Register of violators of the rights of personal data subjects. Register of violators of the law “On personal data. With changes and additions from

Some time ago I swore off commenting on draft laws and other normative legal acts, since they sometimes differ radically from the final version, if they are adopted at all.

But I decided to make an exception to the rule. A very surprising act is being prepared - bill No. 553424-6 “On amendments to certain legislative acts of the Russian Federation (regarding clarification of the procedure for processing personal data in information and telecommunication networks).”

Aleksey Lukatsky and Sergey Borisov have already posted about it, but there are nuances that I did not see in their comments and that I would like to draw attention to. Since what was born in the bowels of the State Duma is not subject to publication on the “Unified portal for posting information on the development by federal executive bodies of draft normative legal acts and the results of their public discussion,” one has to use a personal blog for this very public discussion.

Many people have already spoken about the essence of the law; it boils down to two fundamental points - the placement of databases with personal data of Russians only on the territory of Russia (with some permissible exceptions) and the creation of another register, now of violators of the rights of personal data subjects. Everything else is a kind of connection to the implementation of these two main ideas.

Regarding the placement of databases of personal data of Russians in Russia. What is surprising is not the idea of base sovereignty itself; this has been discussed for a very long time, but precisely these very exceptions. It is assumed that everything will be on the territory of Russia, but some things can be hosted outside its borders, namely, websites of government agencies (clause 2 of part 1 of article 6 of 152-FZ, I will separately highlight databases of bailiffs - clause 3 of part 1 of art. .6 152-FZ), state extra-budgetary funds, any government and self-government bodies, as well as organizations providing state and municipal services (clause 4 of part 1 of article 6 of 152-FZ).

For some reason it seemed to me that it should be exactly the opposite - let businessmen figure out with clients themselves where their database servers are located, but government agencies, municipalities and organizations specially created to implement their powers - no, no. At first I couldn’t believe my eyes, I re-read Article 1 of the bill ten times - for sure, they can. Those. a personalized accounting system created in accordance with the Federal Law “On Compulsory Health Insurance”, or a government services website or municipal services the city of Verkhnevoltovsk to be hosted somewhere in Germany or Latvia - this is, please, but the ABS database and the website of the bank - a wholly owned subsidiary of a foreign one, or booking.com, where Russians had the imprudence to book a hotel or rent a car - please transfer it to Russia . I’m not joking about booking .com and I’m not mistaken - the constant demands of deputies and senators to check whether Google, Twitter or Facebook are complying with Russian legislation indicate that legislators pose the issue this way. Otherwise, block, period. Another interesting question is how the operator should determine whether a Russian sent him personal data or not. For the vast majority of sites, you do not need to indicate citizenship or passport information.

Regarding the inclusion of the operator in the register of violators of the rights of personal data subjects and blocking of the resource. Entry into the register, in accordance with the bill, occurs on the basis of a judicial act that has entered into legal force. And now – a question for the studio. Which act exactly? About what? In accordance with Article 2 of the bill, the register is created “in order to limit access to information on the Internet” processed in violation of the law Russian Federation in the field of personal data” I.e. Are we talking about a judicial act that determines who is guilty of violating such legislation? Or about a judicial act directly requiring blocking of the site? If it is about an act indicating the perpetrator, is this only Article 13.11 of the Code of Administrative Offenses in the current edition, or in general any violation related to this legislation? I can offhand suggest a whole set of cases:

· Article 5.27 of the Code of Administrative Offenses (Violation of labor and labor protection legislation) – if we are talking about a violation of the requirements of Chapter 14 of the Labor Code “Protection of Personal Data”, for example, personal data of employees is published on the website without their written consent;

· Article 5.39 of the Code of Administrative Offenses (Refusal to provide information to a citizen) – if the operator has not responded to the subject’s request submitted through the site;

· Article 13.12 of the Code of Administrative Offenses (Violation of information security rules, part 6) - if uncertified information security means are used to protect the site or the firewall is not of the same security class as specified in FSTEC Order No. 21, and the site channel is not encrypted by a certified CIPF;

· Article 13.13 of the Code of Administrative Offenses (Illegal activities in the field of information protection) - if the operator built the protection of his website himself, but does not have a license for TZKI;

