It should be noted that while drafting the package of amendments to combat fraud (Antifraud-2), an attempt was already made to regulate more strictly the data contents that operators may collect and process, but in the end the provisions allowing state bodies to develop regulations defining the data contents permitted to be processed and the operations with them were excluded. Additional amendments to the foregoing package, specifically those relating to industry benchmarks, might be expected.
It is still hard to say what industry benchmarks for personal data processing will look like, but they will likely consist of some recommendations or “best practices” that will unify data processing in various business sectors. The first benchmarks are expected to appear in industries with mass data processing: in education, housing and communal services, healthcare, and tourism.
Roskomnadzor promises that such benchmarks will establish, among other things, a list of requisite data, storage periods, the procedure for destroying information, and the legal grounds for processing. They will be wired into the principles of the Personal Data Law, including the principle of minimising the collected data. Work on the contents of industry benchmarks has already been launched at the Personal Data Competence Centre.
Below we consider the implications of this initiative for businesses and how they can adapt to these legislative changes.
- Despite criticism of the consent of the personal data subject as a ground for processing, it still remains a significant legal ground. This is especially true in cases where a company has specific business processes that go beyond the standard services provided. At that point, such a legal ground as a customer contract is no longer sufficient, since the collection of personal data goes beyond performance under the contract — in this case, consent is required. As international practice suggests, this is a fairly effective legal instrument, and the only question is how to use it correctly. As it appears, the main problems with the application of consent are currently the lack of systemic “soft law” in the form of recommendations and clarifications from state authorities, the lack of understanding among operators of how to apply it, the lack of sufficient awareness among personal data subjects to manage their own consent, and the historically established tradition of asking for consent to processing “just in case” in any situation.
- In principle, the objective pursued by industry benchmarks (reducing the number of given consents) is entirely achievable even now through a more meaningful application of legitimate interest as a ground for processing personal data. This ground is widely used in international practice, while at the same time conscientiously adhering to the principle of data minimisation. However, there is currently a lack of official clarification regarding its use, specifically, of a recommended methodology for assessing the justifiability of this ground (analogous to the balancing test and the assessment of damage to personal data subjects, which are used in international practice when assessing the justifiability of relying on legitimate interest under the GDPR). Such a methodology serves to document the justifiability of the choice of this legal ground and, if necessary, to present it to the regulator in the event of questions or complaints regarding the use of legitimate interest in a particular case.
- The benchmarks as such represent a fairly new mechanism and have not received widespread use in international practice. The Codes of Conduct introduced by Article 40 of the GDPR are recognised as a similar tool, adopted taking account of the individual characteristics of various sectors of personal data processing and the specific needs of micro, small and medium-sized enterprises. At this stage, businesses may have many questions: how to define an industry, what to do if an operator wishes to expand its activities into a related industry or change it, and what startups or ecosystems that often operate at the nexus of various industries should do. Beyond that, the benchmarks provide for the alignment of processes among organisations from the same industry, which is hardly possible, since the peculiarity of personal data compliance is an individual approach to the actual processing and to specific business objectives. In addition, the bulk of the data is often collected by operators for marketing purposes, which is a cross-industry area typical of most sectors of the economy. At the same time, the list of marketing tools, as well as the scope of collected data, is constantly expanding. Therefore, if the objective of introducing benchmarks is data minimisation, it is necessary to ensure that this principle is applied by each operator independently, or with regard to the identity of processes and tools in each specific case.
- Given the current trend towards opting out of consent, in the long term operators should really consider more actively using legitimate interest as a justification for their data processing, or adhering to principles and technologies for reducing the personal data collected and processed. It should be noted, however, that the burden of proving the lawfulness of relying on a legitimate interest actually lies with the operator, so it is necessary to document this process in detail and conduct a thorough assessment of the justification for its use.