal data in a particular information system. In such situations, however, there is a risk that data (changes made by representatives of law enforcement agencies) will not be transmitted between information systems, which will lead to their disconnection and therefore threaten their smooth operation. It is also worth noting that remote access to a certain extent increases the risk of personal data leakage, because such information will be disclosed to a large circle of technical specialists who have access to the databases and who will see the changes being made.

In order to avoid the above-mentioned risks, a slightly modified mechanism is currently being considered under which, in accordance with a Decree of the Government of the Russian Federation, law enforcement agencies will have access not to the entire information system, but to separate "fields" of information databases. At the same time, it seems appropriate to note that, from the technical side, implementing this procedure will require an additional set of actions and serious technical and financial costs, which will also affect how efficiently the mechanism in question can be introduced.

Credit institutions, in particular, are also concerned that, if this law is adopted, information about employees of the Ministry of Defense, FSB, FSO, etc., who hold bank accounts may be subject to editing or even deletion by the special services. This may lead to a conflict between the proposed amendments and the requirements established by the Federal Law "On Countering the Legalization (Laundering) of Proceeds from Crime and the Financing of Terrorism" dated 08/07/2001 No. 115-FZ and the Federal Law "On Banks and Banking Activities" dated 12/22/1990 No. 395-1, since the text of the bill does not imply amendments to these acts. In addition, the question arises of how bank secrecy can be enforced in cases where law enforcement agencies are able to access personal data, as well as process it. Thus, in our opinion, the amendments to the draft law under consideration need to take into account the relevant provisions related to banking activities and provide a way to overcome the conflicts mentioned. Similar contradictions may arise in the field of communication services.

Given the specifics of the legal regulation of personal data protection [4], we believe that the following is worth noting: the draft law proposes to oblige information system operators to identify information about the departmental affiliation of employees [10] of law enforcement agencies and inform the relevant departments about it; however, what is specifically meant by such information is not specified. The currently available version of the draft law does not specify exactly what information should be reported to the departments, whether the list of such data is closed, etc., which in the future may cause legal uncertainty in this matter. It follows from the above that, given the importance of the proposed changes, additional adjustments should be made when establishing a special procedure for processing the personal data of law enforcement officers, in order to avoid collisions or gaps in the legal regulation of the area under consideration.

2. We will pay special attention to the issue of personal data storage by the organizers of information dissemination (hereinafter – ORI) and its transfer at the request of law enforcement services. After the adoption of the package of anti-terrorist amendments (the "Yarovaya Law"), ORI are required to store information about the facts of receiving, transmitting, and delivering <...> user messages [8], as well as information about these users, for one year. The list of information to be stored and provided to law enforcement agencies is fixed in the Decree of the Government of the Russian Federation dated 09/23/2020 No. 1526 and has recently come to include not only the user's registration data, but also data on their geolocation and means of payment. Thus, on the one hand, certain additional means of "monitoring" the actions of users appear; on the other hand, the expansion of the list of information to be stored is associated with the need to increase the effectiveness of operational investigative activities to ensure public safety. For the same purpose, it is planned to supplement the list with data on the user's network addresses and ports and the network addresses and ports of the Internet communication service [11]. At the same time, it is worth noting that the legislation does not define the concept of "network port", while Federal Law No. 149-FZ dated 07/27/2006 "On Information, Information Technologies and Information Protection" contains a definition of "network address", so the use of the latter concept in the by-law does not raise additional questions. In general, thanks to access to network addresses and ports, special services will be able to identify by IP address and port a user who posted illegal information or committed other illegal acts, especially in conditions of sanctions pressure from unfriendly countries, and protect users' personal data from acts of fraud on the network.
Note that, in our opinion, these changes will have a positive impact on crime detection statistics and to some extent facilitate the search for criminals.

