December
2017
Protection of personal data: first results and prospects of legal actions
Жердина, Двенадцатова_Защита персональных данных_первые итоги и перспективы судебных дел_11.2017
Protection of personal data has become an important topic today not only because of the rapid development of web-based technologies and globalization as a whole; it is also connected with the need to protect the right of citizens to privacy. The expansion of cloud technologies, the emergence of Big Data and the cross-border transfer of personal data create new challenges not only for the legislators but also for the courts considering personal data protection disputes.
The Federal Service for Supervision of Communications, Information Technology and Mass Media (hereinafter Roskomnadzor) is the authority responsible for supervision and control over protection of the rights of subjects of personal data. With the aim of ensuring appropriate processing of personal data and compliance with the requirements of the personal data laws, Roskomnadzor oftentimes resorts to quite drastic measures with respect to the violators.
It was just recently that the blocking of the LinkedIn website (November 2016) was discussed, and a few days ago Roskomnadzor issued a new statement that it may block the social network Facebook as well[1]. By the way, Roskomnadzor also has a page on this social network[2]. The initiative to block one of the most visited websites[3] came as a result of Facebook’s non-compliance with the requirement to store the personal data of Russian citizens on local servers[4]. The personal data localization requirement was the stumbling block in the case of LinkedIn as well.
In this article we will look at the major and most interesting cases related to the protection of personal data. Before we begin, it should be noted that even the very concept of personal data is defined by the courts differently, which deserves a separate mention.
The concept of personal data in case law
The concept of personal data is of vital importance here because whether the provisions of the personal data laws apply depends on whether or not the information is recognized as personal data. Under Federal Law No. 152-FZ “On Personal Data” (hereinafter the Law on Personal Data) dated July 27th, 2006, personal data refers to all information pertaining directly or indirectly to a specific natural person (subject of personal data).
One of the key factors that determines whether or not the information can be classified as personal data is the ability to identify a person on the basis of the operator’s data. Because the Law on Personal Data does not state that a person must be identifiable on the basis of these data, there are frequent disputes in judicial practice on what is to be considered as the personal data of a subject.
Hence, for example, the recognition of an IP-address as personal data is often debated, because an IP-address allows you to identify the device which was used to access the internet and by no means a specific user[5]. However, the Court of Justice of the European Union, for example, holds a different opinion, and states that IP-addresses constitute protected personal data[6]. The Russian courts are not as definitive and do not directly specify in their decisions that an IP-address can be classified as personal data. However, it is obvious that in the majority of cases an IP-address can be used to identify the device which was used to access the internet, as well as the list of users and how they are connected with one another if the users accessed the internet from one IP-address[7].
There have been quite a few debates regarding whether or not a photo (image) of a person should be recognized as personal data. The Law on Personal Data only mentions biometric personal data which refer to data indicating personally identifiable physiological and biological characteristics of a person based on which his/her identity can be determined. That being said, a photo or image in and of itself, without being linked to other data that allow you to identify a person, cannot be recognized as personal data. This was how the image of the plaintiff placed on cosmetic products distributed by the defendant was treated by the court, the latter having determined that the Law on Personal Data does not apply to these relations[8]. At the same time, in its explanation, Roskomnadzor[9] justly states that the norms of the Civil Code (hereinafter CC of the RF) on intangible benefits, including a citizen’s image (Article 152.1 of the CC of the RF), may be applied to relations arising out of or in any way connected with personal data.
Some courts are of the opinion that an email address should not be recognized as personal data either because, in the opinion of the courts, it does not allow you to identify the subject of personal data, and serves only as a means for transferring data[10]. However, this position is not uniform, so there is no single approach to recognizing an email address as personal data in judicial practice. There exists an opinion that an email address allows you to identify its owner[11].
Today the courts unequivocally recognize the following as personal data:
the person’s full name, address and passport data;
outstanding utility bills[12];
data from an application for a personal loan (full name, date and place of birth, registered address and actual place of residence, work and cell phone number, passport data, information about employment and family members)[13];
documents from a pension file[14];
employee data from an employment contract[15];
information about administrative action(s) instituted against a natural person[16];
information about vehicles registered under a natural person’s name[17].
One of the decisions[18] listed the so-called identifiers, that is, data allowing you to definitively identify a specific person: passport number and series; personal insurance policy number; taxpayer identification number (TIN)[19]; biometric data; bank account data[20].
Thus, if a dataset is necessary and sufficient to identify a person, that dataset should be considered as personal data.
