The subject of the study is the process of formation and development of the institute of personal data in the Russian Federation and the European Union. Special attention is paid to the comparison of the domestic and Western models of personal data regulation. During the research the author used comparative-analytical and system-structural methods of scientific cognition. The author of the article concludes that the peculiarities of the development of the political and legal model have significantly affected the formation of the institute for the protection of personal data in the Russian Federation and the European Union.
Personal data, personal data protection, Data Protection Institute, European Union, GDPR, EU General Data Protection Regulation, information security, information legislation, privacy, public interests, computer system security, personal data processing, national security
The formation of the institute of personal data is closely connected with the development of the constitutional rights and freedoms of man and citizen, and first of all, with the right to privacy, which, as a legal category, originally born in the United States. In English, all aspects of private life are designated by the single term "privacy", which has no literal equivalent in Russian.
One of the first attempts to formulate the essence of the concept of "privacy " was made in 1890 by the famous American lawyers Samuel Warren and Louis Brandeis, who defined it as "the right to be alone" - the right to be left alone or the right to be left to oneself.[1] In their article "The Right to Privacy" in the Harvard Law Journal, they argued that privacy is threatened by new inventions and business practices and argued for the creation of a special "privacy right". The increased attention to human rights at that time was primarily due to the devastating consequences of the Second World War. This is also reflected in the definition of the right to privacy: "Everyone has the right to respect for his personal and family life, his home and his correspondence" – the European Convention on Human Rights (ECHR).
An important role in the formation and formulation of the right to privacy was played by the activities of American courts. For example, in 1965, in Griswold v. Connecticut, U.S. Supreme Court Justice Douglas derived the right to privacy and to privacy from the basic tenets of the U.S. Constitution. The words he used to summarize the court's decision are widely known: "We are dealing with a right to privacy that is older than the Bill of Rights."[2]
The concept of private life formed in the United States had a great influence on the formation of the modern system of human rights and freedoms. On December 10, 1948, the UN General Assembly adopted the Universal Declaration of Human Rights, article 12 of which established that no one may be subjected to arbitrary interference with his personal and family life, arbitrary attacks on the inviolability of his home, the secrecy of his correspondence, or on his honor and reputation; everyone has the right to the protection of the law against such interference and such attacks.
In 1950, a similar rule was enshrined in article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms in the following wording: "Everyone has the right to respect for his personal and family life, his home and his correspondence". Thanks to these documents, the right to privacy has been recognized as an inalienable right of every person.
At the beginning of the second half of the XX century, information technologies began to develop, allowing much faster processing of a much larger amount of information. In the 60s, these technologies are becoming increasingly available to a wide range of people, which is of some concern to the Council of Europe.
Thus, in 1968, the Parliamentary Assembly published recommendation No. 509. It expresses concern about possible threats to the right to privacy because of the use of new technologies for data processing. As a result, the Assembly requested the human rights committee to study this issue. Many consider this moment to be the starting point for Data Privacy.
The first reaction follows from Germany, in the city of Hessen in 1970, the first ever law on personal data is adopted. It is important to note that this was only a local law that was applied exclusively on the territory of this land, and not at the federal level.
Then in the United States in 1974, the Privacy Act was adopted, in which the US Congress for the first time establishes a link between the right to privacy and personal data. This law specifies that a person's personal life may be directly affected because of the collection, use and dissemination of personal information by public authorities.
Neither one nor the other legal act can be called a full-fledged law regulating the processing of personal information. However, the right to personal data protection is beginning to emerge from the shadow of the right to privacy.
Germany is the first in the field of Data Privacy: the first national law on personal data (Bundesdatenschutzgesetz) appears in 1977. The special attitude of the German public to this issue is primarily related to local historical events. In the middle of the twentieth century, the Germans experienced two contradictory political regimes: on the one hand, the Third Reich, on the other hand, the FRG and the GDR. These structures were based, among other things, on mass surveillance of the population. Such upheavals have led to the fact that privacy has subsequently become extremely popular in this country. That is why Germany is still considered one of the world leaders in the protection of privacy and personal data.
Another significant country for Data Privacy is France, which is only one year behind Germany. The adoption of the Data Processing, Data Files, and Individual Freedoms Act in 1978 was also associated with local events.
In the early 70s, the French government developed the SAFARI project, the meaning of which was to create a single data register using a social security number, which would allow identifying any citizen. The processing of all this information was planned to be carried out thanks to advanced computing technologies at that time.
In 1974, the newspaper Le Monde published an article about this called "SAFARI ou la chasse aux Français" (SAFARI or hunting for the French), which provoked a loud scandal on the topic of mass surveillance.
