The rules change during the game.
The law, in particular, provides that regulatory legal acts on certain issues of personal data processing can be adopted not only by state bodies, as is currently established, but also by local governments, as well as the Bank of Russia. Such acts are adopted pursuant to federal laws and within the powers of the said bodies and the Bank of Russia.
The most important changes affected Article 18, in particular the introduction of Article 18.1, “Measures aimed at ensuring the fulfillment by the operator of the obligations stipulated by this law.” Many requirements for ensuring the security of personal data have now reached the federal level, whereas under the previous law the requirements were established by acts of the Government of the Russian Federation and regulators. These can include the requirement for organizational and technical measures to ensure the security of personal data, and the familiarization of the operator's employees with the provisions of the Russian Federation legislation on personal data.
The new law is eclectic in its approaches to legal regulation: for example, paragraph 5 of part 1 of Article 18.1 introduces a new rule, “assessment of harm that may be caused to personal data subjects in the event of a violation of this Federal Law…”. A similar regulatory principle is currently in effect abroad and can be seen in international legislation. It should be noted that abroad this is expressed in a liberal and democratic approach, while the new Law (as a continuation of the old one) implies a different concept, which is expressed in Article 19 of the Law, “Measures to ensure the security of personal data during their processing”. This article lists the security requirements that must be met by operators. The concept of a “level of protection” of personal data is introduced. Operators must carry out internal control or audit of the compliance of personal data processing with federal legislation and the requirements for its protection, as well as assess the harm that may be caused to personal data subjects in the event of a violation of these requirements.
The changes affected not only the operators, but also the legal status of the subjects. For example, Article 14 of the Law supplements the list of restrictions under which the right of the subject of personal data to access their personal data is limited. According to Article 9 of the Law, consent to the processing of personal data may be given by the subject or their representative in any form confirming the fact of its receipt. Under paragraph 6 of the same article, in the event of the incapacity of the subject of personal data, consent to the processing is given by their legal representative.
The legal regime governing the activities of persons to whom operators entrust the processing of personal data is described in detail, that is, those who process the data if the company does not have its own resources for this.
So, the new Law has slightly changed the legal status of personal data operators. Many norms have been “moved” from by-laws that describe the rights and obligations of operators in more detail, while slightly improving their position, but not fundamentally changing it.
Most likely, the story with the amendments is just beginning. Next in line are by-laws of the Government of the Russian Federation, as well as departmental documents of regulators, which must be brought into line with the new law.
The InfoTechnoProject Company invites all specialists in working with personal data, regardless of the company's field of activity, to the seminar “The Old New Federal Law ‘On Personal Data’” (http://seminar-itp.ru/), which will be held on August 9, 2011. By attending it, you will be able to get answers to all questions regarding the organization of work with personal data, in accordance with the amendments made to Federal Law No. 152-FZ “On Personal Data”.
Press service of «InfoTechnoProject»