Personal Data Protection in Russia: Trends of the Last Decade
State University – Higher School of Economics, Russia
Software Engineering Department
Alexandra A. Savelieva
Prof. Sergey M. Avdoshin
Higher School of Economics - 2010 2
Personal Data in the World of Globalization and Digitization
Main Regulations
Federal laws:
• The Federal Law of the Russian Federation of 19 December 2005 No. 160-FZ "On Ratifying the European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data"
• The Federal Law of the Russian Federation of 27 June 2006 No. 152-FZ "On Personal Data"
Governmental Regulations:
• Government Regulation No. 781 of November 17, 2007
• Government Regulation No. 687 of September 15, 2008
• Government Regulation No. 512 of July 6, 2008
Normative Documents of the Regulatory Authorities:
• Supervision Agency for Information Technologies and Communications (aka Roskomnadzor)
• Federal Service for Technical and Export Control
• Federal Security Service
Major Provisions of the Law
Operator should take the appropriate security measures to ensure personal data protection against accidental or unauthorized access, alteration, destruction or dissemination.
The personal data subject has an exclusive right to decide whether to submit their personal data to an operator for processing.
Documentary evidence of the data subject’s agreement to the processing of their personal data should be at the operator’s disposal.
The data subject has full authority to access their personal data stored within any operator’s information system.
The State creates a designated authority to ensure protection of data subjects’ rights.
Affected Domains
Business
IT
Individuals
Finance
Education
Security
Social Networking % Reach of Country’s Total Internet Audience
Chart values (%), as listed: Russia * 89 / 11; USA ** 66 / 34; Switzerland *** 65 / 35; Europe *** 75 / 25; WorldWide *** 72 / 28
Legend: Internet population not active in social networks; Internet population using social networks
* Research of Russian Social Media – 2010 // ROSE agency in cooperation with HeadHunters.ru, March – April 2010 http://cossa.ru/1130
** 2010 Social Networking Report // Experian Simmons, June 2010 http://www.experian.com/marketing-services/register-2010-social-networking-report.html
*** Social Networking Has Banner Year in France, Growing 45 Percent // ComScore Press Release, February 2009 http://www.comscore.com/Press_Events/Press_Releases/2009/2/Social_Networking_France
*** Steven Van Belleghem. Social Media around the world // InSites Consulting, Dec 2009 – Jan 2010 http://www.slideshare.net/stevenvanbelleghem/social-networks-around-the-world-2010
Web Search for ‘Personal Data’
Blue: ‘персональные данные’, Region: Russia
Grey: ‘personal data’, Region: Worldwide
Source: http://www.google.com/insights/search/#
Designated Authority for Protection of Personal Data Subject’s Rights is obliged:
to organize protection of the rights of subjects of personal data
to control that protection of personal data is in accordance with the requirements of the present Federal Law and other Federal Laws
to consider the complaints and applications of citizens or legal entities on questions connected with the processing of personal data
to keep the Register of Operators
to take measures aimed at improving protection of the rights of subjects of personal data
Number of Appeals from Personal Data Subjects
Chart: number of appeals by quarter (Q1–Q4) for 2008 and 2009; vertical axis from 0 to 200.
Sources:
Roskomnadzor. Public summary report – 2009 // Ministry of Communications and Mass Communications of the Russian Federation, Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications http://rsoc.ru/docs/doc_530.pdf
Report on the activities of Designated Authority for Protection of Personal Data Subject’s Rights in 2008 // Ministry of Communications and Mass Communications of the Russian Federation, Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications http://www.rsoc.ru/personal-data/reports/
Operators of Personal Data – ‘Leaders’ by the Number of Complaints
Chart values, as listed: 54; 51; 28; 21
Categories, as listed: Telecoms Operator; Mass Media; Credit Agencies; State and Municipal Agencies
Source: Roskomnadzor. Public summary report – 2009 // Ministry of Communications and Mass Communications of the Russian Federation, Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications http://rsoc.ru/docs/doc_530.pdf
Appeals from ‘bad guys’
Tax-dodgers and debtors failing to pay rent can prosecute media that publish personal data
Operator’s Responsibilities
Within 3 days!
Destroy the Personal Data
• Detection of inadequate personal data
• Detection of operator misconduct with regard to personal data
• Processing of personal data after the revocation of subject’s consent
Eliminate the Violation
Within 7 days
Motivated Refusal
• Request from Personal Data Subject about the presence and contents of their data in Operator’s information system
Detailed Response
Within 10 days
Violation of the Law
Civil, criminal, administrative and disciplinary liability of physical and legal entities
Penalty up to 500 000 RUR (~$17K)
Suspension of operator business activities for a period of up to 90 days
Arrest for a period of up to 6 months / corrective labor for a period of up to 1 year
Discharge / Revocation of the right to hold a position for a period of up to 5 years
152-FZ in IT Industry
IT Staff and Management Awareness
Chart values, as listed: 36,80%; 42,90%; 16,20%; 4,10%
Legend, as listed: Extremely well-informed; Aware but didn't get into details; Understand the concept; Unfamiliar with the Law
Influence on Personal Data Protection
Chart values, as listed: 45%; 36,80%; 20,30%; 10,30%; 2,10%; 18,50% (vertical axis from 0% to 45%)
Categories, as listed: 152-FZ On Personal Data; Industrial Standards; Other Acts; PCI DSS; SOX; None of above
Source: Personal Data in Russia – 2008 // Perimetrix Research Paper http://www.perimetrix.ru/downloads/rp/PMX_Personal_Data_2008.pdf
Justification of Investments in Security
“Up to 5% of IT budget in western companies is allocated to information security, while in Russia it is only 0.5%” [2008]
“If we used the same language with CFO to explain them why Information Security investments are important, we would be able to reach the 5% level of expenditures”
Vladimir Mamykin, Director on information security at Microsoft Russian Federation
Conclusions
People’s awareness of their rights regarding personal data has significantly improved
The State designated an authority to ensure protection of data subjects’ rights
CSOs received a sound argument to justify investments into information security
Lawyers became involved in IT projects focused on personal data protection
The law acts as a powerful stimulus for the development of information security culture in Russia in accordance with international standards
References
The Federal Law of the Russian Federation of 19 December 2005 No. 160-FZ On Ratifying the European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
Roskomnadzor. Public summary report – 2009 // Ministry of Communications and Mass Communications of the Russian Federation, Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications http://rsoc.ru/docs/doc_530.pdf
Report on the activities of Designated Authority for Protection of Personal Data Subject’s Rights in 2008 // Ministry of Communications and Mass Communications of the Russian Federation, Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications http://www.rsoc.ru/personal-data/reports/
Portal on Personal Data // Designated Authority for Protection of Personal Data Subject’s Rights http://pd.rsoc.ru/
Research of Russian Social Media – 2010 // ROSE agency in cooperation with HeadHunters.ru, March – April 2010 http://cossa.ru/1130
2010 Social Networking Report // Experian Simmons, June 2010 http://www.experian.com/marketing-services/register-2010-social-networking-report.html
Social Networking Has Banner Year in France, Growing 45 Percent // ComScore Press Release, February 2009 http://www.comscore.com/Press_Events/Press_Releases/2009/2/Social_Networking_France
Steven Van Belleghem. Social Media around the world // InSites Consulting, Dec 2009 – Jan 2010 http://www.slideshare.net/stevenvanbelleghem/social-networks-around-the-world-2010
Personal Data in Russia – 2008 // Perimetrix Research Paper http://www.perimetrix.ru/downloads/rp/PMX_Personal_Data_2008.pdf