The principles laid down in the European Convention for the Protection of Rights and Fundamental Freedoms were developed in the special provisions of the Council of Europe Convention 108 on the Protection of the Rights of Individuals with regard to the Automatic Processing of Personal Data of 1981, which considers data protection as the protection of the fundamental rights and freedoms of individuals, in particular their right to privacy with regard to the processing of personal data. Subsequently, in the Directive of the European Parliament and of the Council of the European Union of 24 October 1995, No. 95 / 46EC on the protection of the rights of individuals with regard to the processing of personal data and on the free movement of such data laid the foundations for a pan-European system for the protection of personal data.
In 2000, Article 8 of the Charter of Fundamental Rights of the European Union defined the right to the protection of personal data as an independent fundamental right.
By the end of the 90s, the main giants-monopolists of the Internet-are beginning to form. Today, they are commonly referred to as the Big Five or GAFAM (Google, Amazon, Facebook, Apple, Microsoft). With the direct participation of these American corporations, a new system of monetization of commercial activities on the Internet is being born. The Google search engine and the Facebook social network start showing ads based on an analysis of the behavior of their users (this method is called targeting). Contextual advertising is quickly becoming extremely popular and Amazon, Microsoft and Apple are connecting to this system.
To ensure that advertising remains the most relevant, the five named companies, with Facebook and Google clearly leading the way, actively collect huge amounts of data about users from around the world. At the same time, technologies are rapidly developing that allow us to analyze all this information and identify striking features of user behavior.
In response to contextual advertising, the EU adopted the ePrivacy Directive in 2002, which regulates the use of cookies, including the collection of data for advertising.
At the same time, there are major leaks of personal data because of hacker attacks, and due to the human factor. Their peak is in the tenth years. A prime example is the leak of almost all of Ashley Madison's data. We are talking about a Canadian dating site designed for people who are married. In 2015, the site's databases were attacked by hackers and all private information was posted online. In addition, the data of about 1,200 users from Saudi Arabia, where the punishment for treason goes up to the death penalty, was freely available. In such circumstances, it is difficult to underestimate the importance of personal data protection.
In the light of all these developments, the European Union concludes that it is necessary to update the outdated Directive of 1995. The main problem was that it was not directly applied in the EU member states, which in turn led to significant differences at the level of national legislation. The new regulation would operate directly in every European country and would create an increased level of personal data protection throughout the Union. Discussions for the adoption of a new law began in 2012, and in 2016 the final text of the regulation was officially published and entered into force on 25 May 2018 (GDPR).
In Russia, certain elements of the right to privacy were legislated and analyzed in the pre-revolutionary period. So, the Postal Charter of 1857 and the Telegraph Charter of 1876 fixed the secrecy of correspondence, the criminal-legal protection of this secret was carried out on the basis of the norms of the Code on Criminal and Correctional Punishments of 1845, the Criminal Code of 1903. Thus, the Criminal Code of 1903 (Articles 162-170) established a ban on the interference of officials in the administration of justice in the personal and family life of a person.
After the revolution, the approach to the problem of human rights has changed significantly. Thus, the Constitution of the RSFSR of 1918, although it contained a section on human rights called "Declaration of the Rights of the Working and Exploited People" (the declaration was adopted earlier at the III All-Russian Congress of Soviets), but it did not even fix elementary rights, a minimum of personal, political, economic, and cultural human rights. It included only the prohibition of exploitation, the right to equalize land use, the liberation of the working masses from the yoke of capital, and the right of workers to manage.
In 1924, a new constitution was adopted – the Constitution of the USSR, which no longer contained a Declaration of Rights, it proclaimed only national freedom, equality, and a single union citizenship. At the same time, in the Constitution of the USSR, a separate chapter was devoted to the establishment of a Unified State Political Administration to combat political and economic counter-revolution, espionage and banditry, which directed repressions that trampled on all human rights.
For the first time, the chapter on the rights and duties of citizens appeared in the Constitution of the USSR adopted on December 5, 1936. on the eve of mass repressions of 1937-1938. The Constitution enshrined a wide range of personal rights and freedoms, such as freedom of conscience (Article 124), inviolability of the person (Article 127), inviolability of the home and the secrecy of correspondence (Article 128). In theory, this was a major achievement of Soviet law, but in practice, it was just a formality. Thus, by the order of the NKVD of the USSR of December 29, 1939. All international telephone conversations of employees of foreign embassies and foreign correspondents were ordered to be recorded in shorthand, and all incoming and outgoing international correspondence was censored by decision-making bodies. Not only were international relations controlled by state security agencies, but inside the state " a large place in the control of people and society was given to the use of informants." Despite the obvious violation of the right to privacy by such practices, such actions are justified by States as necessary security measures.
