Confidentiality of Personal Data in the Situation of Cyber Threats

 
PII: S278229070031663-5-1
DOI: 10.18254/S278229070031663-5
Publication type Article
Status Approved
Authors
Occupation: Ph.D., Associate Professor of the Department of Business Law, Civil and Arbitration Proceedings
Affiliation: Novosibirsk State National Research University
Address: Novosibirsk, 1, Pirogova Street, Novosibirsk, Russia, 630090
Abstract

Recently, Russia has become one of the leaders in personal data leaks. The year 2023 in Russia became a truly record year for the number of personal data leaks. Personal data is currently not only a valuable resource in the field of business turnover, but also the object of various types of cyberattacks and leaks caused by the malicious actions of third parties. The right to confidentiality and the right to protection of personal data are not implemented in the digital environment due to the susceptibility to cyberattacks and the lack of appropriate measures and guarantees in this field. Based on the analysis of current legislation and law enforcement practice, we conclude that it is not enough to list the rights of personal data subjects in order to effectively protect them. Guarantees in cyberspace are needed through the implementation of appropriate protective measures, as well as the establishment of operator liability tied to the amount of harm caused to, and eliminated for, the subjects of personal data.

Keywords: personal data, operator, leak, leakage, personal information, GDPR, turnover fines, protection of personal data, cyber threat, cyberattack
Received: 16.07.2024
Number of characters: 33416
1 Introduction. According to the norms of the Federal Law of July 27, 2006 No. 152-FZ (as amended on February 6, 2023) “On Personal Data” (hereinafter referred to as the Federal Law on Personal Data), personal data means any information relating to a directly or indirectly identified or identifiable individual (subject of personal data). This legislative formulation allows all newly emerging types of information in the digital environment, such as IP addresses, cookies, email addresses, and others, to be classified as personal data. This allows the legislation on personal data to remain relevant to this day from the moment of its adoption. It seems that this approach of the Russian legislator is developing in line with global practice.
2 Thus, according to the provisions of the General Data Protection Regulation (GDPR) of the European Union (hereinafter referred to as the GDPR), personal data is also any information relating to an identified or identifiable individual. At the same time, the list of personal data is also indicated, such as name, identification number, location data, online identifier, and other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual. It seems that this definition is similar to the Russian one. Moreover, in the current realities of the digital economy, it is impossible to list all personal data; in any case, this is a task of judicial practice.
3 China's new Personal Information Law, effective November 2021, also defines personal information as broadly as possible to cover the widest possible range of information. Thus, according to Article 4 of this law, personal information is all types of information recorded by electronic or other means relating to a specific or identifiable individual, with the exception of information after the use of anonymization technologies. Indeed, this definition enshrines a wide range of information; the only limitation is the indication that when anonymization is used, personal information ceases to relate to a specific or identifiable individual.
4 Russian judicial practice quite successfully formulates criteria for classifying this or that information as personal data (for example, data left by individuals on the social networks VKontakte, Odnoklassniki, Moi Mir, Instagram (prohibited in the Russian Federation), and Twitter, and on the Internet portals “Avito” and “Avto.ru”, is considered personal data). Law enforcement practice is based on the principle of maximizing the list of personal data if it allows one to identify a particular individual. Also, expanding the means of legal protection, courts, when considering cases on the use of personal data of citizens, apply the norms of the Law of the Russian Federation “On the Protection of Consumer Rights”.
5 Implementation of the right to protection of personal data in the digital field. It is interesting to see how the right of the subject of personal data to protect his or her rights and legitimate interests is changing in the digital field. As a general rule, in accordance with Articles 17.2, 24 of the Federal Law on Personal Data, the subject of personal data has the right to protect his or her rights and legitimate interests, including in court, and the right to compensation for losses and moral damage.
6 In general, the approach of the Russian legislator is to establish a legal regime for personal data by defining them and limiting the capabilities of the personal data operator to use them (Articles 3, 10, 11, 18, 18.1, 19 of the Federal Law on Personal Data). Cases of unlawful acquisition of personal data constitute criminal and administrative offenses. As a rule, the consequence of violating the legislation on personal data is administrative liability under Article 13.11 of the Code of Administrative Offenses of the Russian Federation of December 30, 2001 No. 195-FZ (hereinafter referred to as the Code of Administrative Offenses of the Russian Federation). Article 13.14 of the Code of Administrative Offenses of the Russian Federation is applied in cases where a person who received access to personal data in connection with the performance of official or professional duties allowed its disclosure, which can often be found in practice and is a prerequisite for leaks of personal data.
7 Two more types of legal liability should also be added. For disclosure of personal data, employees of an organization may be subject to disciplinary action, for example, in the form of dismissal. And for damage caused to the employer as a result of the disclosure of information related to personal data, the employee is subject to financial liability in full (Articles 90, 238, clause 7, part 1; Article 243 of the Labor Code of the Russian Federation). Criminal liability arises for more serious acts, which consist not simply in the disclosure of personal data or their other illegal use, but in causing harm to the property or personal non-property rights of the subject. As an example of causing such harm, one can cite the sending of personal messages, photos or videos of a citizen to third parties or posting them in the public domain (Cassation ruling of the Seventh Cassation Court of General Jurisdiction dated June 10, 2020 No. 77-889/2020). Such disclosure often takes place by posting information on the Internet (Resolution of the Plenum of the Supreme Court of the Russian Federation dated December 25, 2018 No. 46 “On Some Issues of Judicial Practice in Cases of Crimes against the Constitutional Rights and Freedoms of Man and Citizen (Articles 137, 138, 138.1, 139, 144.1, 145, 145.1 of the Criminal Code of the Russian Federation)”).

