Content
- Introduction
- What the law says
  - Over there: the USA and Europe
  - Over here: Russia
- Personal data and law enforcement
  - Over there: the USA and Europe
  - Over here: Russia
- Conclusion
Introduction
Eldar's remark that European laws prohibit taking photos of people on the streets caused serious controversy in the comments. I propose that we figure out what kind of animal this 'personal data' is, how it is stored and used in the European Union, the USA and Russia, and whether it can be transferred to someone or somewhere else, for example to another country. I don't want this to turn into a meeting of the circle of comparative-law enthusiasts, so I will try to explain everything in plain terms, as they say, counting on my fingers, and I will deliberately simplify some things.
Human activity on the Internet leaves many traces. 'Cunning companies' collect them, accumulate and analyze them, and then sell them to anyone in anonymized form. Is this personal data? Let's figure it out.
What the law says
To begin with, let's establish that the law (or rather the laws) distinguishes between the general processing of personal data and processing carried out by the competent authorities in the interests of security (the official term is longer and more precise; interested readers can look at, for example, EU Directive 2016/680).
I suggest starting with the general processing of personal data.
Over there: the USA and Europe
In the United States, everything is simple and complex at the same time. There is no single law regulating the processing of personal data, no single definition of personal data, and so on. Each area has its own normative act and its own definition. Of course, these contain a lot of nuances; you can't possibly keep track of them all. For example, the 1974 Privacy Act prohibits federal employees from disclosing information about private citizens without their written consent. The 1999 Gramm-Leach-Bliley Act regulates, among other things, the protection of 'private personal information' by banks, insurance and other financial companies. In simplified terms, the main principle of working with personal data is that it must not be used for discrimination on the basis of race, gender, religion, age, etc.
Cross-border transfer of personal data, that is, its transfer to another country, is allowed where an appropriate agreement exists. For each request from abroad, a separate decision is made to transfer (or refuse to transfer). The United States has such an agreement, for example, with the European Union, but for some reason it is mainly applied in the opposite direction, from the EU to the United States.
In the European Union, the GDPR (General Data Protection Regulation, 2016/679) mentioned by Eldar is in effect throughout its territory. Its requirements apply only to legal entities. It established uniform rules governing the processing of personal data in all EU countries.
In this regulation, personal data means any information that allows an individual to be identified directly or indirectly. The regulation details the procedure for processing personal data, the organization of this work, and so on. In theory, none of this should concern us, because these are requirements for those who live and work in Europe. But the effect of this legal act extends outside the EU if the processing of personal data is related to offering goods and services to EU residents or to monitoring their behavior. That is, any online store that serves Europeans, or any company offering, for example, personalized advertising in the EU, must take care to bring its activities in line with these standards, and therefore incurs certain costs.
Under the new regulation, companies that process personal data must report cases of unauthorized access to data. In addition, serious liability is introduced (fines with many zeros, or as a percentage of revenue for the previous financial year) for violation of the regulation's requirements.
You have probably noticed that many services recently updated their security policies, including the conditions for processing personal data. For example, since mid-May such emails have been flooding my inbox. These companies were preparing for the entry into force of the EU GDPR on May 25, 2018, and were also collecting the mandatory consent to the processing of personal data.
In Europe, as I mentioned above, cross-border transfers of personal data are permitted. Here the term means transfer outside the borders of the EU, since the principle of free movement of personal data operates within the EU. The criteria are very similar to those in the United States: the existence of an agreement, compliance with certain requirements, and a decision on a case-by-case basis.
Over here: Russia
In Russia, the Federal Law of July 27, 2006 No. 152-FZ 'On Personal Data' is in force (as amended and supplemented). Its requirements apply to legal entities and individuals of the Russian Federation who process the personal data of citizens of our country (namely citizens of Russia, not any inhabitant of the Earth). Personal data is defined in much the same way as in the EU: any information relating directly or indirectly to a specific or identifiable natural person.
The fines are not as large as in Europe and amount to a maximum of several tens of thousands of rubles. But Russian legislation has its own peculiarity, called the localization of personal data. This means that personal data (the originals, so to speak) must be stored on the territory of our country, while a working copy can be anywhere.
Cross-border transfer of personal data is allowed, and the conditions are less strict. No special agreement is required; only certain conditions must be met. The decision on the transfer is made by the person who processes the personal data.
Personal data and law enforcement
Over there: the USA and Europe
Now I propose to consider how the competent authorities access and transfer personal data in the interests of security.
In Europe, as I have already mentioned, Directive 2016/680 has been in effect since 6 May 2018. It introduces requirements for the protection of personal data in this area that are uniform for all member countries. The EU expects that unification will significantly reduce the material and time costs of information processing. The new rules apply to the exchange of personal data at the national, cross-border and international levels. Such information can be transferred abroad only on the basis of a decision of the European Commission on the "adequacy of the level of protection of personal data" in a third country or international organization, or upon agreement between the countries.
The 'adequacy' of the level of protection of personal data is determined by the European Commission. In practice, this is a check of whether the norms of a third country comply with the legislative and administrative practice of the European Union. The most difficult part of implementing the directive was adapting IT systems to log and retain records of every access to personal data. Most member countries have already stated that they will be able to complete the installation of the relevant equipment only by 2026.
