Подписаться на новости Версия для печати

Legal Issues in Personal Data Protection on the Russian Internet

Legal Issues in Personal Data Protection on the Russian Internet


© 2003, Victor Naumov

Translation: Joseph G. Bayerl

Citizen's information rights constitute a complex legal institution, which draws on a variety of sources. Despite its declarations of citizens' rights, direct mechanisms for their enforcement are lacking; no expository treatment of citizens' rights in the various spheres of public life has been produced; and the specific obligations of government agencies, organizations and citizens in respecting these rights have not been defined. So, for the time being, given the Russian Federation's lack of a tradition of protection for citizens' information rights and the lack of court experience with related matters, we are left to depend on the conscientiousness of parties to the information relationships that arise from the use of information and communication technologies and the Internet; and on their understanding of the fairly fragmentary Russian legislation.

All information resources, whether owned by natural persons, legal entities or government agencies, create the potential for infringement on the information rights of the persons who use them, especially through the collection of information about users. Who has the organizational and technical opportunity to collect information about users and their computers? The list includes resource owners, e-mail recipients, Internet providers who control users' access to the net and maintain information about them, third persons with the widest range of motives, up to and including criminal intentions, and other parties.

In analyzing the legal issues in protecting citizens' rights, we shall assume that the user is connected to the Internet, and that there is a potential to collect the following information, whether comprehensively or in part.

1. The IP address of a computer that is connected to the Internet, and information about the Internet provider and services rendered to the user.

2. The user's e-mail address.

3. Information about installed software and computer configuration.

4. Information obtained through the use of cookies, indicating the users' access to web sites, and their activities on those sites, including all sorts of information on logins and passwords required for access to resources and services.

5. Personal data entered by the user while using various Internet sites and resources.

6. User information that the provider maintains incident to rendering telecommunications services, including passwords and logins for access to the provider's information systems.

In regard to the topic of this analysis, Articles 23 and 24 of the Constitution of the Russian Federation contain a well-known set of tenets on information. These guarantee the right to the inviolability of private life, and the privacy of written communication, telephone conversation, mail, telegraphic transmissions and other forms of communication. The articles also state that collection, maintenance, use and dissemination of personal data are prohibited without the subject's consent. These provisions ought to consolidate the content and modalities of information handling on the Internet. At the same time, another constitutional provision (Para. 4, Article 29 of the RF Constitution) proclaims the rights to freely seek, transfer, and generate information, but affords these rights to parties to information relations only so long as they observe the same legitimate interests and rights with respect to other parties. To this end, the Constitution states that these rights are guaranteed only to the extent that they are pursued "by any legal means"  [1]. The aforementioned guarantees of citizens' information rights are elaborated in Russian legislative acts that regulate relations in the field of informatization (information legislation)  [2].

Federal Act No. 24-FZ "On Information, Informatization and the Protection of Information," of 20 February 1995 (hereafter referred to as the Information Act) introduces the institution of personal data. This concept is defined in Article 2 of the Information Act, as follows:

"Information about citizens (personal data) is information about facts, events and circumstances in the life of a citizen which establish his or her identity."

The Federal Information Act assigns personal data to the category of confidential information [3], which is treated, in turn, under the heading of limited access information (Art. 10 and 11 of the Information Act). The basic standards for the protection of citizens' information rights are contained in Para 1, Art. 11 of the Information Act:

"The collection, maintenance, use and dissemination of information concerning private life, as well as information violating an individual's right to personal privacy, family privacy, and the privacy of written communication, telephone conversations, mail, telegraphic transmissions and other forms of communication are prohibited without the individual's consent, unless so authorized by court order."

It would seem that this standard is interpreted more broadly than the Act's definition of personal data. This clearly affords citizens additional guarantees, although one could find the definition itself far too narrow. By contrast, in Art. 2 of the Pilot Act "On Personal Data," which was passed in the 14th Plenary Session of the Interparliamentary Assembly of CIS States [4], there a definition of personal data which is more far-reaching than that in the Information Act.

"Personal data is information (fixed on a physical medium) concerning a specific person, who is identified, or may be identified with it. Personal data includes, biographical and identifying information, individual characteristics, family records, social status, and information on education, occupation, service, finances, state of health and so on."

