Protection of personal data and other confidential information

Pepeliaev Group lawyers from the firm’s practice groups dedicated to the legal protection of information and the administrative law defence of business have published ratings of the main events of 2011-2012 in the area of the legal protection of information. The ratings focus on events that have had the greatest resonance in the business environment as well as commenting on the results of compliance checks carried out by regulator Roscomnadzor in relation to personal data protection legislation in 2011.

The ratings are based on an analysis of legislation and the requests of Pepeliaev Group’s clients.

1st place – the passing of the new text of the Law On personal data (as amended by Federal Law No. 261-FZ dated 25 July 2011). The new version of the Law has made requirements on companies that are personal data operators more flexible and less prohibitive. In particular, the list has been expended of instances when consent need not be obtained from data subjects to their data being processed.

2nd place – the passing of the Law On a national payment system, which establishes, among other things, that obligations to ensure the protection of information in a payment system are imposed on operators transferring funds, bank payment agents, payment system operators and payment infrastructure services operators.

3rd place – the entry into force of the new Law On licensing particular types of activity and the new Regulations on licensing that establish that activity involving the technical protection of confidential information requires a licence irrespective of whether or not the activity is undertaken to safeguard a party’s own needs.

4th place – the entry into force of the new Law On counteracting the unlawful use of insider information and the manipulation of the market, and on amending specific items of Russian legislation. The Law is aimed at making the Russian stock market more transparent and less subject to manipulation. This should help the Russian stock market to become more attractive to investors, including foreign ones.

5th place – the passing of the Law On electronic signatures, which, as of 1 July 2012, fully replaces the old Law On electronic digital signatures. All relationships that involve the use of electronic signatures will be governed solely by the new law.

“The quick development of information technologies, the expansion of the information space, the growing competition on markets where information is the main asset – all of this means that we can talk about the protection of information as a new and important area of business activity,” asserts Andrey Slepov, head of the legal protection of information at Pepeliaev Group.

Almost all businesses – shops, hotels, telecom operators, transport companies, bankers, insurers and many others – work with the personal information of clients. In Russia, there are already more than 240,000 registered personal data operators, a number that is constantly growing. The numbers of inspections and violations in this area are also on the rise.

“Statistics show that, because business is unprepared for amendments in legislation concerning personal data protection, almost every inspection reveals violations,” says Elena Ovcharova, head of administrative law defence of business at Pepeliaev Group.

Further to an analysis of the practice that has evolved in the area of control (supervision) over compliance with the requirements of legislation in the area of personal data, it may be concluded that the most frequent violations of operators are unchanged from 2008 to 2012:

• a failure to send to the local branch of Roscomnadzor, by the appointed deadline, information or a notice regarding personal data processing;
• an operator’s failure to present, or its late presentation of, information requested by Roscomnadzor (such as to examine an individual’s complaint to the regulator or during an inspection);
• the failure of information set out in a notice regarding personal data processing to correspond to the operator’s actual activity;
• the failure to implement, within the time stipulated, an order of a local division of Roscomnadzor to eliminate violations;
• the processing of personal data by a personal data operator without the data subject’s consent, or the failure of the content of the subject’s consent to their data being processed to correspond to the requirements of the Law On personal data;
• the failure of an operator to take steps to preserve the security of personal data and to safeguard it from unauthorised access;
• the violation of confidentiality requirements;
• the superfluous nature of the processing of personal data in terms of the purposes of processing; the processing of personal data for longer than the specific purposes require etc.

The assessment of the administrative defence of business group is that personal data operators are currently committing a large number of violations of Russian law in the personal data sector. As a result, it should be expected that the regulator Roscomnadzor “will monitor, on a permanent basis, the activity of Operators, with such monitoring aiming to prevent, identify and clamp down on violations in the area of personal data”. “But in the near future, we believe it is possible that there will be a differentiation of the components of administrative offences in the area of personal data,” states Elena Ovcharova.