FZ 242 on the protection of personal data. Federal Law 242 (Federal Law on Personal Data): changes and comments

In Russia, a separate law, Federal Law No. 152, sets out how organizations and individuals are required to carry out operations with personal data. The legislator periodically amends this act. In particular, on September 1, 2015, the norms of Federal Law No. 242 came into force, introducing a number of fundamentally new norms into Federal Law No. 152. What are they? Who is obliged to comply with the relevant provisions of the law?

What is the Federal Law on Personal Data?

Special attention must be paid to this fundamental point: Law No. 242-FZ, which entered into force on September 1, 2015, is a normative act that amended another fundamental source of law - Federal Law No. 152, adopted in July 2006. Thus, the wording contained in Law No. 242 should be considered solely in the context of those norms contained in Federal Law No. 152.

The fundamental legal act, Federal Law No. 152, established in the legislation of the Russian Federation such legal categories as:

- personal data;

- the operator of the relevant information;

- processing of personal data.

The first legal category covers any information that directly or indirectly relates to an individual. It can be, for example, a full name, personal details or contact information.

The second legal category is a state or municipal authority, an organization or an individual that, independently or together with other entities, carries out data processing and determines the composition of the data and the operations performed on it.

The third legal category covers any operation, or sequence of operations, performed on personal data with or without the use of automation tools.

The basic operations with personal data defined by Law No. 152 are collection, recording, storage, correction, use, transfer, blocking and deletion. At the time of adoption, these legal categories could be considered quite new for the legal system of the Russian Federation. Before that, the circulation of personal data was regulated by Russian legislation rather superficially.

Novelty of the Federal Law № 152

The law on personal data adopted in the Russian Federation was therefore designed to bring the domestic legal system closer to world standards for ensuring the confidentiality of information exchange, first of all information presented in electronic form and used in online communications. But Federal Law No. 152 equally created a legal environment for protecting various offline data.

In accordance with this regulatory act, several classes of personal data were identified that required the use of certain protection algorithms. In addition, Federal Law No. 152 established norms under which various data could be handled in specialized information systems - those that required particularly highly qualified administrators, as well as licenses for carrying out operations with personal data.

Although Federal Law No. 152 was issued in 2006, in practice its main provisions became mandatory for personal data operators only from July 1, 2011. Since then, as noted above, the law has been amended periodically, including through the amendments that the federal authorities approved in Law 242-FZ. Let's consider its features in more detail.

Features of the application of the legal act

Federal Law 242-FZ "On Personal Data" (more specifically, "On Amendments to the Acts Regarding Specification of Data Processing") established the provision that operators are obliged to process and store information only on servers located on the territory of Russia or, in the case of offline personal data, to place it in databases located in the Russian Federation. Note that Law 242-FZ contains a number of exceptions to this rule, which, in turn, are reflected in the provisions of Federal Law No. 152.

Another nuance is that through this law the legislator amended not only the main legal act regulating operations with personal data but also other sources, namely Law 149 "On Information" and Law 249 ("On the Protection of Legal Entities and Individual Entrepreneurs under State and Municipal Control").

The Russian media widely reported that Roskomnadzor, the agency responsible for ensuring that data operators comply with FZ-242 "On the Protection of Personal Data," would in 2016 inspect the largest suppliers of IT solutions operating in the Russian Federation. In particular, it was said that Roskomnadzor aimed to find out whether the requirements of the law were being met by such brands as Microsoft, Vkontakte, HeadHunter and LaModa. The department was expected to perform about 1 thousand different checks.

The changes to the basic law on personal data that the federal authorities initiated by publishing Federal Law No. 242-FZ could require major operators to make significant hardware and software updates. The brands have to solve this task, because if the infrastructure they use does not comply with the requirements of the law, Roskomnadzor may impose a fine on the company.

Users of various IT solutions are expected to play a significant role in auditing. If they begin to suspect that their data is not completely secure, they can report the service that handles the data directly to Roskomnadzor, which, in turn, will have to initiate a check of the service for compliance with Law 242-FZ.

It is useful to consider the scope of the law under consideration.

Law No. 242: the scope of the source of law

The main point of discussion here is whether the jurisdiction of FZ-242 "On the protection of personal data" extends to foreign firms that provide services to Russian users but are located outside the Russian Federation both from a legal point of view and in terms of the infrastructure involved.

The legislator did not include in the law separate provisions that would unambiguously determine the geography of its operation. Therefore, to answer the question, it is necessary to turn to other legal acts.

Under the law on information in force in the Russian Federation, the use of communication infrastructure on the territory of Russia must comply with the norms of Russian legislation. Following this rule, one can conclude that Federal Law No. 242-FZ applies only to those services that unambiguously use infrastructure located in Russia.