Section 1, Para. 1, Article 11 of the RF Information Act contains the following provision:

"Classes of personal data to be maintained within Federal information resources, cross-jurisdictional information resources, information resources of Russian Federation subjects, information resources of local self-government bodies, as well as those received and compiled by non-governmental organizations shall be established in Federal Law."

However, given the present lack of corresponding laws, the foregoing provision creates a serious gap in the legislation pertaining to informatization [5] - which specific elements of information about citizens are considered personal?

It bears mention that a number of the Russian Federation's governmental regulations from other branches of legislation apply more concrete standards with regard to what information is considered personal. For example, Section 1, Art. 84 of the Russian Federation Tax Code [6], titled "Taxpayer Identification Number," enumerates the following elements of personal data: last name, first name, and patronymic; date and place of birth; gender; local address; information from a taxpayer's passport or other identification documents; and citizenship. In the Russian Federation Labor Code [7], which contains an entire chapter on personal data (Ch. 14), the concept of employee personal data is explained as follows:

"An employee's personal data is information about a specific employee that an employer requires incident to labor-management relations." (Sec. 1, Art. 85)

However, in the article that follows, the Code's author provides another referential provision that creates a kind of conceptual loop.

"In determining the quantity and types of personal employee data to maintain, the employer shall be governed by the Constitution of the Russian Federation, this Code and other Federal Laws." (Para. 2, Art. 86)

The same Article 86 (Para. 6) introduces an interesting provision, with regard to the use of information technologies and the Internet:

"An employer shall have no right to take a decision affecting employee interests on the basis of data received solely as a result of automated processing or through electronic means of delivery."

Accordingly, due to the lack of specific provisions that would clarify the types of information to be treated as personal data, one finds various approaches to the question of what part of the data collected and processed on the Internet is protected by law, and what part is not. It is possible to interpret this issue narrowly, proceeding from the concept of personal data as defined in the Information Act. This does add substantive criteria such as personal identification in determining whether or not to consider a certain type of information constitutes personal data. However, if one takes into account 1) the objective difficulty in distinguishing between information that positively identifies a person and that which does not do so (is only partly identifying); 2) the provisions in Part 2, Para. 1, Art. 11 of the Information Act; and 3) the constitutional principal of the inviolability of private life, one may derive the arguable presumption that, in the absence of a direct expression of consent for dissemination, all information that results from a citizen's use of information systems and resources can be considered personal data [8].

Of the types of user information under discussion here, information about IP addresses, installed software and computer configuration primarily identify the information technology being used. Without further information (such as the fact that a certain software application is registered to a certain user), it is impossible to conclude definitively that this information identifies the user. Therefore, it is impractical and, for the most part, pointless to classify this type of information as personal data. Incidentally, such a classification were made, it could lead to major (and even disastrous) changes. It would require revising a majority of the Internet's standards and information exchange protocols.

In many cases, information obtained by means of cookie technology may constitute personal data (for example, in those cases where they are used to store passwords and logins for access to information resources and services), while in many other cases it does not (as in cases where the only information stored in cookie files is the addresses of the sites the user visited).

Without a doubt, e-mail addresses [9] and identifying information that users enter directly must be held to constitute personal data. One can agree with the authors of the publication "Internet and Glasnost" that the restricted way in which electronic addresses are published arises from the need to protect personal data [10].

The user information obtained by service providers is highly significant. When a user signs a service agreement, the provider typically obtains his or her name, passport data, place of residence, and the login and password required for access to the provider's information services. In addition to this information, the provider accumulates information concerning which resources the user accesses and the access times. Clearly, all of this information constitutes personal data. Its possession makes it possible to identify the user and gather information about his or her activities on the Internet, which makes it possible, for example, to compile a detailed profile of the user's informational predilections and preferences. It follows that the existence of "indisputably" personal data within a large store of user data makes the entire store personal. Therefore, providers are obliged to take measures to protect all user information in their possession.

In this regard, there is adequate justification for the following amendment, which was included in Federal Bill No. 228044-3 "On Amendments and Addenda to the Federal Communications Act," which was passed in its first reading in the Duma on 29 November 2002:

1. Such information as communications operators may obtain incident to their official duties involving subscribers and the communications services rendered to them is confidential, and shall be secured in accordance with the laws governing its protection.

Subscriber information includes the names of individual subscribers, titles and personal data about persons employed by corporate subscribers, subscriber addresses or address where terminal equipment (or subscriber device) is installed, pseudonyms, subscriber numbers and other information which would positively identify the subscriber or his terminal equipment (or subscriber device), and information from automated accounting databases.

