In Russia there is a separate law, Federal Law No. 152, under which various organizations and individuals are required to carry out operations with personal data. The legislator periodically amends this legal act. In particular, on September 1, 2015, the norms of Federal Law No. 242 entered into force, and with its publication a number of fundamentally new norms appeared in Federal Law No. 152. What are they? Who is obliged to comply with the relevant provisions of the law?
One principal point should be emphasized: Law 242-FZ, which came into force on September 1, 2015, is a normative act that amended another fundamental source of law, Federal Law No. 152, adopted in July 2006. Thus, the wording contained in Law No. 242 should be considered solely in the context of the norms contained in Federal Law No. 152.
The fundamental legal act, Federal Law No. 152, established in the legislation of the Russian Federation such legal categories as:
- personal information;
- the operator of the relevant information;
- processing of personal data.
By the first legal category the legislator means any information that directly or indirectly relates to an individual. This can be, for example, their full name, personal details, or contact information.
By the second legal category the law means a state or municipal government body, an organization or an individual that, independently or in interaction with other entities, carries out data processing and also determines the composition of the data and the operations performed with it.
By the third legal category the legislator means any operation, or sequence of operations, performed on personal data, with or without the use of automation tools.
Basic operations with personal data defined by Law No. 152: collection, recording, storage, adjustment, use, transfer, blocking, removal. At the time of adoption these legal categories could, in principle, be considered quite new for the legal system of the Russian Federation. Before that, the circulation of personal data was regulated by Russian legislation rather superficially.
The law on personal data adopted in the Russian Federation was thus intended to bring the domestic legal system closer to world standards for ensuring the confidentiality of information exchange, first of all information presented in electronic form and used in online communications. But Federal Law No. 152 equally created a legal environment for protecting various offline data.
In accordance with this normative legal act, several classes of personal data were identified that required the use of certain protection algorithms. In addition, Federal Law No. 152 established norms under which the circulation of various data could be carried out in specialized information systems, namely those that required particularly highly qualified administrators as well as licenses for carrying out operations with personal data.
Although Federal Law No. 152 was issued in 2006, in practice its main provisions became mandatory for personal data operators only from July 1, 2011. Since then, as noted above, amendments have periodically been made to this source of law, in particular those approved by the federal authorities through Law 242-FZ. Let's consider its features in more detail.
Federal Law 242-FZ "On Personal Data" (more precisely, "On Amendments to the Acts Regarding Specification of Data Processing") established a provision according to which operators are obliged to process and store information only on servers located on the territory of Russia or, in the case of offline personal data, to place it in databases located in the Russian Federation. Note that Law 242-FZ contains a number of exceptions to this rule, which are in turn reflected in the provisions of Federal Law No. 152.
Another nuance of the law is that through it the legislator amended not only the main legal act regulating operations with personal data but also other sources, namely Laws 149 ("On Information") and 249 ("On the Protection of Legal Entities and Individual Entrepreneurs under State and Municipal Control").
Russian media actively circulated reports that Roskomnadzor, the agency responsible for ensuring that data operators comply with the provisions of FZ-242 "On the protection of personal data," would in 2016 conduct inspections of the largest suppliers of IT solutions operating in the Russian Federation. In particular, it was said that Roskomnadzor's aim was to find out whether the requirements of the law under consideration are fulfilled by such brands as Microsoft, Vkontakte, HeadHunter, LaModa. It was assumed that the agency would perform about 1 thousand different checks.
The changes to the basic law on personal data that the federal authorities initiated by issuing Federal Law No. 242-FZ could oblige major operators to carry out a significant upgrade of hardware and software. But the brands have to solve this task: if the infrastructure they use does not comply with the requirements of the law in question, Roskomnadzor may impose a fine on the company.
Users of various IT solutions are expected to play a significant role in the inspections. If they begin to suspect that their data is not completely secure, they can pass information about the service that handles the relevant data directly to Roskomnadzor, which in turn will have to initiate a check of the service for compliance with the provisions of Law 242-FZ.
It will be useful to consider the scope of the source of law under consideration.
The main point of discussion here is whether the jurisdiction of FZ-242 "On the Protection of Personal Data" extends to foreign firms that, on the one hand, provide services to Russian users and, on the other hand, are located outside the Russian Federation both legally and in terms of the infrastructure involved.
The legislator did not approve separate provisions in the law in question that would unambiguously determine the geography of its operation. Therefore, to answer this question it is necessary to turn to other legal acts.
Under the law on information in force in the Russian Federation, various types of communication infrastructure must be used in Russia in accordance with the norms approved in the legislation of the Russian Federation. Following this rule, one can conclude that Federal Law No. 242-FZ extends only to those services that unambiguously use infrastructure located in Russia.