The definition of the operator of personal data in Russia

The most important criterion for determining whether the law applies is the focus of the activity of the brand that owns a given service. If a site primarily serves Russian users, it should be considered subject to regulation under Law No. 242. That a service is aimed at obtaining personal data of Russian citizens can be established on the basis that:

- the site's address uses the domain .ru, .su, .рф or, for example, .moscow;

- the content of the site is in Russian;

- the pages of the portal make it possible to enter into legal relations with the service using contract forms drawn up in accordance with the Civil Code of the Russian Federation.

In practice, data operators that fall under the jurisdiction of Federal Law No. 242 can be a variety of structures - for example, personnel departments of enterprises, banks and call centers. All of them are obliged to ensure that their activities comply with the requirements of the law in question.

Law No. 242 and retroactive effect

Law No. 242-FZ amending Federal Law No. 152 was issued later than Federal Law No. 152 itself and the previous amendments to it, but it made further interpretation of the provisions of the main legal act necessary. In particular, lawyers discussed whether Law No. 242 should be regarded as having retroactive effect.

The most popular view is that, to assess the legal effect of the act in question, one must apply the general legal principle that laws which worsen the situation of certain persons or establish additional duties for them should not be applied retroactively.

Exceptions can be made for legal acts in which the principle of retroactivity is fixed directly. Law 242-FZ does not contain such provisions. Therefore, only those participants in legal relationships that begin to process personal data after the act has entered into legal force, that is, from September 1, 2015, are required to comply with it.

The essence of data collection

Another debatable point is the definition of the concept of "data collection" based on the wording of the act. Where does the difficulty of interpretation lie? Under the provisions of Federal Law No. 152 as amended by Federal Law No. 242-FZ, operators are required to ensure the localization of files precisely in the process of collecting the relevant information. The essence of this procedure, however, is not clearly defined in the law, which does not help its provisions to be implemented effectively in a number of contexts.

Among experts, the widespread view is that "collection" can legitimately be understood as the process in which the data operator receives data directly from a subject or from authorized third parties. It follows that only personal data the operator acquired through purposeful work to collect it must be localized under the rules of Federal Law 242. If, for example, the operator received the data accidentally, such as in a letter sent by e-mail, then it does not have to be localized as prescribed by Law 242-FZ. Similarly, it is wrong to treat as data collection the receipt by one firm from another of telephone numbers and other contact details of company representatives.

Placement of data abroad under Act No. 242

The next important nuance of law enforcement practice under Law No. 242 is whether operators may place data abroad where necessary, for example, to back up the relevant information on servers leased from foreign suppliers. On the one hand, according to Law No. 242-FZ, personal data should be placed on servers located on the territory of Russia. On the other hand, there can be an objective need to deploy it on foreign resources.

As lawyers note, cross-border data transfer without violating the legislation is, in principle, possible. On which provisions of the legislation is this position based?

When a cross-border transfer is legal

The point is that the law on the localization of personal data, 242-FZ, does not amend the legal acts regulating the cross-border transfer of files containing individualized information about citizens of the Russian Federation and other subjects protected by Law No. 152-FZ. Therefore, this procedure is legal, just as it was before the amendments under consideration were adopted.

But we note once again: cross-border data transfer can be carried out only for the purpose of backing up the corresponding files. Their originals must therefore be placed on servers in the Russian Federation. At the same time, the data operator itself is responsible for unauthorized use of the files on foreign servers by any persons. In addition, the operator is likely to have to align its information systems with the requirements of the law of the state in whose territory the servers are located.

Sanctions for violations of law No. 242

So, we have studied what the legislator introduced by issuing Law 242-FZ amending Federal Law No. 152. It is also useful to consider what sanctions data operators may face for violating the provisions of this law.

First, an administrative penalty may be imposed on a company that is required to comply with Law No. 242. The fine is 500-1000 rubles for officials and 10 times larger amounts for legal entities. This penalty is set by Art. 13.11 of the Administrative Code of the Russian Federation.

Secondly, the data operator may be entered in the register of infringers. This is an automated database that includes the domain names and page addresses of sites where personal data is processed with violations. Note that an operator is included in the registry on the basis of a court decision. The operator is excluded from it after that decision is cancelled or after the company eliminates the violations of the law in question.

Thirdly, access to a site on which personal data is processed improperly can be restricted. This procedure is carried out after the subject of personal data sends Roskomnadzor an application requesting measures to block the resource.

In addition, this application must be accompanied by a judicial act that has entered into force. After that, Roskomnadzor sends information about the site owner's violations of Law No. 242 to the hosting provider, and if the owner of the resource does not eliminate the violation, the site is blocked.

The procedure for imposing sanctions on violators of the act in question largely depends on law enforcement practice. It makes sense for operators of personal data to study it regularly, along with, for example, analytical studies of the provisions of Law No. 242-FZ and lawyers' comments on it. Compliance with the norms of Federal Law No. 152, taking into account the current amendments to it, is the most important condition for the correct functioning of the relevant information services.

Copyright © 2018 en.unansea.com.