Personal data localization in case law
Pursuant to Article 18, part 5, of the Law on Personal Data, when collecting personal data, including using the internet, data operators shall ensure the recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of the citizens of the Russian Federation using databases located within the territory of the Russian Federation. There are exceptions to this rule:
data processing to achieve the purposes stipulated by an international agreement entered into by the Russian Federation or to exercise and fulfill the functions, powers and obligations imposed on operators by the legislation of the Russian Federation;
data processing related to a person’s participation in constitutional, civil, administrative, criminal proceedings, legal proceedings in arbitration courts;
data processing when providing state or municipal services;
data processing as part of a journalist’s professional activity, lawful activity of mass media, or scientific, literary or creative activity, provided the rights and legitimate interests of the subject of personal data are not violated.
Roskomnadzor has quite an effective tool for fighting violators in its arsenal – blocking the website.
The most “highly-publicized” case involving violation of the localization requirement is undoubtedly the blocking of LinkedIn in November 2016 (case No. 33-38783/16[21]). In view of a possible blocking of Facebook, let’s briefly recall what this dispute was about.
Subject-matter of the dispute: The plaintiff (Roskomnadzor) filed a claim with the Moscow City Court against the internet resources (http://www.linkedin.com, http://linkedin.com) asking the court to recognize that their activity related to collection, use and storage of personal data of the citizens of the Russian Federation violated the requirements of the Law on Personal Data and the rights of citizens to privacy, personal and family secrets. In the plaintiff’s opinion, the violation of the Law on Personal Data by the defendant (LinkedIn Corporation) consisted in collecting personal data of the citizens of the Russian Federation without using databases located on the territory of the Russian Federation, as required by the Law on Personal Data. Moreover, the defendant obtained access to the data of third parties who are not LinkedIn users via synchronization with user emails and devices.
Despite the fact that the defendant is registered outside the Russian Federation, Roskomnadzor indicated during the hearing of the case that the internet resource is targeted towards the territory of the Russian Federation. This, in the opinion of Roskomnadzor, is evidenced by the availability of the website in Russian and the possibility of using ads in Russian. It should be noted that these conclusions coincide with the explanation of the Ministry of Communications and Mass Media of the Russian Federation “Processing and storage of personal data in the Russian Federation. As amended on September 1st, 2015”[22].
The outcome of the case: the court upheld the plaintiff’s claim in full.
The case above shows Roskomnadzor’s commitment to ensuring that databases are located within the territory of the Russian Federation. We would like to note that as of the date of this article LinkedIn Corporation has failed to convince Roskomnadzor to unblock the LinkedIn website[23].
Case law where the purpose of processing personal data did not coincide with that previously claimed
Pursuant to Article 5, part 2, of the Law on Personal Data, the processing of personal data shall be limited to specific, pre-defined and lawful purposes. Data processing that is incompatible with the purposes of personal data collection is prohibited. Such processing is subject to administrative penalty under Article 13.11, part 1, of the Code of Administrative Offences of the Russian Federation (hereinafter CAO RF).
In this regard, case No. А40-18827/2017, which was heard at the Moscow City Arbitration Court in October 2017, and which was widely publicized[24], is interesting. The social network “Vkontakte” was the plaintiff in this case[25].
Vkontakte case
Subject-matter of the dispute: The plaintiff filed a claim with the Moscow City Arbitration Court against LLC “Double” and JSC “National Bureau of Credit Histories” (hereinafter NBCH) to protect exclusive related rights to a database. According to the plaintiff, the defendants used the open data of “Vkontakte” social network users to evaluate the borrowing capacity of the users. Moreover, the defendants sold this information to banks.
The plaintiff’s claims: compel the defendants to stop using the users’ open data to evaluate the latter’s borrowing capacity and sell their services, to collect 1 ruble from the defendants as nominal reimbursement.
Hearing of the case: The plaintiff reached a settlement with one of the defendants, NBCH. As follows from the settlement, NBCH relied on LLC “Double’s” lawful use of data from the social network. Within 30 days from the date of approval of the settlement by the court, NBCH shall reassess its legal relationship with LLC “Double” so that it doesn’t violate the rights of the plaintiff or shall terminate it. In addition, NBCH shall not use the technology and products of third parties, as well as its own technology and products, the operation of which would require extraction of data from the plaintiff’s database without the relevant consent of the plaintiff.
As for the second defendant (LLC “Double”), on October 12th, 2017 the Moscow City Arbitration Court dismissed Vkontakte’s claim in full.
