Privacy Law Seen as Costly Burden

The unpleasant e-mails started flooding Olga Stolyarova's inbox last week when an online leak of confidential information allowed millions of Internet users to see that she had ordered lacy lingerie.

Stolyarova's purchase history and her contact information were stored in the cache of the Yandex search engine, together with similar information from customers who had visited about 80 Russian online stores.

The Saratov region resident said the leak had embarrassed her badly.

"I have received all kinds of letters," she said in an interview.

Breaches of privacy are a regular occurrence in modern Russia, where many people seem to have quickly forgotten the Soviet government's obsession with secrecy.

For years, leaks were not even punishable by law. But not anymore, with a new bill shielding private information that came into force Monday.

The bill criminalizes privacy breaches and compels anyone who handles personal information — from banks, oil companies and Internet shops to farms, schools and hospitals — to use state-approved data protection equipment, software and procedures.

While the bill is well intended, it channels an obsolete Soviet approach that will mire companies in superfluous red tape and exorbitant expenses, industry experts said.

But no one argues that privacy needs to be protected.

Just days before the online shopping leak, 8,000 text messages sent by clients of the MegaFon mobile operator popped up on search engines, including Yandex and Google. In another recent leak, private information about people who posted mail with the EMS Russian Post surfaced online.

The search engines have blamed the companies for the leaks.

The outbreak of cases has prompted some bloggers to speculate that the Kremlin was orchestrating the affair to illustrate the need for the new law or that data protection companies were looking to justify the need for their services.

Both have denied the allegation — but they have reason to act. Russia signed the European convention on data protection in 2001 but has taken a decade to adapt its legislation accordingly. Data protection services, meanwhile, are hungrily eyeing the some 7 million firms and organizations that will fall under the law.

The European convention allows people who handle personal information to decide on measures to protect the data, and penalties are linked to how much harm a leak would cause.

The Russian legislation, however, introduces rigid mandatory measures for everyone, regardless of how much harm a leak would cause, information security experts said last month in an open letter to the Kremlin.

The measures themselves are based on guidelines previously used by the Federal Security Services, which, in turn, are modeled on Soviet templates, according to the open letter, available on IT industry web sites such as Anti-malware.ru.

The rules require companies to obtain written permission to handle personal data from the people who provide it and to purchase certified data protection equipment.

That would affect some 7 million companies and organizations, all of which handle data about their employees, the letter said, adding that the rules may cost the country up to 6 percent of its gross domestic product, or 2.67 trillion rubles ($96 billion).

A company with 100 employees will have to spend about 200,000 to 300,000 rubles ($7,200 to $10,800) to comply with the data protection rules, said Alexei Rayevsky, head of SecuRit, a Moscow-based information security company.

Leading cell phone operator Mobile TeleSystems has put its costs for new equipment at $42 million to $45 million.

But most companies will be tempted to ignore the rules because fines for using non-certified data protection equipment stop at 10,000 rubles to 20,000 rubles ($360 to $720) — peanuts for many businesses, Rayevsky said. "If punishments are not toughened, the law may become a formality," he said by telephone.

The legislation carries the threat of revoking operating licenses for noncompliance, but many of the 7 million operators do not have any licenses that can be taken away, he added.

A further disincentive is the murkiness of the new rules. Companies will be hard-pressed to confirm that they meet state standards because most standards are outlined in technically worded directives used internally by the FSB and the Federal Service for Technical and Export Control, said Dmitry Kuznetsov, a senior executive with Positive Technologies, a Moscow-based data protection firm.

The documents are too convoluted for a regular IT administrator to navigate, Kuznetsov said.

"The system is only more or less understandable to people who have worked with the documents before," he said by telephone.

Businesses are already losing money over the new rules, Kuznetsov said.

"Some companies are spending money to prepare all kinds of documents in case they are checked by a government body, not on protecting themselves from hackers," he said.

Kuznetsov also said the bill is unable to prevent intentional leaks, a problem especially typical for official databases containing home phone numbers, police and medical records and even banking account information that are offered for sale online and at pirate stands at Moscow's computer markets.

"It is almost impossible to identify the person responsible for the leak if he took precautions," Kuznetsov said.

Pirates, admittedly, are growing more careful. A company called the Moscow Center for Economic Security that advertised a database of Muscovites' telephone numbers denied carrying the item when contacted by The Moscow Times.

"It's just advertising on our web site," said the female operator who took the phone call. She refused to elaborate or give her name.

The problems, however, don't stop with flawed legislation because not all victims of data leaks are even aware that their rights have been violated.

Olga Stolyarova, whose lingerie purchases at an online sex store were made public in the online leak, only learned that she could sue when a Moscow Times reporter called her to ask whether she planned legal action. "Is it possible?" she asked.

There are many others like her, unaware that they can sue at the very least for damages, said Mikhail Anshakov of the consumer rights watchdog Public Control. "We still don't have enough of a legal culture," he said.

His organization has tracked an increase in several types of privacy lawsuits, in particular from bank clients whose personal information has been handed over by the bank to debt collectors. But most don't bother to sue, especially since the compensation is usually meager, he said.

This is the fault of the judiciary, not legislature, Anshakov said. "Let's say a judge awards a compensation of 500,000 rubles," he said. "Tomorrow, he would have 50 more people lining up to sue for damages. He's not interested in helping them because he sees them as little more than a disturbance."