The United States has gone further. In March 2018, it passed a law clarifying the legality of using data stored abroad, the so-called CLOUD Act (Clarifying Lawful Overseas Use of Data Act), which effectively eliminates the existing mechanisms for protecting data stored abroad.
What does this mean? The law allows US law enforcement agencies to request from US IT companies the data of US citizens that they store, regardless of where this information is physically located, and electronic communications service providers are required to hand this data over to the authorized agencies. Given that many global IT companies are under US jurisdiction, US authorities gain access to correspondence, metadata and user accounts around the world.
For example, the US police may oblige Google or Facebook to provide users' personal information even if it is stored in Europe. Previously, law enforcement agencies could only require data from companies located in the United States.
If it was necessary to obtain information from another country, the system of mutual legal assistance agreements (Mutual Legal Assistance Treaties, MLAT) came into play. It is quite cumbersome and complex. The data transfer mechanism is governed by the national legislation of each country. The processing time for one request is on average 10 months. Most often, by the time the information was received from the other state, it had become irrelevant.
The immediate reason for developing the new law was Microsoft's lawsuit against the US government.
In 2013, during an investigation into a drug trafficking scheme, the FBI served Microsoft with a court order to view the correspondence of one of its users. The user was a US citizen, but the correspondence was stored on servers in Ireland. The user had specified Ireland as their location, and Microsoft's policy was to keep information as close to the user's location as possible. Microsoft refused to release the data, citing the fact that doing so would violate the laws of Ireland. Instead, company representatives suggested that the FBI apply to the Irish authorities for permission.
It was at this time that E. Snowden's revelations were published. Citizens began to suspect that the US government was spying on them through Internet companies. This question especially worried foreign users. Therefore, Microsoft allowed government and corporate customers to choose in which country they would like to store their information.
The case reached the US Supreme Court, but after the adoption of the CLOUD Act the parties agreed that the authorities would re-submit their request under the new law and promptly receive the necessary data, and the company would withdraw all objections. Everyone was pleased (especially the justices of the Supreme Court, because they did not have to decide this baffling case).
Over here: Russia
And what about Russia? In our country, obtaining information from abroad is governed by mutual legal assistance agreements or similar intergovernmental agreements. The personal data law contains the localization requirement already mentioned; there is also a law prohibiting the placement of state IT systems outside the country, as well as the famous 'Yarovaya package'. These regulatory legal acts make it possible to ensure the security of personal data and its processing on the territory of Russia, and, if necessary, to provide the Russian competent authorities with access to it.
As far as access to personal data in the interests of security is concerned, these decisions were justified. I think you can imagine how foreign companies respond to requests from Russian law enforcement agencies to provide the necessary data. For example, according to statistics from the Gmail mail service for January to June 2017, the US authorities asked Google to disclose user data 16823 times and received the data more than 13500 times (81% of cases). During the same period, Russia contacted Gmail 318 times and received some data only a little over 30 times (10% of cases).
Conclusion
Brief summary:
- personal data in many countries of the world is carefully protected by law. Unfortunately, these measures do not reduce the number of 'leaks' of personal databases;
- requirements for ensuring the security of personal data are an effective tool for increasing spending on the information technology sector;
- if you live in Russia and your activity is not related to offering goods and services to EU residents or monitoring their behavior on the Internet, then the requirements of the GDPR will not apply to you;
- the implementation of the Yarovaya package may lead to certain legal problems for Russian telecom operators, because the stored data will, one way or another, include information about EU residents without their explicit consent. This, in turn, is a violation of the GDPR and can lead to serious fines;
- in the interests of security, the United States is once again doing as it suits it regarding access to personal data, with no regard for the rest of the world. The extraterritorial effect of US law may outrage even its traditional allies;
- well, and most importantly, what should an ordinary person do? If you are a law-abiding citizen, then you most likely have nothing to hide. In this case, none of the laws described affect your daily activities. If you do need to hide something, then I think you know what to do and how to do it without my advice. Just in case, let me remind you of the basics. It is advisable to store all the necessary information on a standalone computer that has never been, and never will be, connected to the Internet, even indirectly, and in everyday life to use not a smartphone but a simple push-button phone and a paper notebook. Everyone else, who falls between these two extremes, just needs to know and take into account the nuances of personal data processing mentioned above. In addition, I strongly recommend that you carefully read the data protection agreements that you always accept (by ticking the box) when registering for one service or another;
- obviously, over time Europe will follow the path of the United States, and EU law enforcement agencies will also receive simplified access to personal data. In turn, for those people who have something to hide, offers to change their personal data, 'autonomize' it, and so on will multiply. For example, there are already services that alter one or two pixels in certain blocks of a photo, imperceptibly to the human eye, so that machine recognition cannot identify the person.
P.S. This topic is important because you need to understand how and by whom your personal data can be used. I hope the article was helpful.
Write in the comments whether you are afraid for the safety of your personal data, and whether you read the data protection agreements when registering with online services or offline organizations (banks, medical centers, insurance companies).
Ivan Alexandrov