· Article 19.7 of the Code of Administrative Offenses (Failure to provide information (information)) – if the operator processes personal data on the site, and Roskomnadzor did not notify Roskomnadzor of the processing;

· Article 137 of the Criminal Code of the Russian Federation (Violation of privacy) – if information about private life is collected and posted on the site, and the court considered it illegal;

· Article 138 of the Criminal Code of the Russian Federation (Violation of confidentiality of correspondence, telephone conversations, postal, telegraph or other messages) – if the operator, for example, has posted a private letter, SMS message or telephone connection protocol on the website;

· And with some stretch – Article 140 of the Criminal Code of the Russian Federation (Refusal to provide information to a citizen), if Article 5.39 of the Code of Administrative Offenses seemed insufficient.

Another problem inherent in the bill is How will Roskomnadzor find out about the entry into force of a court decision on a violation of the law? The obligation of the courts to do this is not included in the bill, as well as a direct court decision to block. A somewhat exotic path is proposed - the right of the subject to apply to Roskomnadzor with an application to take measures to limit access to information processed in violation of legislation in the field of personal data on the basis of a judicial act that has entered into force in a form approved by Roskomnadzor. And if the subject does not apply, how will the supervisory authority perform the functions assigned to it by law? Some unanswered questions...

And one more small but significant point. A number of operators are required by law to disclose certain information on their official website on the Internet. For example, Order of the Federal Financial Markets Service dated January 10, 2006 No. 06-117/pz-n “On approval of the regulation on disclosure of information by issuers of issue-grade securities” describes in detail the procedure for disclosing information on the website provided for by the law “On the Securities Market”, obliging users to provide “free and easy access" to it and ensure this access "within the time limits established by regulatory legal acts, on one page on the Internet." And for violation, by the way, the fine is from 700 thousand to a million rubles. Or Directive of the Bank of Russia dated January 16, 2004 No. 1379-U “On assessing the financial stability of a bank in order to recognize it as sufficient for participation in the deposit insurance system” recognizes the bank as ensuring the availability of information about persons who have a significant (direct or indirect) influence on decisions made management bodies of the bank, an unlimited number of persons, if information about them is posted on the official website of the bank or on the official website of the Bank of Russia. The absence of written confirmation from the bank about the disclosure of this information to an unlimited number of persons is grounds for refusal to issue a license to attract funds on deposit. individuals, no more and no less.

Now let's imagine - the issuer of securities or the bank violated the law on personal data, failing to post, for example, a policy regarding the processing of personal data on the website, and was held accountable for this. The situation is quite real, such cases were reported not so long ago wrote. The court decision came into force, the site was blocked, and then a completely different regulator received a complaint that it was impossible to gain access to information subject to mandatory disclosure. Silent scene. A curtain.

And finally. The bill is written with errors and inaccuracies. How do you like, for example, the phrase “registry operator excludes uploads for telecom operators Domain name, index of a site page on the Internet or network address, allowing you to identify a site on the Internet based on a request from the owner of the site on the Internet, a hosting provider or a telecom operator providing services for providing access to the Internet information and telecommunications network, no later than three days from the date such an appeal after taking measures to eliminate violations of the legislation of the Russian Federation in the field of personal data, or on the basis of a court decision that has entered into legal force to cancel a previously adopted court act.” No matter how hard I tried, I still couldn’t understand who should do what.

In general, in my humble opinion, adopting a law in this form is not only impossible, but also very harmful, since the consequences of its adoption will be completely unpredictable, and in areas that the authors clearly did not think about.

GOVERNMENT OF THE RUSSIAN FEDERATION

RESOLUTION

ABOUT THE AUTOMATED INFORMATION SYSTEM

"REGISTER OF VIOLators OF RIGHTS OF PERSONAL DATA SUBJECTS"

In accordance with parts 3 and 4 of Article 15.5 of the Federal Law “On Information, Information Technologies and Information Protection,” the Government of the Russian Federation decides:

1. Approve the attached:

Rules for the creation, formation and maintenance of an automated information system "Register of violators of the rights of personal data subjects";

criteria for determining the operator of the automated information system "Register of Violators of the Rights of Personal Data Subjects" - an organization registered on the territory of the Russian Federation, in order to be involved in the formation and maintenance of such a register.

