
“The Security Council of Russia, at a meeting on October 26, 2017, instructed the Ministry of Communications and the Ministry of Foreign Affairs of Russia to initiate, before August 1, 2018, a discussion within the framework of BRICS (Brazil, Russia, India, China and South Africa) of the creation of a common system of domain name servers (DNS), independent of the control of [international organizations] ICANN, IANA and VeriSign, and capable of servicing the requests of users of the listed countries in case of failures or targeted impacts.”
In the light of these events, we would like to consider how consistent the legislation of the BRICS member countries is on data protection. The following discussion focuses on the protection of personal data: which laws the protection is based on and what its main shortcomings are.
A brief excursion into the basics.
BRICS is a group of five countries: Brazil, Russia, India, China, and the Republic of South Africa.
On July 9, 2015, at the VII BRICS Summit, held in Ufa, the Ufa Declaration was adopted. The declaration is voluminous and concerns many globally relevant issues, but we will touch on only one point, which declares the attitude toward information and communication technologies. Paragraph 33 of the Ufa Declaration notes:
- the need to strengthen cooperation in ICT, including the Internet
- the decision to establish, within the framework of BRICS, a working group on cooperation in the field of ICT
- the need to form a system that ensures the confidentiality and protection of users' personal information
“We reiterate the inadmissibility of using ICT and the Internet to violate human rights and fundamental freedoms, including the right to privacy, and reaffirm that the rights enjoyed by people outside the Internet should also be protected in it.”
The full text of the declaration can be found at the link.

The main points of personal data protection in the BRICS countries
PD protection in the Russian Federation
Today, among the BRICS countries, the Russian Federation has advanced the furthest in this regard. We note the main steps that have been taken on the issue of PD protection.
Legislation in the field of PD protection has been formed, which includes:
- norms of the Constitution (Art. 23, 24);
- a special law: Federal Law of the Russian Federation of July 27, 2006 No. 152-FZ “On Personal Data”;
- norms of sectoral laws;
- regulations.
In addition, a special authorized body has been created, whose activities provide for:
- effective functioning of a centralized system of control and supervision over compliance with the requirements of the legislation;
- consideration of appeals of subjects of personal data;
- maintaining the register of PD operators;
- information work with citizens and operators of PD.
It should also be noted that a uniform practice of law enforcement is gradually being formed. At present, a PD protection system that meets international standards exists and operates in Russia.
If the processing of personal data under the regulatory legal acts of the Russian Federation is not sufficiently clear to you and you would like a more complete understanding of the legislation, we recommend that you read our White Paper on the Federal Law No. 152.
PD Protection in China
Everything is complicated here. There is no special general law on the protection of PD. However, let's look at the main points.
The Constitution of the PRC guarantees the protection of the dignity of the person and the secrecy of correspondence. Provisions on the protection of PD are contained in separate legal acts, which we will now briefly review.
On November 5, 2012, the Guidelines for the Protection of Personal Information in the Information System for the Provision of Public and Commercial Services were adopted, in which the following definition was given:
Personal data - any information about a particular individual which, alone or in combination with other information, allows that individual to be identified.
The Guidelines establish the obligation of the PD operator to obtain the consent of the PD subject for processing and to notify the subject of the processing purpose, storage period, measures for the protection of PD and so on.
As for the localization of PD, it is addressed in Article 5.4.5:
In the absence of a clearly expressed consent of the PD subject, normative permission or consent of the authorized bodies, the PD operator should not transfer the PD to any person abroad, including any individuals residing abroad, or any organizations and companies that are registered abroad.
Personal data is also mentioned in the consumer protection law adopted on October 25, 2013:
Article 29. When collecting and using personal data of individuals, entrepreneurs must follow the principles of legality, reasonableness and necessity, explicitly inform about the purpose, methods and limits of collecting and using information and obtain the consent of the consumer.
Business entities are required to take technical and other necessary measures to ensure the security of information and prevent disclosure or leakage of consumers' PD.
Non-compliance with the norms of the law is punishable by a serious administrative fine.
In addition, there are a number of regulatory acts that in one way or another affect the protection of PD subjects.
- The PRC Law on Tort Liability, 2009, which protects the right to privacy and, in particular, provides for the responsibility of a medical institution for the distribution of PD without the consent of the PD subject
- “Decision on enhancing the protection of information on the Internet”, adopted by the Parliament of the PRC on 28.12.2012
- “Regulations on telecommunications and protection of personal information of Internet users”, adopted on July 19, 2013
- the “Measures of Responsibility for Violations of Consumer Rights and Interests”, developed and adopted by the State Administration of Industry and Commerce of China (SAIC), which entered into force on March 15, 2015.
The latter act is of particular interest for its definition of personal data in the context of consumer protection. According to the Measures, the following data constitute consumer PD:
- name;
- sex;
- profession;
- date of birth;
- passport ID;
- address;
- contact information;
- information about income and property;
- health information;
- consumer habits.
On June 1, 2017, the Cybersecurity Law came into force. The Cybersecurity Law is the first consolidated law governing virtually all problems in this area in China. In particular, it of course applies to PD.
