Recent Trends in Legal Regulation of Information Security
Senior Associate, Head of the Data Protection Group
In today's world, there is more of a demand than ever for protection of business in relation to processing different types of sensitive information. This is only natural given that the legislature and regulators are taking such an active interest in the area of confidential information, information technology is developing so rapidly, the information space is quickly expanding, and there is an increasing competition on markets where information is the main asset.
What are the last trends in regulation of information security in Russia?
"Tax" on information security?
"Do you want to do business in Russia legally? Then please also for information security" — one reads this message between the lines a number of laws passed during this year.
Let us give an example of the law on personal data (renewed this summer). This law obliges companies processing personal data (say almost all companies) exercise protection of such data, inter alia, by technical tools. Many companies would prefer to comply with this obligation, though implementation of the relevant technical measures requires significant funding and it is not always easy for information security officers to justify such expenses to the management. But what if a company wants to comply? There is a strong risk that it is prohibited to technically protect data without obtaining a special license.
The new law on licensing (in force since beginning of November 2011) provides for licensing of activities aimed at technical protection of confidential information and does not contain a reservation to the respect that no license is required, if the relevant activity is exercised for a company's internal purposes only. Personal data are defined as a kind of confidential information. This means that the law on personal data obliges to exercise such technical protection of data, and the law on licensing (reinforced by administrative and even criminal sanctions) prohibits doing that without a license. Thus, you may comply with one law only by complying with another. Following this approach licensing turns into a fiscal function, which contradicts the essence of the former.
For many companies that do not deal with personal secrets of their employees and counterparties so deeply (often not that important for data owners themselves), it looks like paying twice for the service you do not really need. Taking into account that there are several million entities in Russia processing personal data without a license (one may say processing illegally?), it would be curious how the licensing authority (federal service for technical and export control — abbreviated in Russian as "FSTEK") would be able to provide licenses to all applicants, if at least 1 percent of the "targeted audience" will at a time decide to comply with the law and receive a license. Staff of the regulator supporting licensing functions does not exceed several dozens across Russia. Practice of applying relevant "questionable" provisions of the law is not yet developed. Thus, we have to wait.
Modernization or security?
"Russia needs modernization" — that is one of the most popular slogans used by the political establishment in recent years. Modernization goes in parallel with using newest information technologies. However, current legislation and proposed amendments contain certain provisions restricting "freedom of modernization."
For example, the regulator in the sphere of personal data (federal service for information technologies and communications — called "Roskomnadzor") proposes to regulate (and, mainly, restrict) use of cloud platforms from the perspective of personal data protection. One of the initiatives is to establish that data centers using cloud technologies shall locate in Russia. The rationale for this is that the regulator may not control platforms located outside Russia. Unfortunately, this is a typical "solution" in Russia. Security of data in clouds is subject to hot disputes, however despite all pros and cons the whole idea of cloud technology may be "spoiled" by introducing such ban, as this deprives the relevant technologies of imminent flexibility. The proposed regulations have not yet been adopted, so there is a chance that some compromise will be reached.
Another problem is Internet shopping. The law on personal data (left unchanged in this part during the last "revision campaign") contains a provision that prohibits companies to make decisions in relation to data owners based solely on automatic processing of their personal data without prior written consent. This problem is not that fatal for Internet shops that physically deliver goods to their customers using couriers, etc., but it is for companies selling content, video games, e-books, etc., completely virtually. In the latter case in most situations we face exclusively automatic processing of data (a person enters data, which may not belong to her/him, including those of a bank card, funds are remitted, content is delivered), however obtaining written consents is not practicable in most such cases. The only solution is to register relevant web sites outside Russia, but even that does not guarantee full safety to business, as Russian authorities have tools to ban foreign sites (Rusleaks.com is one of the latest examples). Whether the new legislation on electronic signatures may help to solve this problem? Hopefully, but in any case it will take a long time to make relevant resources accessible to ordinary people and promote them in the society.
• • •
Regulation of privacy issues in Russia is one of the strictest in the world. At the same time circulation of illegally collected information also holds a position at the top.
Sometimes protection measures required by the law are not proportional to aims of such protection. Information security in commercial sphere is designed to save money for business and not vice versa.
Generally speaking, recent changes in the legal regulation of information security (such as adoption of a new version of the law on personal data (as compared with the previous one), enactment of the law on e-signatures, etc.) are positive, however there are still many things to improve and "put in the right order."