3. In view of the frequent cases of leakage of personal data, as part of the analysis of government policy measures, we focus on changes in a number of provisions concerning liability for violation of the procedure for processing personal data. At the moment, the legislation sets the maximum fine for the leakage of personal data for legal entities at 100 thousand rubles. However, the sanctions established in Part 1 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation (hereinafter – the Administrative Code of the Russian Federation) do not take into account the severity of the consequences that such leaks entailed, although those consequences may be completely different. In general, this may violate the principle of proportionality of punishment to the offense committed, and therefore the provision requires additional specification.

In connection with the above, we note that the need to establish a gradation of liability depending on the volume of so-called "leaked" information is already being discussed at the legislative level. In addition, for repeated violations by legal entities of the requirements for the processing of personal data that resulted in leakage, the state plans to introduce turnover fines, which are not a fixed amount or a range set for everyone, but are expressed as a percentage of the total revenue received from the sale of all goods (works, services) for the calendar year preceding the year in which the administrative offense was revealed [11]. Of course, the proposed changes regarding administrative penalties are indeed quite harsh; however, we believe that the establishment of such fines will have a preventive effect on personal data processing operators. Companies that do not want to lose a significant part of their income will monitor compliance with personal data requirements more responsibly, which will help reduce the number of leakage cases.

It is quite logical that the changes concerning the introduction of turnover fines have caused a mixed reaction among representatives of the business sector. For example, Sberbank currently supports the idea of imposing such fines only in exceptional cases, arguing that the proposed innovations do not differentiate the objective element of the administrative offense according to the nature of the actions of the data operator [15]. Other banks, on the other hand, believe that the introduction of turnover fines in the amount of up to 500 million rubles is unjustified. It is worth noting that the measure in question, if adopted, can on the one hand contribute to achieving the goal set by the legislator: such serious sanctions will motivate organizations to ensure proper processing of personal data, which will significantly reduce the likelihood of its leakage. On the other hand, it can negatively affect small and medium-sized businesses, for which the payment of such a fine may jeopardize their continued economic activity and existence in general.

4. Finally, it is advisable to highlight another measure of state policy: the requirement to switch to Russian authorization tools to ensure an appropriate degree of security in the context of countering international sanctions. With the entry into force of Federal Law No. 406-FZ dated 07/31/2023, amending Federal Law No. 149-FZ dated July 27, 2006 "On Information, Information Technologies and Information Protection", access to information posted on a website owned by a Russian legal entity or individual requires authorization by one of the methods prescribed by law. These include, in particular, authorization by mobile phone number or through a single identification and authentication system. According to Anton Gorelkin, Deputy of the State Duma of the Russian Federation, the purpose of such innovations is to reduce the dependence of the Russian segment of the Internet on foreign software solutions. This requirement seems to be extremely significant and is primarily due to the need to protect the data of authorized users from actions committed by unfriendly states aimed at undermining the information system of the Russian Federation. At the same time, such changes will require significant financial costs from companies, but the issue of stimulating the business sector to carry out this procedure is already being discussed. Thus, the Government of the Russian Federation is considering the possibility of providing preferential loans for the transition of organizations to Russian software in order to reduce the costs companies bear in complying with the obligation imposed on them by the state. Liability for non-compliance with this obligation has not been established at the moment. Business is thereby given the opportunity to implement the provisions of the legislation, but the introduction of such liability norms in the future is quite possible.
An important emphasis should be placed on the similarity of public and private interests in the issue under consideration, since both the state and private companies strive to ensure proper protection of personal data in their activities. And when the interests of business and the state coincide, especially in the context of sanctions pressure, the adoption of necessary changes seems to be a completely feasible step.

Conclusion

Thus, summing up all of the above, it is worth noting the following conclusions.

1. The state seeks to develop new mechanisms for the protection of the most significant personal data, with special attention paid to the procedure for law enforcement agencies to access the data of their employees. At the same time, in assessing the expediency of such innovations, it is noted that their implementation will require comprehensive technical support. In analyzing the specific legal norms of the proposed innovations, some aspects were noted that require additional refinement in order to avoid collisions and gaps.

2. The expansion of the list of information to be stored and transferred (upon request) to law enforcement agencies has a positive effect by assisting operational services in suppressing criminal acts; accordingly, we believe that this change is appropriate.

