Court PositionThe Supreme Court of the Russian Federation dismissed claims of RoskomdanzorFederal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (Roskomnadzor) against an insurance company over the processing of personal data on its website. The principal claim was about the form of the insurance policy that asks for visitors’ email addresses and telephone numbers.
The insurance company successfully defended its position in three courts. Notwithstanding this, Roskomnadzor decided to bring a claim to the Supreme Court of the Russian Federation. The Supreme Court, however, decided not to send the case for trial to the Judicial Chamber on Economic Disputes.
In the opinion of the courts, it is impossible to identify a particular person based only on an email address. Accordingly, an email address does not constitute personal data. In addition to this, the courts noted that the form on the website is used for receiving feedback and is not intended for identifying the consumer of the financial services. According to the court, this form does not allow one to accurately identify a person on the basis of the telephone number and email address provided since it does not require the provision of full personal data or identifiers such as passport details or INN (taxpayer identification number).
The court further noted that email addresses are not invariable and if an account is deleted, another user can re-register for the same email address. This is similar to the process of telephone number
Conclusions and RecommendationsIt appears to us that this position of judicial instances should be treated with utmost caution. It is vulnerable to criticism from the standpoint of the literal interpretation of legislation as well as from the standpoint of the position of regulatory executive bodies in this area and doctrine. In addition to this, it runs counter to the global practice of defining personal data. Despite the significance of the Supreme Court’s positions on particular cases, in the current circumstances one cannot act in reliance on the assumption that the position taken by the Russian Supreme Court in this case will be repeated in the same form in further cases.
First, the legislation does not stipulate the ability to accurately identify a person as a feature of personal data. Article 3 of the Federal Law “On Personal Data” states that personal data means any information directly or indirectly relating to an identified or identifiable individual. Russian case law has seen positions according to which information must be recognised as personal data not based on the criterion of “absolute identification,” but rather by virtue of its “relation” to an identified or identifiable individual. For example, personal data included information gathered with the help of cookies and an IP address.
The law, therefore, does not require that a data subject must be necessarily accurately identified. The key aspect is the ability to determine that a certain set of data belongs to an identified or potentially identifiable individual even when such individual has not been accurately identified. Otherwise, there would be a situation where, for example, information collected with the help of cookies, IP addresses and any other identifiers (such as place of residence, telephone number, place of work, etc) would not count as personal data. This would lead to a situation where this data will not be protected by the Federal Law “On Personal Data,” which in turn would lead to significant infringements of individuals’ rights (this will, for example, mean that the collection of such data does not require the data subject’s consent).
Second, the argument that the identifier must be invariable to be recognised as personal data is also highly controversial and there are no grounds to believe that in the future, and especially in cases with a different background, the decision will always be the same. In principle, almost any personal data is variable, except for data relating to certain invariable traits of a personality (for example, biometric data). For example, you can change your passport or telephone number. You can even change your name and surname.
Third, it appears that the statement that if personal data is collected not for identification purposes, such data is not personal, is not based on law.
From a practical standpoint, we recommend sticking to the most conservative approach and treating email addresses as personal data like other identifiers.
According to information available to us, this is the position shared by Roskomnadzor and it will be used in the course of various checks. In addition to this, if case law is revised at some point in the future, organisations will have to bring their operations in line with the new practices, meaning introducing changes to their business process and extending personal data protection to all data that was not recognised as such before. In addition, for example, when data is collected without the data subjects’ consent, in the case of a change in case law, you will need to procure such consent or another legal basis post factum, which may be extremely troublesome.