242 FZ on personal data protection. Federal law 242 (FZ on personal data): changes and comments

In Russia there is a separate law under which various organizations and individuals must carry out operations of personal data — law No. 152-FZ. In the legal act from time to time, the legislator makes changes. In particular, September 1, 2015 came into force the law № 242, after the issuance of law No. 152-FZ, a number of principally new norms. What are they? Who is obliged to fulfill the relevant provisions of the legislation?

What is an FZ on personal data?

It is particularly necessary to focus on this fundamental point: the law 242-FZ, which entered into force on 1 September 2015, is a normative act, which made changes in the other, the fundamental source of law — law No. 152-FZ, adopted in July 2006. Thus, the language contained in act No. 242, should be considered only in the context of the norms contained in law No. 152-FZ.

The Fundamental legal act-law No. 152-FZ, established in the legislation of the Russian Federation such legal category as:

- personal information

- the operator of the relevant information;

- the processing of personal data.

Under the first legal category, the legislator prescribes to understand any information that directly or indirectly relates to a natural person. This can be, for example, his name, personal information, contact information.

Under the second legal category in the law refers to the state or municipal authority, organisation or person who either alone or during interaction with other entities handling the data, and also determine their structure and operations with them.

Under the third legal category, the legislator prescribes to understand any operation or sequence that are related to personal data and are carried out through the use of means of automation or without them.

Basic operations with personal data, defined in law No. 152: collection, recording, storage, updating, use, transmission, blocking, deletion. The legal category, in principle, at the time of adoption could be considered fairly new to the legal system of the Russian Federation. Prior to the circulation of personal data was regulated by the Russian legislation is quite superficial.

Novelty law No. 152-FZ

The Law on personal data, adopted in Russia, was called thus to approximate domestic legal system to international standards ensuring confidentiality of information exchange — the first, submitted in electronic form and used as part of online communications. But law No. 152-FZ equally created the legal environment to ensure protection of various offline data.

According To the regulatory legal act was identified several classes of personal data that required the application of certain security algorithms. In addition, law No. 152-FZ has established norms under which the circulation of various data can be carried out in specialized information systems — those that require particularly high qualifications of the administrators and receive their licenses to conduct transactions with personal data.

Despite the fact that law No. 152-FZ was published in 2006 in practice the main provisions of the personal data operators has become necessary to use only from 1 July 2011. Since the relevant source of law, as we noted above, periodically made various adjustments. In particular, those that have been approved by the Federal authorities through the Law 242-FZ. Consider its features in more detail.

Features of the application of a legal act

Federal law 242-FZ “personal data" (or rather “On introducing amendments to the acts in the specification data processing”) established a provision under which operators were required to implement the processing and storage of information on servers that are located on the territory of Russia. Or if it's offline personal data — to place them in databases that are located in Russia. Note that in the law 242-FZ stipulates a number of exceptions with respect to specified standards — which, in turn, reflected in the provisions of the Federal law No. 152.

Another caveat of the application of the law is that through it the legislator also introduced changes not only in the basic legal act governing personal data, but also in other sources. Namely, in the laws 149 “information” and 249 (“On protection of legal entities and individual entrepreneurs during state and municipal control”).

In the Russian media actively replicated information that Roskomnadzor-the Agency responsible for ensuring compliance of the activities of data controllers to the provisions of the FZ-242 “On protection of personal data”, in 2016, will carry out inspections of the largest suppliers of IT solutions, which carry out activities in the Russian Federation. In particular, it was stated that the purpose of Roskomnadzor — to learn whether provisions under the act such brands as Microsoft, «Vkontakte», HeadHunter, LaModa. It was assumed that the Agency will perform about 1 thousand various checks.

Initiated by the Federal authorities through the publication of the Federal law № 242-FZ changes on personal data in the basic law could pre-empt the need for major operators significant upgrade of hardware and software. But this problem must be solved by brands, otherwise, for non-compliance of their infrastructure to the requirements of the act, the Roskomnadzor may impose a fine on the company.

A Significant role in the audit, was supposed to play users of various IT solutions. If they begin to suspect that their data is completely protected, information about the service that is involved in operations with the corresponding data may be transferred to users directly in the Roskomnadzor. Which, in turn, will initiate the test service for compliance with the law 242-FZ.

It is Useful to consider what was the scope of the considered source of law.

Law No. 242: scope of sources of law

The Main discussion point in this case — whether the jurisdiction of the FZ-242 “On protection of personal data” foreign companies, which, on the one hand, provide services to Russian users, on the other, are located outside of the Russian Federation from a legal point of view, and in terms sagastume infrastructure.

Certain provisions in the law that would clearly define the geography of his actions, the legislator did not approve. Therefore, in order to find the answer to the question under consideration, it is necessary to refer to other legal acts.

Thus, in accordance with the law on information, acting in the RF, application on the territory of Russia of various types of communication infrastructure should be based on the norms approved in the legislation of the Russian Federation. Thus, if we follow this norm, we can come to the conclusion that Federal law No. 242-FZ apply only to those services that are uniquely uses infrastructure that is hosted in Russia.