Chairman of the Government

Russian Federation

D.MEDVEDEV

Approved

Government resolution

Russian Federation

CREATION, FORMATION AND MAINTENANCE OF AUTOMATED

INFORMATION SYSTEM "REGISTER OF RIGHTS VIOLATORS

SUBJECTS OF PERSONAL DATA"

1. The automated information system "Register of Violators of the Rights of Personal Data Subjects" (hereinafter - the register) is created in order to limit access to information on the information and telecommunications network "Internet" (hereinafter - the "Internet"), processed in violation of the legislation of the Russian Federation in the field personal data (hereinafter referred to as information processed in violation of the law).

2. The creation, formation and maintenance of the register is carried out by the Federal Service for Supervision in the Sphere of Communications, information technologies and mass communications.

3. federal Service for supervision in the field of communications, information technology and mass communications may involve in the formation and maintenance of the register an organization registered on the territory of the Russian Federation that meets the criteria for determining the operator of the automated information system "Register of Violators of the Rights of Personal Data Subjects" - an organization registered on the territory of the Russian Federation, in order to involve in the formation and maintenance of such a register, approved by Decree of the Government of the Russian Federation dated August 19, 2015 N 857 “On automated information system"Register of violators of the rights of personal data subjects."

4. The register includes:

a) domain names and (or) indexes of pages of sites on the Internet containing information processed in violation of the law (hereinafter referred to as domain names);

b) network addresses that allow you to identify sites on the Internet containing information processed in violation of the law (hereinafter referred to as sites, network addresses);

c) an indication of the judicial act that has entered into legal force on taking measures to limit access to information processed in violation of the law (hereinafter referred to as the act on restricting access), including the name of the court, case number, content of the violation of the legislation of the Russian Federation in the field of personal data, set out in the operative part of the judicial act, the date of the judicial act and the date of its entry into legal force;

d) the date and time of sending by the Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications to telecom operators the information specified in subparagraphs “a” - “c” of this paragraph, for the implementation of measures limiting access to information processed in violation of the law;

e) information on eliminating violations of the legislation of the Russian Federation in the field of personal data.

5. Information on eliminating violations of the legislation of the Russian Federation in the field of personal data includes:

a) the date and time of receipt by the Federal Service for Supervision of Communications, Information Technologies and Mass Communications of the act on restricting access;

b) information about the hosting provider or other person providing information processing on the Internet in violation of the legislation of the Russian Federation in the field of personal data (hereinafter referred to as providers), including their names and email addresses;

c) the date and time of sending the notification to the provider about violation of the legislation of the Russian Federation in the field of personal data;

d) date and time of entering the domain name into the register;

e) date and time of entering the network address into the register;

f) information about the judicial act that entered into legal force on the cancellation of a previously adopted judicial act on restricting access (hereinafter referred to as the act on canceling the act on restricting access), including the name of the court, the case number, the date the judicial act was issued and the date it entered into legal force;

g) information about the decision of the Federal Service for Supervision of Communications, Information Technologies and Mass Communications to exclude the domain name and network address from the register;

h) the date and time of entering into the register information about the exclusion of the domain name from the register;

i) the date and time of entering into the register information about the exclusion of a network address from the register.

6. In pursuance of the act on restricting access, the information specified in subparagraphs “a” - “d” of paragraph 4 and “a” - “e” of paragraph 5 of these Rules is entered into the register.

7. The Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications, within 3 working days from the date of receipt of the act on restricting access, carries out:

a) entering into the register the information specified in subparagraphs “a”, “c” of paragraph 4 and subparagraph “a” of paragraph 5 of these Rules;

b) definition of provider;

c) direction to the provider in Russian and English languages V in electronic format notifications of violations of the legislation of the Russian Federation in the field of personal data with information regarding the act of restricting access, domain name, network address, as well as with a requirement to take measures to eliminate the violation of the legislation of the Russian Federation in the field of personal data specified in the act of restricting access;

d) entering into the register the information specified in subparagraphs “b” - “d” of paragraph 5 of these Rules.

8. The basis for inclusion in the register of the information specified in subparagraphs “h” and “i” of paragraph 5 of these Rules is the act of repealing the act on restricting access that has entered into legal force or the decision of the Federal Service for Supervision of Communications, Information Technologies and Mass Media communications regarding the exclusion of a domain name and network address from the registry.

