How the Russian Code of Ethics for Working with Data Works

Contents:

• Will the Code become a national law regulating the collection of user data?
• What is GDPR?
• The Russian Code and the European GDPR - how are they similar?
• Will the Code be able to protect the interests of users?

Large companies in the Russian Big Data market, including Tinkoff Bank, Sber, Yandex, Mail.ru, Megafon, MTS, and others, developed and signed a Code of Ethics for the Use of Data at the end of 2019. This Code defines the rules for processing user data and is advisory in nature. It is important to note that companies do not face fines for violating the Code, even in the event of a customer data leak. The only penalty for violators is exclusion from the "register of bona fide data market participants," which does not provide significant benefits. Compliance with ethical standards in data processing remains an important topic for ensuring user trust and the development of the Big Data market in Russia.

The Code establishes rules for the collection, processing, storage, and use of personal data. Companies are obliged to avoid misleading users in their contracts. When processing data, it is necessary to exclude intentional discrimination based on race, nationality, or any other origin. Organizations must ensure the protection of data from unauthorized access by taking the necessary security measures. Compliance with these standards helps to increase user trust and comply with legislation on the protection of personal data.

In accordance with the Code, the company must avoid collecting information about users under the pretext of market research. For example, questionnaires for monitoring the labor market should not contain questions regarding sexual orientation or political views if they are not consistent with the objectives of the study. This ensures compliance with ethical standards and the protection of users' personal data.

Will the Code become a national law regulating the collection of user data?

In 2006, the Law "On Personal Data" was adopted in Russia, which regulates the storage of and access to personal data. This law is aimed at protecting the rights and freedoms of citizens when processing their personal information, ensuring the secure handling of data. Personal data legislation plays a key role in ensuring the privacy and accountability of organizations handling citizens' personal information.

Experts emphasize that law alone is insufficient for comprehensive regulation. Nikita Danilov, head of the legal committee of the Big Data Association, notes that "the Code primarily concerns working with big data, not personal data." This raises important questions about the need for more careful monitoring and protection of personal information in the digital age. Without due attention to personal data, the risks of leaks and misuse remain high.

In early April 2021, data containing the SNILS, TIN, home addresses, and places of work of people who applied for loans at Dom.RF Bank appeared online for sale. The bank reported that the vulnerability was identified during the remote submission of initial loan applications. At the time of publication, the Central Bank had not yet completed its investigation.

On April 20, the press service of Roskomnadzor announced the launch of an investigation into a data leak from the "Freedom for Navalny" website. This resource collected the email addresses of Alexei Navalny's supporters. If violations are found, those found guilty could be fined up to 100,000 rubles. This situation highlights the importance of protecting personal data online and the need to comply with legislation in the field of information processing.

Oleg Blinov, a teacher at Moscow Digital School, asserts that the main goal of the Code is to convince government agencies that the field of data processing does not require additional regulation. To achieve this goal, the business community is uniting to develop uniform standards and regulations. By combining their efforts, they will create effective mechanisms that will ensure a balance between data protection and freedom of enterprise.

Blinov emphasizes that businesses recognize their social responsibility and consciously impose certain restrictions on themselves. This approach demonstrates companies' commitment to sustainable development and their concern for the social and environmental aspects of their activities. Responsible business conduct not only strengthens reputations but also responds to the challenges of the modern world, creating a positive impact on society.

In Europe, user data is regulated at the national level through the General Data Protection Regulation (GDPR). One of the key principles of this regulation is the minimization of data collection. This means that the collection of users' personal data should be limited to only that information necessary for achieving specific processing purposes. The GDPR aims to protect the rights and freedoms of citizens by ensuring transparency in data processing and giving users more control over their personal information.

Some experts believe that the Russian Code may become similar to the European General Data Protection Regulation (GDPR). This may lead to stricter requirements for the processing and storage of personal information, which in turn will increase the level of data protection for citizens. The comparison with the GDPR emphasizes the importance of respecting user rights and transparency in the processing of their data. The implementation of similar standards in Russia could help improve trust in digital services and strengthen the country's position in the field of data protection on the international stage.

What is the GDPR?

The GDPR came into force in the European Union in 2018, giving users control over their personal data collected by organizations. Companies are required to comply with strict requirements and are not allowed to transfer customer data to third parties without a legal basis. Users can exercise the right to be forgotten at any time, allowing them to request the deletion of all data from the company's database if they no longer wish to use its services. This commitment to respecting customer rights is considered the gold standard in data security, although some consider it an obstacle to doing business. The GDPR has significantly changed the approach to the processing and protection of personal data, highlighting the importance of compliance in today's environment.

