Q&A: the data protection legal framework in Russia

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

Federal Law No. 152-FZ on Personal Data dated 27 July 2006 (the PD Law) is the main law governing personally identifiable information (personal data) in Russia. The PD Law was adopted in 2005 following the ratification of the Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data. In general, the PD Law takes an approach similar to the EU Data Protection Directive and is based on the international instruments on privacy and data protection in certain aspects, but the Russian regulation places special emphasis on the technical (IT) measures for data protection. Notably, the PD Law has concepts similar to those contained in the General Data Protection Regulation, which became effective in the EU on 25 May 2018. Data protection provisions can also be found in other laws, including Federal Law No. 149-FZ on Information, Information Technologies and Information Protection (2006) and Chapter 14 of the Labour Code of the Russian Federation (2001).

Canadian privacy law reform is coming – are you ready?

In the next two years, it is likely organizations across Canada will become subject to more detailed and more stringent privacy laws. When the change comes, many businesses – having benefitted from a relatively lax form of regulation – will be unprepared. The public sector, too, is mostly subject to laws shaped into their current form prior to the new millennium.

UK: Data Protection Contracts – What Tends To Be Missing And What To Do About It

The General Data Protection Regulation (GDPR) has required organisations to adapt from relying on vague data protection clauses that were in many cases included by default in services agreements to the stringent requirements of Article 28 regarding controller-processor arrangements.

European Union: Draft EU Guidelines On The Concepts Of Controller And Processor – Key Elements For Life Sciences Companies

On 7 September 2020, the European Data Protection Board (“EDPB”) initiated a public consultation on draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR. Any interested party could provide comments by 19 October 2020 using the dedicated form.

[article] Privacy and data protection in India and Germany: A comparative analysis

This research report offers a comparative analysis of privacy and data protection in Germany and India. It compares the two regimes on four counts. First, it examines how the right to privacy and/or its allied rights have developed in the two countries historically. In this, it explores the political factors contributing to the understanding and acceptability of the principles of privacy in the decades after the Second World War. Second, it delves into the instruments and forms of state surveillance employed by both the countries and analyses how the presence of parliamentary and judicial oversight on intelligence agencies impacts individual privacy. In the third section, it compares how biometric identity systems have been deployed in the two countries, the safeguards designed around the same, and the legal challenges they have thrown up. Lastly, it evaluates data subject rights as defined under the General Data Protection Regulation (GDPR) together with the Bundesdatenschutzgesetz-Neu (BDSG-Neu) and how they compare with those as defined under the Draft Personal Data Protection Bill, 2018 in the Indian context.

[article] From privacy to data protection: the road ahead for the Inter-American System of human rights

The right to privacy and data protection are key elements to understand how data has become the centerpiece of many changes in human interaction, new business models and technological development in an increasingly hyperconnected world. In a so-called data driven economy, the task of asserting principles, concepts and legal bases for data processing is fundamental to devise how such rights can be indeed protected. The Inter-American System of Human Rights recognises this right. In contrast to the European system that since 2000 recognises the right to data protection as an autonomous right – differentiating it from the right to privacy – the Inter-American System is on track to improve the standards of protection of both rights. Considering all thirty-five States of the Americas, eighteen have a specific data protection regulation; seven are discussing the Bill and eleven do not have a specific data protection regulation. The purpose of this article is to present the stage of development of the Inter-American System of Human Rights in relation to the protection of the right to privacy and data protection and also demonstrate the challenges that such system will have to face as it moves towards the effective guarantee of such rights.