Already in the 1940s, with the expansion of the repressive and punitive policy towards dissidents, with the tightening of the totalitarian regime, the problem of human rights was actually "closed". The issue of human rights was raised again only during the political "thaw" of the late 1950s and early 1960s, when the first theoretical studies on political and legal doctrines appeared in the USSR.
In 1977 in relation to ratification of the International Covenant on Civil and Political Rights of December 16, 1966, a new Constitution of the USSR was adopted. The Constitution of the USSR of 1977 became the first and only constitution for the entire Soviet period that included in a separate section a standard set of civil, political, economic, social, and cultural rights for developed European countries. Articles 54-56 of the Constitution of the USSR of 1977 guaranteed the inviolability of the person, home, as well as the protection of the law of personal life, the secrecy of correspondence, telephone conversations and telegraph messages. Article 57 of the USSR Constitution of 1977 stipulated that respect for the individual, protection of the rights and freedoms of citizens is the duty of all state bodies, public organizations, and officials.
For the first time in Russia, the right to privacy as an independent right was formulated in the Declaration of Human and Civil Rights and Freedoms, adopted on the eve of the collapse of the Union state by the Supreme Soviet of the RSFSR on November 22, 1991. It prohibits the collection, storage, use and dissemination of information about a person's private life without their consent. Subsequently, this rule will be enshrined in the Constitution of the Russian Federation of 1993.
In 1995, the Federal Law "On Information, Informatization and Information Protection" of February 20, 1995, No. 24-FZ, for the first time, legislated the concept of personal data. According to article 2 of this Federal Law, personal data is information about the facts, events and circumstances of a citizen's life, which allows identifying his identity. In addition, this law established general principles for the collection and use of information about citizens, according to this law, personal data was classified as confidential information.[3] It should be noted that the development of a special law on the protection of personal information began in Russia even before the adoption of Directive 95/46/EC of the European Parliament and of the Council of Europe on October 24, 1995 "On the protection of the individual in relation to the processing of personal data and the free circulation of this data". The initial draft of the law with the working title "On personal information" was developed in 1998 in the Committee on Information Policy and Communications of the State Duma of the Russian Federation with the participation of a working group of experts in the field of information legislation. However, this draft law was never considered in the State Duma of the Russian Federation.
Then, after more than two years, another working group was formed in the Security Council of the Russian Federation, which prepared the draft of the Federal Law "On Personal Data" of 27.07.2006, No. 152-FZ, which was subsequently adopted.
At the subordinate level, the Government has adopted resolutions explaining the main provisions of the application and use of legislation in this area. Among such by-laws are: Decree of the Government of the Russian Federation of November 17, 2007 No. 781 "On Approval of the Regulations on ensuring the Security of Personal Data during their Processing in Personal Data Information Systems", Decree of the Government of the Russian Federation of September 15, 2008. No. 687 "On Approval of the Regulation on the specifics of personal data processing carried out without the use of automation tools", Decree of the Government of the Russian Federation No. 512 of July 6, 2008 "On Approval of Requirements for Material carriers of Biometric personal Data and technologies for storing such data outside of personal data information systems".
In 2002, the Federal target program "Electronic Russia" was adopted, which was implemented from 2002 to 2010. The state customer-coordinator of the Program was the Ministry of Information Technologies and Communications of the Russian Federation, the Ministry of Economic Development and Trade of the Russian Federation, the Federal Agency for Information Technologies, the Federal Agency for Education, and the Federal Security Service of the Russian Federation. By the order of the Government of the Russian Federation of 2010, it was decided to approve the state program of the Russian Federation "Information Society" for 2011-2020.
So, the institute of personal data has passed a long way of formation and development, both in foreign and domestic legislation. It was formed and gradually separated from the right to privacy and family life. In connection with the gradual transition to the information society, characterized by the widespread use of information and computer technologies, operations for the collection, processing, and use of personal data began to need legal regulation. The first specialized regulations were adopted by European States. The Russian Federation subsequently adopted the positive experience of foreign countries, adopting laws at the federal level and developing by-laws. The legislation on personal data continues to develop actively, which indicates the need for a timely response from the legislative authorities in terms of regulating the basic provisions governing the emerging public relations in this area.
1. Vazhorova, M. A. History of the emergence and formation of the Institute of personal data // State and law: theory and practice: materials of the international scientific conference (Chelyabinsk, April 2011).
2. Gesetz und Verordnungsblatt für das Land Hessen. 1970. № l.
3. Loi de 1978 sur le traitement des données, les fichiers de données et les libertés individuelles.
4. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
5. Miraev A. G. The concept of personal data in the Russian Federation and the European Union/ / Yuridicheskaya nauka (VAK), 2019. №5.
6. Vasilyeva Zh. S., Medvedev V. A. Trends in the development of legislation in the field of personal data protection// Bulletin of the Russian University of Cooperation, 2017, No. 2 (28).