9. After 3 working days from the date of sending the notification to the provider, the Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications verifies the elimination of the violations specified in the access restriction act.

If there is no access to information processed in violation of the law, or the violation specified in the access restriction act is eliminated, the Federal Service for Supervision of Communications, Information Technologies and Mass Communications makes a decision to exclude the domain name and network address from the register, as well as enters into the register the information specified in subparagraphs “g” and “h” of paragraph 5 of these Rules.

If there is access to information processed in violation of the law, the Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications enters into the register the information specified in subparagraph "b" of paragraph 4 and subparagraph "e" of paragraph 5 of these Rules and sends it to the operators communications domain name, network address and information specified in subparagraph “c” of paragraph 4 of these Rules, to take measures to limit access to information processed in violation of the law.

On September 1, 2015, something happened that we had been warning all website owners and web developers about for a long time: Federal Law No. 242-FZ of July 21, 2014 “On amendments to certain legislative acts of the Russian Federation regarding clarification of the procedure for processing personal data” came into force in information and telecommunication networks." If you carefully follow our updates news feed, or visited ours, then you must remember that this law made changes to the procedure for restricting access on the Internet to information processed in violation of the legislation of the Russian Federation in the field of personal data.

As part of the implementation of the mentioned changes, a “ Register of violators of the rights of personal data subjects" As you might guess, the main task of this register is to restrict access to Internet resources that violate Russian legislation on personal data. Thus, if any Internet resource commits violations when processing personal data and this fact is established by a court decision that has entered into legal force, then, in accordance with Part 6 of Article 15.5. Federal Law No. 149-FZ of July 27, 2006, the affected subject of personal data has the right to apply to Roskomnadzor with an application to take measures to limit access to information processed in violation of the legislation of the Russian Federation in the field of personal data.

The form of this application was approved by Roskomnadzor order No. 85 dated July 22, 2015 (registered with the Russian Ministry of Justice on August 17). According to this order, the application must indicate information about the applicant (full name, passport data, SNILS, address, telephone number), as well as information about the judicial act (case number, name of the court, date of adoption of the judicial act), details of the executive sheet, information about information resources containing information processed in violation of legislation in the field of personal data (domain name, network address, website page indexes).

In the illustrations below you can see the list of fields in the application form for taking measures to limit access to information processed in violation of the legislation of the Russian Federation in the field of personal data, posted on the official website of Roskomnadzor:

It should also be noted that already on September 9, 2015, information appeared on the Roskomnadzor website about the inclusion of the Internet resource abonenty-chast2.pw in the register of violators of the rights of personal data subjects. According to the information presented on the pages of this resource, data on the full name, date of birth, address, telephone number and place of work of more than 1.5 million Russian citizens was incorrectly processed. Thus, it can be stated that the launch of the “Register of Violators of the Rights of Personal Data Subjects” was quite successful.

In this regard, it would not be amiss to recall that the Expert Center provides special service - optimization of personal data processing on the website, within the framework of which leading specialists of the Expert Center audit the processes of processing personal data on the site and prepare a package of documents, including detailed instructions to bring the site into compliance with the norms of the current legislation on personal data ( as well as the texts of consents, agreements and regulations governing the processing of personal data on the site).

Decree of the Government of the Russian Federation of August 19, 2015 N 857
"On the automated information system "Register of violators of the rights of personal data subjects"

In accordance with parts 3 and 4 of Article 15.5 of the Federal Law “On Information, Information Technologies and Information Protection,” the Government of the Russian Federation decides:

1. Approve the attached:

Rules for the creation, formation and maintenance of an automated information system "Register of violators of the rights of personal data subjects";

Rules
creation, formation and maintenance of an automated information system "Register of violators of the rights of personal data subjects"
(approved by resolution

With changes and additions from:

2. The creation, formation and maintenance of the register is carried out by the Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications.

3. The Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications may involve in the formation and maintenance of the register an organization registered on the territory of the Russian Federation that meets the criteria for determining the operator of the automated information system "Register of Violators of the Rights of Personal Data Subjects" - an organization registered in territory of the Russian Federation, in order to be involved in the formation and maintenance of such a register, approved by Decree of the Government of the Russian Federation of August 19, 2015 N 857 “On the automated information system “Register of violators of the rights of personal data subjects”.