3. Communications operators shall have a right to use their proprietary subscriber database to provide directory services, including the production and distribution of publications by various means (in print, on magnetic media, by means of telecommunications technology, and others).

Information about subscribers (natural persons) shall not be included in published directories or used for directory services without the subscribers' written consent. (Art. 50 of the Bill)

In sum, one may conclude that the argument for classifying all collected information as personal data goes too far. Nonetheless, this information constitutes a class of information that may become personal at a certain point. In other words, the information may unimportant in itself, but should be protected by law from the moment that a basis exists for connecting it to a given natural person. This connection introduces the requirement to ban its collection, maintenance, use and dissemination without the consent of persons concerned.

How might this consent be expressed? One method is by direct response, such as in answer to questions on web sites. This method is quite often used in all manner of Internet fraud [11], in which a naive user, lulled by handsome web design and slick brands, heedlessly enters the requested information, including even credit card numbers.

The other method, which is particularly applicable to Internet technologies, is consent expressed on a constructive basis, i.e. when a user's actions support the conclusion that he has given consent for the use of his personal data. For example, if a user enters his e?mail address on the Internet during a discussion in a public forum, his action has made it possible for the discussants or anyone simply reading the forum to use the address. This example demonstrates the importance of establishing guidelines on the potential uses of published electronic mail address. One may argue that the mere publication of an electronic address does not give license to third parties, who may have scanned it from the forum's pages by means of specialized software, to use the address for purposes such as promotional messages. In the absence of a cautionary statement on the use of addresses, or an analysis of the bulletin board owner's published information use policy, one cannot speak more definitively about whether an e-mail account holder consented to use of his address for purposes apart from the goals of the discussion forum.

It should be emphasized that the presence or absence of a user's constructive consent depends on the user's level of knowledge about the software's operational modes. This level of knowledge is difficult for information resource owners, providers and third parties to determine. For example, the user elects whether to use cookie technology and to what degree. However, it may be argued that the mere presence of such a user option is inadequate grounds to infer his consent, and that the information resource and system proprietors should explicitly inform the user and/or ask his consent for the collection and use of various types of information about the user and his system configuration. To be sure, the frequency and mode of user consent requests should be reasonable and ought not to be taken to the extreme of asking permission before loading every new file. Here the essential requirement may be the conscientiousness of resource and system proprietors who give users advance notice of their information use policies.

Returning to the problem of determining the structure of personal data and the modes of its usage, a number of other pressing considerations need to be taken into account. First, when analyzing the use of personal data on the Internet and assuring the inviolability of private life, one should take software into account. There are widely distributed software applications, which do not guarantee the levels of information security that would make users aware of all the actual tasks their computers perform. As a result, situations often arise in which the existence of so-called computer "holes" make it possible for information about the user to be collected through unauthorized access to his computer system. Second, in the compilation of large data stores, consisting of various types of information (such as IP addresses and cookies), special statistical processing, and linkage to information received from other sources not directly related to the Internet imply a transition from quantity to quality. In other words, it creates of conditions, under which the individual elements in the data store do not definitively identify users, but the data, taken as a whole, does so.

On the basis of the foregoing analysis and the provisions of the Federal Information Act (chiefly Art. 12 and 14) we may make the following practical conclusion: before beginning to collect and process information, persons involved in the handling of personal data and information about users must do all they can to determine the conditions that pertain to specific information processes, as well as the mutual rights and responsibilities of the principle parties and third persons. These conditions should be expressed either in bilateral agreements (such as contracts between providers and users), or in special contracts for the use of certain Internet resources and systems.

Based on the foregoing, the owners of information resources and services, service providers and software manufacturers should be guided by the following rules in respect to users:
- notify them of collection and processing of personal data and information about individuals' private lives;
- disclose the types of information collected, and the methods of its collection;
- specify the purpose and modes of use for data collected directly by the resource or service owner, or by third parties;
- provide a detailed description of the modes and forms of user consent for the collection and use of information;
- determine the storage term and method for collected data;
- on request, afford users the opportunity to terminate the collection of data containing information about their private lives;
- provide citizens free access to audit and correct information collected about them;
- specify which legislative acts comprise the basis for relations with users;
- determine the limits of civil liability for violating information privacy measures;
- inform users of the possibility of legally sanctioned collection of and access to data about citizens, particularly, in the course of criminal investigations.