Location Data: Perils, Profits, Promise

Christopher James Riederer

2020 Doctoral Thesis

Most of the modern online economy is based on websites offering free services and content in exchange for advertising access and user data. Web companies collect vast troves of data about their users in order to better target their advertisements. An important subset of this harvested data is the locations visited by users. Location data is valuable as it is a “real world” signal compared to online behaviors: a visit to a store is a stronger signal than a visit to a website, and location data can reveal user attributes that are interesting to advertisers. The collection of this data, however, raises many concerns. Location data can reveal important attributes that users may not wish to disclose: ZIP codes can reveal income and race, visits to places of worship may allow discrimination, and insurers may want to know about trips to hospitals. The risks exist at both an individual level, with location tied to physical safety, and at a collective level, with inference about group membership a necessary step towards discrimination. In this thesis, I examine issues of privacy and fairness in the use of location data. In the first portion, I empirically demonstrate new attacks on the anonymity and privacy of users, including a theoretical basis for user identification. In the second portion, I propose and analyze new solutions for dealing with privacy, anonymity, and fairness in the collection and use of location data. In contrast to previous work which presents privacy in abstract ways or ignores the power of data aggregators, the work presented here focuses on concretely informing users and incorporates the economic incentives driving privacy and fairness concerns.

How to Put the Data Subject’s Sovereignty into Practice. Ethical Considerations and Governance Perspectives

Peter Dabrock

AIES ’20: Proceedings of the AAAI/ACM Conference on AI, Ethics, and Society, February 2020, Pages 1–2.

Ethical considerations and governance approaches of AI are at a crossroads. Either one tries to convey the impression that one can bring back a status quo ante of our given “onlife”-era [1,2], or one accepts to get responsibly involved in a digital world in which informational self-determination can no longer be safeguarded and fostered through the old-fashioned data protection principles of informed consent, purpose limitation and data economy [3,4,6]. The main focus of the talk is on how under the given conditions of AI and machine learning, data sovereignty (interpreted as controllability [not control (!)] of the data subject over the use of her data throughout the entire data processing cycle [5]) can be strengthened without hindering innovation dynamics of digital economy and social cohesion of fully digitized societies. In order to put this approach into practice the talk combines a presentation of the concept of data sovereignty put forward by the German Ethics Council [3] with recent research trends in effectively applying the AI ethics principles of explainability and enforceability [4-9].

Public Interest, Health Research and Data Protection Law: Establishing a Legitimate Trade-Off between Individual Control and Research Access to Health Data

Mark J Taylor and Tess Whitton

Laws 2020, 9, 6.

The United Kingdom’s Data Protection Act 2018 introduces a new public interest test applicable to the research processing of personal health data. The need for interpretation and application of this new safeguard creates a further opportunity to craft a health data governance landscape deserving of public trust and confidence. At the minimum, to constitute a positive contribution, the new test must be capable of distinguishing between instances of health research that are in the public interest, from those that are not, in a meaningful, predictable and reproducible manner. In this article, we derive from the literature on theories of public interest a concept of public interest capable of supporting such a test. Its application can defend the position under data protection law that allows a legal route through to processing personal health data for research purposes that does not require individual consent. However, its adoption would also entail that the public interest test in the 2018 Act could only be met if all practicable steps are taken to maximise preservation of individual control over the use of personal health data for research purposes. This would require that consent is sought where practicable and objection respected in almost all circumstances. Importantly, we suggest that an advantage of relying upon this concept of the public interest, to ground the test introduced by the 2018 Act, is that it may work to promote the social legitimacy of data protection legislation and the research processing that it authorises without individual consent (and occasionally in the face of explicit objection).

State of Privacy and Data Protection in E-Government, Policy and Law in India: A Review

Asst. Pro. Mrs. Varsha Athavale

Vol. 68 No. 9 (2020): International Conference On E-Business, E-Management, E-Education and E-Governance (ICE4-2020)

Information and communication technology (ICT) is a potent instrument for providing borderless, interconnected and de-territorialised delivery of services. Use of Information and Communication Technology (ICT) in government operations facilitates efficient, speedy and transparent process for providing services and for performing government administration. This enables e-governance which is an important part of e-government. Many developing countries are using it to achieve Sustainable Development Goals which are decided by UN. These 17 Sustainable Development Goals (SDG) are reflected in India’s development plans through National Institution of Transformation (NITI) Ayog. Various ministries are given targets to provide missions, schemes and programs and Government of India launched several projects, missions to achieve these targets. For this, several ICT tools are developed and deployed, which have helped to enhance efficiency of government missions and projects. National Policies regarding Information Technology and Policy for data sharing are framed.