Definition of the activities of personal data operators in Russia

The most Important criterion determining the jurisdiction of the reporting source of the law — the focus of a brand owning a particular service. If a website mainly caters for Russian users, it shall be considered subject to regulation from the point of view of application of provisions of act No. 242. The fact that the service is aimed at obtaining personal data of citizens of the Russian Federation may be established on the basis that:

- in the structure of the address of the website used domain .ru, .su .Russia or, for example .Moscow;

- the content of the website is in Russian language.

- the portal is the availability of opportunities to engage in relationship with a service using contracts drawn up in accordance with the Civil code of the Russian Federation.

In practice, data controllers that fall under the jurisdiction of the Federal law № 242, can be very different structures — for example, personnel service companies, banks, call centers. All they are required to ensure the compliance of its activities to the requirements of the law in question.

Law № 242 from the point of view of its application retroactive

The Law No. 242-FZ on amending the Federal law No. 152 was issued later than was actually himself law No. 152-FZ, and also the previous amendments, however, gave rise to the need to interpret provisions of the basic legal act. In particular, among lawyers there was discussion about whether to consider the law № 242 as having retroactive effect.

More than just a popular point of view, according to which in assessing the legal effect of the legal act to apply the legal principles under which the vesting of those retroactive laws that worsen the situation of those or other persons, or grant them additional duties, should not be performed.

Exceptions may be taken in respect of legal acts in which the principle of retroactivity are fixed. The law 242-FZ of such provisions does not contain. Therefore, to comply with its obligation onlythose relationships, which begin to process personal data after the entry of the relevant legal acts in force. That is, from 1 September 2015.

Entity data collection

Another controversial aspect of the considered legal act — a definition of "collecting data" based on the language present in it. What is the complexity of interpretations in this case? The fact that, in accordance with the provisions of law No. 152-FZ, which was introduced through the publication of the Federal law № 242-FZ changes on personal data, operators are obliged to provide the localization files in the process just after collecting the relevant information. In turn, the essence of this procedure is not clearly defined in the law, which, of course, is not conducive to the effective implementation of its provisions in a number of contexts.

Experts common point of view, according to which “collection”, it is legitimate to understand the process through which the operator receives data directly from some of the subject or authorized third party. it Turns out that localized in accordance with the norms of FZ 242 should be only the personal data it was acquired by the operator in fact has carried out focused work to collect relevant data. And if, for example, the operator got them by accident - as an option, in the form of e-mail, to localize, as prescribed by the law 242-FZ personal data is optional. Similarly, it is wrongful to consider how the data collection process receive one firm from another, if they represent phone numbers and other contact details of the representatives of the company.

Data Placement abroad according to the law № 242

The Next important thing that characterizes the law enforcement practice in the implementation of the provisions of act No. 242 — the ability to embed data with operators from abroad in necessary cases — for example, if we are talking about backing up the relevant information on servers that are leased from foreign suppliers. On the one hand, according to the law No. 242-FZ personal data must reside on servers located in Russia. On the other, of course, it may be their objective need for accommodation and also on foreign resources.

According to the lawyers, cross-border transfer of data without violation of the provisions of the governing law, in principle, possible. On the basis of what provisions of law this position can be considered legitimate?

When cross-border transfer legal

The fact that the law on personal data localization 242-FZ does not include provisions for adjustments to legal acts regulating cross-border transfer of files containing individualized data on Russian citizens and other entities that fall under the protection of the law № 152-FZ. Therefore, this procedure is legal, and until that moment had been taken under consideration the amendments to the law.

But again, pay attention — cross-border data transfer can be made only for backup purposes, copy the appropriate files. The originals, therefore, must be hosted on servers in Russia. The data controller responsible for unauthorized use of those or other persons files on foreign servers. In addition, he will probably have to align their information systems with the requirements established by the law of the state in whose territory are located the server.

Penalties for violations of the law № 242

So we looked at what made the legislator by law 242-FZ changes to the Federal law № 152. It will also be helpful to consider what sanctions may face data controllers who have violated the provisions of the relevant source of law.

First, for a company that is obliged to comply with the requirements of act No. 242, may be imposed an administrative fine. Its value is 500-1000 rubles for officials and a 10 times large amounts, for legal entities, the penalty provided in article 13.11 of the administrative code.

Second, can be applied to such sanction as the introduction of operator data in the registry violators. It is an automated database that includes domain names and url's of sites where personal data is processed with violations. Note that the inclusion of the operator in the register is carried out on the basis of a court decision. The exception — after its cancellation, or in fact resolve company violations of the act.

Third, there may be limited access to the website that implemented the incorrect processing of personal data. This procedure is performed after the data subject sends to the Roskomnadzor a statement about the need to take measures to lock the corresponding resource.

In addition, this document should also be supplemented judicial act, which entered into force. After that, Roskomnadzor sends the information on violations by the website owner, act No. 242 of the hosting provider, and that if the resource owner fails to eliminate the violation, it blocks the website.

The Procedure of applying sanctions toviolators of the provisions of a legal act depends largely on enforcement. Operators of personal data it makes sense to regularly examine her, as well as, for example, and various analytical studies of the provisions of the law № 242-FZ, legal commentaries to it. Compliance with the norms of law No. 152-FZ taking into account the relevant amendments-the most important condition for the correct functioning of appropriate information services.