The most important criterion for determining the jurisdiction of the source of law under consideration is the focus of the brand that owns a particular service. If a particular site primarily serves Russian users, it should be considered an object of regulation under the provisions of Law No. 242. That a service is aimed at obtaining the personal data of Russian citizens can be established on the basis that:
- the site's address uses the domain .ru, .su, .рф or, for example, .moscow;
- the content of the site is in Russian;
- the pages of the portal make it possible to enter into legal relations with the service using contract forms drawn up in accordance with the Civil Code of the Russian Federation.
In practice, the data operators that fall under the jurisdiction of Federal Law No. 242 can be a variety of structures, for example personnel services of enterprises, banks, call centers. All of them are obliged to ensure that their activities comply with the requirements of the law in question.
Law No. 242-FZ on Amendments to Federal Law No. 152 was issued later than Federal Law No. 152 itself and the previous amendments to it, yet it necessitated additional interpretation of the provisions of the main legal act. In particular, lawyers discussed whether Law No. 242 should be regarded as having retroactive effect.
The most popular point of view is that, in assessing the legal effect of the act under consideration, the general legal principles should be applied, according to which laws that worsen the situation of certain persons or establish additional duties for them should not be applied retroactively.
Exceptions may be acts in which the principle of retroactivity is fixed directly. Law 242-FZ does not contain such provisions. Therefore, only those participants in legal relations who begin to process personal data after the relevant legal act has entered into legal force, that is, from September 1, 2015, are required to comply with it.
Another debatable point concerning the legal act under consideration is the definition of the concept of "data collection" based on the wording present in it. What makes the interpretation difficult? Under the provisions of Federal Law No. 152 as amended by Federal Law No. 242-FZ, operators are required to ensure the localization of files in the process of collecting the relevant information. The essence of this procedure, however, is not clearly defined in the law, which does not contribute to the effective implementation of its provisions in a number of contexts.
Among experts there is a point of view that "collection" is properly understood as the process in which the data operator receives the data directly from some entity or from authorized third parties. It follows that only those personal data that the operator acquired through purposeful work to collect them must be localized in accordance with the rules of Federal Law 242. If, for example, the operator received them accidentally, say in the form of an e-mail, then it is not necessary to localize them as prescribed by Law 242-FZ. Similarly, it is wrong to regard as data collection the receipt of data by one firm from another if the data are telephone numbers and other contact details of company representatives.
The next most important nuance of law enforcement practice in implementing the provisions of Law No. 242 is the possibility for operators to place data abroad where necessary, for example when backing up relevant information on servers leased from foreign suppliers. On the one hand, according to Law No. 242-FZ, personal data should be placed on servers located on the territory of Russia. On the other hand, there can be an objective need to place them on foreign resources.
As lawyers note, cross-border transfer of data without violating the provisions of the regulatory legislation is, in principle, possible. On which provisions of the legislation can this position be considered legitimate?
The fact is that the law on the localization of personal data, 242-FZ, does not include provisions amending the legal acts that regulate the cross-border transfer of files containing individualized information about citizens of the Russian Federation and other entities protected by Law No. 152-FZ. Therefore, this procedure is legal, just as it was before the amendments to the law under consideration were adopted.
But note once again: cross-border data transmission can only be done for the purpose of backing up the relevant files. Their originals, therefore, must be placed on servers in the Russian Federation. At the same time, the data operator is itself responsible for unauthorized use of files on foreign servers by individuals. In addition, it is likely to have to align its information systems with the requirements established by the law of the state on whose territory the servers are located.
So, we have studied what the legislator introduced into Federal Law No. 152 by issuing Law 242-FZ. It will also be useful to consider what sanctions can be imposed on data operators who violate the provisions of the relevant source of law.
First, an administrative fine may be imposed on a company that is required to fulfil the requirements of Law No. 242. Its value is 500-1000 rubles for officials and 10 times larger amounts for legal entities. This penalty is set by Art. 13.11 of the Administrative Code of the Russian Federation.
Secondly, a sanction such as entering the data operator in the register of violators can be applied. The register is an automated database that includes the domain names and page addresses of sites where personal data is processed with violations. Note that the operator is included in the register on the basis of a court decision. The operator is removed from it after that decision is cancelled or after the company eliminates its violations of the law in question.
Thirdly, access to a site on which personal data is processed improperly may be restricted. This procedure is carried out after the subject of personal data sends Roskomnadzor an application on the need to take measures to block the corresponding resource.
In addition, this document must be accompanied by a judicial act that has entered into force. After that, Roskomnadzor sends information about the site owner's violations of Law No. 242 to the hosting provider, and if the owner of the resource does not eliminate the violation, the site is blocked.
The procedure for applying sanctions to violators of the provisions of the legal act in question largely depends on law enforcement practice. It makes sense for personal data operators to study it regularly, along with, for example, various analytical studies of the provisions of Law No. 242-FZ and lawyers' comments on it. Complying with the norms of Federal Law No. 152, taking into account the current amendments to it, is the most important condition for the correct functioning of the relevant information services.