Comments on the case: The attention of the press to this case is quite justified. On the one hand, the data is publicly accessible. On the other hand, neither the plaintiff, nor the users of the social network gave their consent to have the information extracted from the database and used for commercial purposes. Moreover, there might be a commercial subtext here as well – the fact is, Mail.Ru Group (the plaintiff’s owner) itself began to invest in products used to evaluate loan risks for Russian banks (this was pointed out by the defendant, LLC “Double”[26], and was reported on the internet earlier[27]). Thus, the court had to decide whether or not LLC “Double” could use publicly accessible user data in its commercial interests.
The Moscow City Arbitration Court dismissed the claim. The court indicated that the plaintiff did not establish the creation of a database or the origin of exclusive rights to the database, and did not present evidence of the costs associated with its creation or of work related to collection and processing of materials for the database; evidence of the defendant extracting materials from the plaintiff’s database was not presented either.
The defendant (LLC “Double”) explained that its software processes open user data only and is, in essence, a search engine.
In its decision the court specified that based on the subject-matter of the claim and the grounds therefor, the court did not analyze the issues related to lawful processing of personal data. During the course of the proceedings the plaintiff should establish exclusive rights to the database and the defendant’s use of the database.
We would like to note that the Vkontakte case was tried in the court of primary jurisdiction. The plaintiff has thirty days to appeal the decision.
Further review of the Vkontakte case will show if Russian judicial practice will follow in the footsteps of American courts which in August 2017 allowed hiQ Labs to use the open data of LinkedIn social network users[28]. hiQ Labs used the mentioned data to create algorithms capable of predicting the behavior of employees (for example, the probability of getting fired).
In other cases the outcome was the opposite. In November 2016 Facebook prohibited Admiral Insurance from using data related to users’ behavior to calculate insurance rates for automobile owners[29]. Admiral Insurance collected information about the users’ “likes” and “posts”, analyzed it and offered a discount of up to 350 pounds per year for insurance to those users whose behavior in the network is associated with cautious driving (for example, the users that use short sentences and set an exact date and time to meet their friends received a bigger discount etc.).
In our opinion, and as was aptly noted by some of the authors[30], the use of Big Data technology[31] (and social network user data fall in this very category) requires the users’ consent if these data are used for commercial purposes, and not for statistical or other research purposes. We would like to remind you that pursuant to Article 6, part 1, paragraph 9 of the Law on Personal Data, the general rule is that the processing of personal data for statistical or other research purposes does not require consent if these data are anonymized.
Conclusion
The judicial practice that deals with violations of legislation on personal data is non-uniform. In this respect, a special role in regulating the relations related to personal data is assigned to Roskomnadzor, which is the key authority today overseeing compliance with the legislation on personal data. And we think that the approach of Roskomnadzor and the courts should be coherent so that we can form a consistent and uniform judicial practice. As exemplified in the LinkedIn case, Roskomnadzor and the Russian court showed their commitment to fighting violators. Without assessing the approach of Roskomnadzor and the courts to fighting violators, we advise Russian and foreign companies whose activity is targeted towards the Russian market to thoroughly review their work with personal data, identify “the weak spots” and implement measures to minimize the risks related to inappropriate processing of personal data.
[1] For details see: http://money.cnn.com/2017/09/26/technology/facebook-russia-data-blocked/index.html; http://www.rbc.ru/technology_and_media/28/08/2015/55e0b9749a79472ccf8c2d4b.
[2] See: https://www.facebook.com/roskomnadzor.official/posts/1929306397348132:0.
[3] According to the data provided by Mediascope agency, the number of Facebook visitors constituted approximately 19.2 million. For details see: http://mediascope.net/press/news/329016/?sphrase_id=165578.
[4] See: Federal Law No. 242-FZ dated July 21st, 2014 “On amendments to certain legislative acts of the Russian Federation for clarification of the procedure of personal data processing in information and telecommunication networks”.
[5] An IP-address (Internet Protocol Address) is defined as a unique identifier (address) of a device connected to the internet. For details see case law where the courts failed to recognize IP-addresses as personal data: Resolution of the Thirteenth Arbitration Court of Appeal dated July 5th, 2017 No. 13АП-5614/2017, 13АП-5604/2017 in case No. А56-12177/2016.
A static IP-address is permanently assigned to a device (end user).
[6] See Judgment of the Court (Third Chamber) dated November 24th, 2011 in Case C-70/10 // URL: http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d2dc30dd95c89b4481e24ac5abc888ab62....