3. The tightening of liability for the leakage of personal data, including the introduction of turnover fines, is a preventive measure aimed at companies that should help improve the quality with which organizations protect their customers' data. It is a forced step on the part of the state that contributes to increased control by organizations over personal data processing. However, in our opinion, it is necessary to take into account the capabilities not only of large companies, but also of medium and small businesses, for whom the payment of such fines may jeopardize the company's activities as a whole.

4. Under the conditions of sanctions pressure, the state is interested in ensuring the most effective protection of personal data, as well as the functioning of Russian information systems without dependence on foreign services, and takes appropriate measures to that end. Because the interests of business representatives in this matter coincide with those of the state, the implementation of this mechanism is not expected to entail additional contradictions and difficulties.

Assessing the state policy of the Russian Federation in the field of personal data protection at the present stage, we emphasize that the right vector of development has been chosen and the proposed measures seem quite appropriate. However, a number of them need to be worked out in more detail so that the changes, once in force, are integrated as clearly and consistently as possible into the existing system of legal regulation. It is assumed that in the future, after the entry into force of these innovations, it will be possible to assess their effectiveness already within the framework of law enforcement.

References
1. Alyamkin, S. N. (2016). Personal data as an object of legal regulation: the concept and methods of protection. The world of science and education, 4(8), 4. Retrieved from https://amnko.ru/index.php/russian/journals/
2. Belaya, K.V. (2019). On the issue of the concept and legal regulation of banking secrecy. Skif. Student science issues, 4(32), 91-94. Retrieved from https://sciff.ru/arhiv/vypusk-4-32-aprel-2019/?ysclid=lwyuhndsca49258301
3. Gnedkov, A.V., & Nisch, A.V. (2022). The specifics of the dissemination of personal data in the latest version of the legislation on personal data. Scientific and methodological support for the assessment of the quality of education, 1(15), 49-52. Retrieved from http://www.xn--23-mlclgj2f.xn--p1ai/docs/rip/2022/nmg_15.pdf?ysclid=lx02e6sdv525955833
4. Endoltseva, E.V., & Endoltseva, Yu.V. (2023). A mechanism for countering the uncontrolled dissemination of personal data that contributes to the commission of criminal encroachments on the rights and legitimate interests of personal data subjects. Bulletin of the Ufa Law Institute of the Ministry of Internal Affairs of Russia, 3(101), 67-73. Retrieved from https://vestnik-uyi.editorum.ru/ru/nauka/issue/4526/view
5. Kanashevsky, V. A. (2019). Legal problems of Russian banks using cloud services from foreign providers. Lex Russica, 3(148), 108-115. Retrieved from https://crimescience.ru/wp-content/uploads/2017/05/LEX-Russica_3_2019.pdf
6. Kuzmin, Yu. A. (2020). Theft of personal data (criminological aspect). Oeconomia et Jus, 3, 48-57. Retrieved from https://oecomia-et-jus.ru/archive/year-2020/number-3
7. Semerkhanov, A., & Muromtsev, D. I. (2013). Integration of information systems based on linked data technology. Scientific and Technical Bulletin of Information Technologies, Mechanics and Optics, 5(87), 123-127. Retrieved from https://ntv.ifmo.ru/ru/publications/2013/publications_2013.htm?ysclid=lwyuix0l4e896249375
8. Sinkevich, E. E. (2015). Legal aspects of the realization of the right of a citizen of the Russian Federation to store and distribute personal data in the context of social development and global globalization. Central Russian Bulletin of Social Sciences, 6, 217-220. Retrieved from http://orelvestnik.ru/arhiv-nomerov
9. Takidze, D. T. (2021). Personal data protection in Russia. Bulletin of the Magistracy, 5-4(116), 108-111. Retrieved from https://magisterjournal.ru/numbers.htm?ysclid=lwyujuxjob306028265
10. Trofimova, A. (2018). Administrative liability for violation of the rules for processing and storing personal data. Law and Law, 9, 160-163. doi:10.24411/2073-3313-2018-10167