In 2009, German politician Malte Spitz requested copies of all GPS data stored about him from his mobile phone provider. The resulting information was shared with a data visualization company, which created an interactive map of his movements, integrating it with publicly available data from his social media accounts. This map displays routes, time spent in transit, and information about incoming and outgoing calls and messages. Such detailed user information allows marketers to conduct more targeted and effective advertising campaigns, leveraging customer movement and behavior data to improve the results of their strategies.

With the adoption of the GDPR, companies are required to collect only the minimum necessary information about users and inform them about the transfer of personal data to third parties. Violations of this law can result in fines of up to 4% of their annual turnover. Compliance with the GDPR is important not only for avoiding financial penalties but also for increasing user trust in a brand.

According to InfoWatch, 395 data breaches from public and private organizations were registered in Russia in 2019. As a result of these incidents, more than 172 million records containing personal and payment information were leaked online. Despite the serious consequences of these breaches, Russia has yet to tighten penalties for such violations, despite discussions on this issue for over six years. This underscores the importance of taking measures to protect information and the need to amend legislation in this area.

The Russian Code and the European GDPR - What Are Their Similarities?

Information security specialist Sergey Vakulin believes that business consolidation to develop the Code will not prevent government regulation of data processing. Expected changes in Russia regarding data management could pave the way for the implementation of similar regulations, similar to the European GDPR.

Analysts argue that the Data Ethics Code is the Russian equivalent of the GDPR. This confirms the growing importance of adhering to data protection standards in Russia, which contributes to increased user trust and improved personal information processing. The implementation of these regulations could lead to stricter controls over data processing and increased accountability for companies. Therefore, compliance with the Data Ethics Code is key to ensuring user rights and protecting their personal information.

The Code is not a static document; it is constantly updated and evolving. The list of companies that have signed on to this code continues to grow. We hope that in the future, it will become the equivalent of the GDPR for our region, improving data protection and increasing trust in companies handling personal information. This is essential for creating a secure and transparent environment for users. Vladimir Itkin, Qlik's Director of Key Account Management in Russia and the CIS, emphasized the importance of this process.

Qlik noted that initiatives are currently being developed to reduce the amount of customer information collected for advertising campaigns. However, the temptation to obtain maximum data remains strong. Itkin, an expert, believes that companies will stop collecting detailed customer information only if the government imposes strict legal restrictions and significant fines for violating them.

Leonid Cherny, Director of Data Management at PJSC MegaFon, emphasizes that data ethics and the GDPR are different concepts. The GDPR is a regulatory act that establishes the rights of data owners to manage their use, requiring explicit consent. In contrast, the Code of Ethics is a declaration by market participants who undertake voluntary obligations in the field of data processing. This code is based on the principles set out in the DMBOK, which emphasizes the importance of an ethical approach to working with data.

Will the Code Protect the Interests of Users?

According to Oleg Blinov, a teacher at Moscow Digital School, the Code regulating the ethical use of user data will not lead to a decrease in the volume of online advertising. On the contrary, it assumes its increase and increasing intrusiveness. The application of ethical standards in data processing will most likely lead to more aggressive marketing strategies aimed at attracting user attention. Thus, advertisers will strive to engage with audiences more effectively, which could make advertising more intrusive and less enjoyable for users.

The chapter on advertising and marketing contains an important aspect: it states that it is fair practice to offer potential customers the opportunity to opt out of receiving personalized offers. This means that the Code stipulates that personalized advertising, regardless of its scale, does not require user consent. Simply offering users the option to opt out of such offers is sufficient, opening up new horizons for advertisers and marketers to create more targeted and effective advertising campaigns.

The situation with the Code demonstrates a desire by businesses for more lenient obligations, allowing them to protect themselves from government interference. Businesses assert: "We control everything ourselves, and we do not need government intervention." Experts note that the Code contains vague wording, making it unclear what benefits users will receive from this document. The Code's primary objective is to ensure that companies process and use data responsibly.

The "Principles" section includes six key subsections emphasizing the importance of adhering to the Code. However, there are no significant additional obligations. In practice, this means that data processing will remain unchanged, Blinov emphasizes.