[7] See: Resolution of the Third Arbitration Court of Appeal dated September 08th, 2017 in case No. А74-13090/2016; Resolution of the Eighth Arbitration Court of Appeal dated September 05th, 2017 No. 08АП-7948/2017 in case No. А75-16756/2016.
[8] See: Ruling on appeal of the St. Petersburg City Court dated November 15th, 2016 No. 33-22976/2016 in case No. 2-2932/2015.
[9] See: Explanation of Roskomnadzor dated September 02nd, 2013 “On issues related to classification of photo and video images, fingerprint data and other information as biometric personal data and the specifics of processing these data”.
[10] See: Ruling on appeal of the Moscow City Court dated December 12th, 2016 in case No. 33-42101/2016.
[11] See: Ruling on appeal of the St. Petersburg City Court dated January 31st, 2017 No. 33а-1151/2017 in case No. 2а-4760/2016.
[12] See: Ruling of the Nizhny Novgorod Regional Court dated May 12th, 2015 No. 4а-288/2015; Ruling on appeal of the Moscow City Court dated May 22nd, 2014 in case No. 33-14709.
[13] See: Ruling on appeal of the Tula Regional Court dated April 28th, 2015 in case No. 33-850.
[14] See: Ruling of the Primorsky Krai Court dated January 19th, 2015 in case No. 33-470, 33-11759.
[15] See: Ruling on appeal of the Supreme Court of the Republic of Sakha (Yakutiya) dated October 23rd, 2013 in case No. 33-4172/13; Resolution of Western-Siberian district Arbitration Court, dated October 21st, 2016 No. Ф04-4431/2016 in case No. А45-2491/2016; Ruling on appeal of the Samara Regional Court dated June 2nd, 2017 in case No. 33а-7253/2017.
[16] See: Resolution of the Supreme Court of the Russian Federation dated March 14th, 2017 No. 46-АД17-2; Resolution of the Eighteenth Arbitration Court of Appeal dated December 27th, 2016 No. 18АП-15436/2016 in case No. А76-15768/2016.
[17] See: Resolution of the Fourth Arbitration Court of Appeal dated August 2nd, 2017 No. 04АП-3856/17 in case No. А19-342/2017; Ruling on appeal of the Supreme Court of the Republic of Crimea dated July 3rd, 2017 in case No. 33а-5225/2017.
[18] See: Ruling on appeal of the Novosibirsk Regional Court dated July 4th, 2017 in case No. 33-6394/2017.
[19] However, the position of the courts regarding TIN is not uniform. In particular, some court decisions clearly indicate that TIN does not constitute personal data: ruling on appeal of the St. Petersburg City Court dated February 3rd, 2015 No. 33-1644/2015 in case No. 2-3097/2014.
[20] See: Ruling on appeal of the Volgograd Regional Court dated December 1st, 2016 in case No. 33-14837/2016.
[21] See the ruling of the Moscow City Court dated November 10th, 2016 in case No. 33-38783/16.
[22] The explanation is available at the link http://minsvyaz.ru/ru/personaldata/#1438546529980 (page viewed on – September 28th, 2017).
[23] See, for example, https://www.kommersant.ru/doc/3236682 (page viewed on – September 28th, 2017).
[24] See, for example, http://www.rbc.ru/technology_and_media/31/01/2017/58901c239a7947304d9de73e (page viewed on – September 28th, 2017).
[25] For convenience, this case shall hereinafter be referred to as “VKontakte case”.
[26] See, for example, http://www.rbc.ru/technology_and_media/31/01/2017/58901c239a7947304d9de73e (page viewed on - September 28th, 2017).
[27] See, for example, https://corp.mail.ru/ru/press/releases/9507/ (page viewed on - September 28th, 2017), https://vc.ru/17097-mrg-banks (page viewed on - September 28th, 2017).
[28] See, for example, https://www.reuters.com/article/us-microsoft-linkedin-ruling/u-s-judge-says-linkedin-cannot-block-startup-from-public-profile-data-idUSKCN1AU2BV (page viewed on – October 23rd, 2017).
[29] For details see https://www.theguardian.com/money/2016/nov/02/facebook-admiral-car-insurance-privacy-data (page viewed on – September 25th, 2017).
[30] A.I.Savelyev. Itemized scientific-practical commentary to the Federal Law “On personal data”. P.92. Statut Publishing House.
[31] In this article Big Data, the definition being by no means comprehensive, shall refer to various means (methods, ways, tools) used to process large volumes of data (for example, social network user data) to meet specific aims and objectives.