The storage of personal data and other important data should be carried out exclusively in the territory of the PRC (Article 37).
The Cybersecurity Law confirms the obligations of network operators in relation to the protection of personal information, which are defined by existing legislation and regulatory requirements, including monitoring compliance with the principles of legality, necessity and appropriateness in the collection and use of personal data and with the use of personal data only for the purposes for which the person concerned has given consent (Article 41), taking measures to protect the security of personal data (Article 42), and protecting the individual's right to evaluate and correct personal information (Article 43).
In addition, the Cybersecurity Law also includes some new rules on the protection of personal data, including the requirements for notifying data breaches (Article 42), anonymization of data as an exception to the requirements for informing and obtaining consent (Article 42), as well as the right of an individual to demand that network operators amend or delete his personal data if information about him is erroneous or used for purposes not agreed with him (Article 43).
The main problems of PD protection in China include the following:
- the absence of an authorized body for the protection of PD;
- the lack of a single special law on PD;
- the lack of a single conceptual apparatus (admittedly, things are not entirely smooth for us in this respect either);
- the basic rules for the protection of PD are contained in regulations that are advisory in nature (for example, the Guidelines);
- the lack of notification about the processing of PD and the registry of operators engaged in processing PD.
PD Protection in Brazil
Brazil’s constitution protects human dignity, privacy and correspondence. As in China, there is no general law on the protection of PD and the provisions on the protection of PD are contained in separate regulatory acts.
The Brazilian law “On the Internet” (Marco Civil da Internet) dated 04.23.2014:
- Establishes the general principles of Internet use, the rights and guarantees of users, the obligations of providers and the rules for providing services on the Internet.
- The law contains a large number of rules relating to the protection of privacy and personal data.
- To process PD on the Internet, you must obtain the free and informed consent of the user.
- PD processing is allowed only for a specific purpose, which is specified in the user agreement or in the rules for the use of Internet services.
As for the localization of PD: initially, the draft law contained requirements for the storage of PD of Brazilian citizens on the territory of the state. In subsequent editions, the provision was deleted, but the President’s right to issue decrees on this issue was introduced. The final version of the law as adopted does not raise the issue of data localization. The exclusion of this requirement from the law was the result of lobbying by international corporations and the United States.
Of particular interest is how the Law resolves the issue of jurisdiction (Article 11). The general rule is:
Internet providers and Internet application providers are obliged to comply with Brazilian legislation, including on the protection of PD, if at least one of the actions for collecting, storing or processing PD takes place within the state territory of Brazil.
But there are additional conditions:
- The general rule applies to PD collected in Brazil and to the content of communications if at least one of the terminals is located in Brazil.
- The general rule applies even when such activity is carried out by a foreign legal entity, provided that:
a) a foreign legal entity provides services to an unlimited number of persons in Brazil;
or
b) at least one of the persons belonging to the group of foreign companies was established in Brazil.
The main problems of PD protection in Brazil:
- the absence of an authorized body for the protection of PD;
- the lack of a single special law on PD;
- lack of a uniform definition of personal data;
- lack of definition of special categories of PD (sensitive personal data);
- lack of PD protection in certain industries and areas, with the exception of the Internet;
- lack of notification about the processing of PD and the Registry of operators engaged in the processing of PD.
PD Protection in India
Article 21 of the Indian Constitution guarantees everyone the right to life and personal freedom.
There is no special general law on PD protection in India.
The Information Technology Act, 2000 contains a special article on the protection of special categories of personal data (Art. 43A). The PD operator is obliged to apply the necessary measures to protect the PD and is responsible for the damage caused by data leakage.
There are “Rules on the practice and procedure for ensuring the security of specific categories of personal data and information”, adopted in 2011. According to them:
Personal data - any information that relates to an individual and which, in combination with other information at the disposal of the operator of personal data, can identify the individual.
Special categories of PD are (clause 3 of the Rules):
- passwords;
- financial information (including bank account and credit card details);
- health data;
- sexual orientation;
- biometric data.
Localization of special categories of PD. According to rule 7, a cross-border transfer of the PD of Indian citizens can only be allowed when it is necessary to fulfill the contract between a legal entity and the PD subject, or when the PD subject has given consent to the transfer of data.
Rules for the protection of confidentiality and personal data are contained in a number of industry laws in India, including insurance and banking legislation.
The main problems of PD protection in India:
- the absence of an authorized body for the protection of PD;
- the lack of a single special law on PD;
- lack of notification about the processing of PD and the Registry of operators engaged in the processing of PD.
Conclusions
In contrast to the Russian Federation, both legislation and practice for the protection of PD in the other BRICS countries are lagging behind. At the same time, in recent years the following have been observed in all the BRICS countries:
- interest in the development of a PD protection system in connection with the new information threats of the digital age
- adoption of new regulations
- establishment, or plans for the establishment, of a special authorized body for the protection of PD subjects
- striving to introduce best practices and international principles and standards
We hope that Russia will further improve its system of legislation, introducing best practices and avoiding unnecessary restrictive measures.