Short excerpt from the bill amending the Federal Law of July 27, 2006 N 152- "On Personal Data" (152-). With these edits 152- “allows to trade” Big Data, strengthens the rights of the operator of personal data. Perhaps readers will be interested in paying attention to key points. For a detailed analysis, of course, it is recommended to read the source .
As indicated in the explanatory note:
The draft law was developed pursuant to paragraph 01.01.003.002.001 of the action plan in the area of “Normative regulation” of the “Digital Economy” program, approved by the Government Commission on the use of information technologies to improve the quality of life and the conditions of doing business on December 18, 2017, protocol No. 2.
What seems the most interesting?
(Below in the text in the references everywhere it means 152-)
We meet "Anonymous data."
“Anonymized data” is not equal to “Anonymized personal data”. “Anonymous data” is identical to the anonymized personal data described, for example, here in the context of the GDPR.
Another consent is born: to the processing of personal data that is incompatible with the purposes of collecting personal data (supplemented by part 2 of article 5).
The processing of personal data will now be allowed to prevent property damage, prevent and prevent unlawful acts (change in clause 7 of part 1 of article 6) and to achieve socially significant goals (supplemented by clause 7.1 of part 1 of article 6).
In paragraph 9, part 1 of article 6 “or other research” change to “research and (or) analytical” (an important point, we will return below).
The new basis of processing in part 1 of article 6 “12) the processing of personal data received by the operator on a legal basis is carried out in order to obtain anonymized data”. Here, legalization of anonymization of data without the participation of the subject of personal data is legalized.
Art. 8.1., Which allows civil - legal circulation of anonymized personal data. Those. data can be used for commercial purposes, sold to third parties. For statistical, research and (or) analytical purposes, the consent of the subject is not required.
If during the processing of anonymized personal data “anonymity” is lost, then you may not need to ask for consent later (but you will have to find a legal basis). This is indicated by the added “(or)” in the phrase “... is carried out with the consent of the subject of personal data and (or) if there are grounds specified in paragraphs 2-11 of part 1 of Article 6 ...”.
Anonymized data can be used freely without the consent of the subject (changes under Part 4 of Article 8.1).
The requirements and methods of depersonalization are referred to the level of the Government of the Russian Federation.
The forms for obtaining personal data under Part 1 of Art. 9, electronic forms of obtaining consent are formally legalized: SMS, the form on the site, and other methods.
The personal data subject will be able to change the scope of the personal data processing goals stated in the (single) consent. Here the principle is abolished: "One goal - one consent." Corresponding changes in combining goals are introduced in part 4 of Art. 9. If the personal data operator refuses to amend the consent, the justified refusal can be appealed to Roskomnadzor.
According to Part 4 of Art. 9, it is easier to sign consent in electronic form, now instead of “in the form of an electronic document signed in accordance with federal law with an electronic signature” it is planned as follows: “signed in accordance with federal law with an electronic signature or confirmed in any way that can reliably identify the subject of personal data and establish his will ”.
In fact, informally existing practice of publishing on the site a list of third parties processing personal data is legalized.
According to the Telegram channel Privacy Experts ( @privacyexperts ):
The bill contains widely interpreted concepts. For example, “prevention and prevention of illegal acts” or “socially significant goals”.
At the same time, the bill does not contain decisions if, as a result of processing the totality of data, it becomes possible to assign individual personal data to a specific subject.
It can be seen that the position of the subject of personal data is deteriorating, at the same time, risks to the operator of personal data associated with documenting the processing of personal data for new types of processing are not ruled out.
It is not clear in what order data should be deleted when changing processing goals in the “Unified Consent”.
The explanatory note concludes with an indication that the bill complies with the provisions of the Treaty on the Eurasian Economic Union of May 29, 2014, as well as the provisions of other international treaties of the Russian Federation, and will not affect the indicators of state programs of the Russian Federation and their results.