From 1 March Federal Law No. 519-FZ of 30.12.2020 “On Amendments to the Federal Law“ On Personal Data” comes into force, establishing new rules for the distribution (disclosure to an indefinite circle of persons) of personal data and the processing of personal data from open sources.
The new rules especially affect operators of online resources and services that allow users to share information with an unlimited number of people, as well as operators who use data from open sources in their activities (media, companies that use online behavior monitoring systems).
1. New terminology
The concept of "personal data made by the publicly available subject of personal data" is excluded and the concept of "personal data permitted by the subject of personal data for distribution" is introduced.
2. Introduced the obligation to obtain separate and more specific consents for the processing of PD
Consent to the processing of personal data permitted by the subject of personal data for distribution (hereinafter - "consent to distribution") must be formalized separately from other consents of the subject of personal data. The operator is obliged to provide the subject of personal data with the opportunity to determine the list of personal data for each category of personal data specified in the consent to distribution. Silence or inaction of a citizen cannot be considered consent.
Consent for distribution can be provided to the operator directly or using the special information system of Roskomnadzor (it is not yet operational).
The wording of consent must explicitly and unambiguously permit the distribution of personal data, and there must be a clear list of personal data in respect of which distribution is permitted. Ambiguous and unclear formulations will be interpreted in favor of the subject of personal data.
The consent to the distribution may establish bans on the transfer (except for providing access) of personal data by the operator to an unlimited number of persons, as well as bans on the processing or processing conditions (except for obtaining access) of personal data by an unlimited number of persons.
The prohibitions / processing conditions established by the subject of personal data do not apply to cases of processing personal data in the state, public and other public interests determined by the legislation of the Russian Federation.
Operators are obliged, no later than 3 working days from the date of receipt of the consent of the personal data subject, to publish information on the processing conditions and on the existence of prohibitions and conditions for the processing of personal data by an unlimited number of persons permitted by the personal data subject for distribution.
3. Introduced the obligation of each operator to prove the legality of the processing of personal data from open sources
In the case of disclosure of personal data to an indefinite circle of persons by the subject of personal data himself without providing the operator with consent, as well as in the event that personal data were disclosed to an indefinite circle of persons due to an offense, crime or force majeure circumstances, the obligation to provide evidence of the legality of the subsequent distribution or other processing of such personal data lies with each person who distributed or otherwise processed them.
Before processing personal data from open sources, it will be necessary to make sure that the subject of personal data has consent to the distribution of his personal data by the operator who disclosed the personal data, and check for conditions / restrictions on data processing by other operators.
The transfer (distribution, provision, access) of personal data permitted by the subject of personal data for distribution must be terminated by the operator at any time at the request of the subject of personal data. The subject of personal data has the right to apply with a similar claim to any person who processes his personal data in violation of the new rules, or to a court.