Confidentiality of Personal Data in the Situation of Cyber Threats

 
Article code: S278229070031784-8-1
DOI: 10.18254/S278229070031784-8
Publication type: Article
Publication status: Approved for publication
Authors
Affiliation: Novosibirsk State National Research University
Address: Russia, Novosibirsk
Abstract

Recently, Russia has become one of the leaders in personal data leaks. The year 2023 in Russia became a truly record year for the number of personal data leaks. Personal data is currently not only a valuable resource in the field of business turnover, but also the object of various types of cyberattacks and leaks caused by the malicious actions of third parties. The right to confidentiality and the right to protection of personal data are not implemented in the digital environment due to the susceptibility to cyberattacks and the lack of appropriate measures and guarantees in this field. Based on the analysis of current legislation and law enforcement practice, we conclude that it is not enough to list the rights of personal data subjects in order to effectively protect them. Guarantees in cyberspace are needed through the implementation of appropriate protective measures, as well as the establishment of the liability of operators related to the amount of harm caused and eliminated with regard to the subjects of personal data.

Keywords: personal data, operator, leak, leakage, personal information, GDPR, turnover fines, protection of personal data, cyber threat, cyberattack
Received: 26.07.2024
Character count: 33083

INTRODUCTION

According to the Federal Law of July 27, 2006 No. 152-FZ (as amended on February 6, 2023) “On Personal Data” (hereinafter referred to as the Federal Law on Personal Data), personal data means any information related to a directly or indirectly defined or identified individual (subject of personal data). Such a legislative provision allows all new types of information emerging in the digital environment to be classified as personal data, such as IP address, cookies, email address, and others. This has allowed the legislation on personal data to remain relevant from the moment of its adoption to this day. It seems that this approach of the Russian legislator is developing in line with global practice.

Thus, according to the provisions of the General Data Protection Regulation of the European Union (hereinafter referred to as the GDPR), personal data is also any information relating to an identified or identifiable individual. At the same time, a list of personal data is also indicated, such as name, identification number, location data, online identifier, and other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual. It seems that this definition is similar to the Russian one. Moreover, in the current realities of the digital economy, it is impossible to list all personal data; in any case, this is a task of judicial practice.

China's new Personal Information Law, effective November 2021, also defines personal information as broadly as possible to cover the widest possible range of information. Thus, according to Article 4 of this law, personal information is all types of information recorded by electronic or other means relating to a specific or identifiable individual, with the exception of information after the use of anonymization technologies. Indeed, this definition enshrines a wide range of information; the only limitation is the indication that when anonymization is used, personal information ceases to relate to a specific or identifiable individual.

Russian judicial practice quite successfully formulates criteria for classifying various types of information as personal data (for example, data left by individuals on the social networks VKontakte, Odnoklassniki, Moi Mir, Instagram (prohibited in the Russian Federation), Twitter; on the Internet portals “Avito”, “Avto.ru”, which are considered as personal data). Law enforcement practice is based on the principle of maximizing the list of personal data if it allows one to identify a particular individual. Also, expanding the means of legal protection, courts, when considering cases on the use of personal data of citizens, apply the norms of the Law of the Russian Federation “On the Protection of Consumer Rights”.

IMPLEMENTATION OF THE RIGHT FOR PROTECTION OF PERSONAL DATA IN THE DIGITAL FIELD

It is interesting to see how the right to protect the rights and legitimate interests of the subject of personal data in the digital field is changing. As a general rule, in accordance with Articles 17.2 and 24 of the Federal Law on Personal Data, the subject of personal data has the right to protect his or her rights and legitimate interests, including in court, and the right to compensation for losses and moral damage.

In general, the approach of the Russian legislator is to establish a legal treatment for personal data through their definition and limitation of the personal data operator's ability to use them (Articles 3, 10, 11, 18, 18.1, 19 of the Federal Law on Personal Data). The unlawful acquisition of personal data constitutes both criminal and administrative offenses. As a rule, violating personal data legislation results in administrative liability under Article 13.11 of the Code of Administrative Offenses of the Russian Federation of December 30, 2001 No. 195-FZ (hereinafter referred to as the Code of Administrative Offenses). Article 13.14 of the Code of Administrative Offenses applies when a person who received access to personal data in connection with their official or professional duties allows its disclosure, which is often found in practice and frequently leads to personal data leaks.

Two more types of legal liability should also be added. For disclosure of personal data, employees of an organization may be subject to disciplinary action, such as dismissal. For damage caused to the employer by the disclosure of information related to personal data, the employee is fully financially liable (Articles 90, 238, clause 7, part 1; Article 243 of the Labor Code of the Russian Federation).

Criminal liability arises for more serious acts. These acts include not only the disclosure of personal data or other illegal uses but also causing harm to the property or personal non-property rights of the subject. An example of such harm is the sending of personal messages, photos, or videos of a citizen to third parties or posting them in the public domain (Cassation ruling of the Seventh Cassation Court of General Jurisdiction dated June 10, 2020 No. 77-889/2020). Such disclosure often takes place by posting information on the Internet (Resolution of the Plenum of the Supreme Court of the Russian Federation dated December 25, 2018 No. 46 “On Some Issues of Judicial Practice in Cases of Crimes against the Constitutional Rights and Freedoms of Man and Citizen (Articles 137, 138, 138.1, 139, 144.1, 145, 145.1 of the Criminal Code of the Russian Federation)”).