It may also be useful to indicate what actions on the part of citizens or third persons will result in the cessation of protection for personal data pertaining to them. Likewise, to protect the interests of persons collecting information, it is advisable to determine the civil liability of users for providing false information. In all the activities under discussion, one must remember that the violation of measures for the protection of personal data may result in the invocation of civil, administrative or criminal liability.

This short analysis may be summarized in this way. Anonymity (the confidentiality of user information) and the public nature of users' actions that arises from the nature of Internet services, standards and protocols are essentially two sides of the phenomenon of Internet access and use. At present it seems impossible to fully provide for either one or the other by technological, or administrative and legal means.

At the moment, domestic legislation pertaining to personal data contains a significant number of gaps and is in need of systematization. Therefore, it is impossible to definitively classify given types of information about persons and system configuration as personal data. Moreover, it is difficult to reliably and definitively determine whether certain actions in the use of a resource or system constitute constructive consent to the collection of personal data. It would seem, thus far, that the Pilot Law contains the standards, which are best suited to the prevailing level of social relations.

Finally, the Russian Federation has no government agency charged with protecting users' personal data. There are no corresponding initiatives, and there are no programs in development that would be dedicated to protecting the information rights of citizens' when using information technology.



 [1] In this regard, Resolution 428 or the Consultative Assembly of the Council of Europe (Section C), states the following: "In case of controversy between the right of free information and the right of personal life esteem, the right of personal life esteem shall have the priority." See: Bachilo I.L.., V.N. Lopatin and M.A. Fedorov, Information Law, 2001, Law Center Press, Saint Petersburg, p. 274.

 [2] A theoretical treatise on the principle of the inviolability of private life, as it regards informational processes, is expounded in: Bachilo I.L.., V.N. Lopatin and M.A. Fedorov, Information Law, 2001, Law Center Press, Saint Petersburg, Chapter 8.

 [3] In Art 2 of the Information Act, confidential information is defined as "documentary information, access to which is limited in accordance with the laws of the Russian Federation. The same article further defines documentary information as "information fixed on a physical carrier with markings sufficient to permit its identification."

 [4] Adopted in the Interparliamentary Assembly of CIS States in Resolution 14-19 of October 16, 1999.

 [5] In addition to the indicated gap, it is important to the present research that the procedures for mandatory licensing of activities by non-governmental organizations and private persons engaged in the processing and providing their users with personal data that are called for in Para 4, Art. 11 of the Information Act have not yet been established. Likewise, regarding the degree of protection for information that is considered personal, there is a lack of standards for determining the degree of protection that, according to Para. 1, Art. 21, were to have been established in Federal Law.

 [6] Federal Act No. 146-03 of 30 July 1998, as revised in Federal Acts No. 154-F3 of 9 July 1999, No. 13-FZ of 2 January 2000, No. 118-FZ of 5 August 2000 (as revised on 224 March 2001), No. 180-FZ of 28 December 2001 and No. 190-FZ of 29 December 2001.

 [7] Federal Act No. 197-FZ of 30 December 2001 was adopted in the State Duma on 21 December 2001. The Code entered into force on 1 February 2002.

 [8] For details on this approach to the institution of personal data, see the work by Serienko, L.A. and I.D. Tinovitskoi "Subjective Rights in the Information Sphere." (Informatization Issues, No.3, 2000), which focuses, in particular, on the fact that "a broad array of personal data" merits consideration, including "not only information about private life, but also information about peculiar characteristics that identify a natural person in public life; about those factors specific to his physical, psychological, mental, economic, cultural or social identity." (p. 25)

 [9] In several countries, legislation adds electronic mail to the list of personal data. An example of this took place in Argentina in November 2001.

 [10] See p. 99 of the publication by Bolchinskaia, E, L. Tereschenko and M. Ykushev, Internet i Glasnost, Galeriia Publishing, Moscow, 1999.

 [11] See: the 20 January 2000 Letter by the Federal Commission on the Securities Market, No. IB-02/229 "On possible fraudulent schemes in securities trading on the Internet," which contains information compiled on the basis of analysis of typical fraudulent activities uncovered by the US Securities and Exchange Commission.


Published: February, 4, 2003