Data depersonalization

Processing and protection of personal data in Russia

• Processing of personal data in Russia
• Protection of personal data in Russia

2024

Russia creates a standard for safe work with impersonal personal data

In Russia, active work is underway to create a standard governing the safe use of impersonal personal data. This became known in September 2024. This step is aimed at reducing the risks associated with the possibility of restoring the original information and establishing the identity of the data subject.

Big Data Association (Big Data Association), which includes the largest Russian companies, such as, and "Sber" Yandex , VK submitted their proposals for the development of such standards. Federal Service for Technical and Export Control (FSTEC) of Russia As he writes, Kommersant the discussed initiatives concern not only the development of a national data privacy standard, but also the creation of mechanisms to prevent the risks of de-denigration - a process in which personal information can be restored from an impersonal data set. The report of the relevant committee for the protection of information for FSTEC August 2024 emphasizes that the ABD proposed to consolidate data processing and exchange technologies, as well as clarify approaches to assessing the risks of re-identification. In particular, risks can arise when comparing data, associating it with unique characteristics of the user.

Freepik

The law, which entered into force on August 8, 2024, regulates the procedure for depersonalization of personal data, their processing and transfer to state information systems. According to this law, data operators are obliged to depersonalize them at the request of the Ministry of Digital Development, Communications and Mass Media (Ministry of Digital Development ). Impersonal data should be used to improve the effectiveness of public administration, which will allow more accurate decisions to be made without the threat of revealing the identity of a citizen.^[1]

Photos of Muscovites and their voices from CCTV cameras will be collected and processed in an impersonal form for the development of GIS and artificial intelligence

On July 30, 2024, the State Duma of the Russian Federation adopted a bill according to which photographs of Muscovites and their voices from video surveillance cameras will begin to be collected and processed in an impersonal form. These data arrays are expected to help develop technologies, particularly intelligent systems. Read more here.

Russia adopted a law on the procedure for processing impersonal personal data

On July 30, 2024, the State Duma of the Russian Federation adopted a law on improving the mechanism for processing personal data obtained as a result of depersonalization. The initiative is aimed at developing technologies, including artificial intelligence systems.

The document provides for ensuring access for developers to the data of Russians in the implementation of various projects. It is emphasized that this process excludes the possibility of establishing an identity: "no one - neither the state nor business - will be able to find out specific information about a person." Access to impersonal data sets will be carried out exclusively within the closed circuit of the state information system. This approach will ensure that AI models can be trained while meeting data conservation requirements.

Unsplash

The formation of sets of information will be carried out exclusively for specific tasks that will be determined by the government of the Russian Federation. Foreign citizens and Russian legal entities with preferential foreign participation, as well as persons with a criminal record involved in extremist or terrorist activities, will not be able to gain access to the formed arrays of information.

The law also defines a ban on the processing of data compositions if "the result of such processing can lead to harm to life, health of people, insult to morality, violation of the rights and legitimate interests of citizens and organizations, harm (damage) to the environment, defense of the country and security, states cultural heritage, other values ​ ​ protected by law." In addition, it is not allowed to provide the results of processing data compositions to foreign persons and foreign organizations. All data sets will meet certain requirements, and the authorized body has the right to restrict access to them in case of violations.^[2]

The bill on impersonal data was approved by the State Duma IT Committee, but continues to face criticism

On July 29, 2024, following an expanded meeting IT committee State Dumas , he recommended that deputies adopt in the second reading a bill regulating the depersonalization of personal data and their subsequent use. The document was significantly finalized together with the relevant committee and business. As conceived by the authors, the business will transfer the data processed by it to the state information system, which should be specially created, free of charge. Impersonal data is expected to help advance technology, including AI technology.

Freepik/rawpixel.com

The head of the State Duma's IT committee, Alexander Khinshtein, said at an expanded meeting that during the revision, 10 amendments were received to the bill, and all of them were recommended for adoption. Among them are the following: the peculiarities of processing of personal data obtained as a result of depersonalization should be established when forming the composition of such data and providing access to them; establishing the procedure for the formation of personnel compositions obtained as a result of their depersonalization, grouped by a certain feature, provided that their subsequent processing does not allow determining belonging to a specific person.

A direct ban on the formation of personnel compositions from special categories and biometric personnel is also introduced.

In addition, it was determined that the Russian government, in agreement with the FSB, will establish requirements for the depersonalization of personnel and the procedure for their transfer, which will be unified for all. A provision is also introduced, according to which the data operator is obliged, at the request of the Ministry of Digital Development Science, to depersonalize the processed data according to the method agreed with the FSB, and provide them to a special state information system where impersonal data will flow.

The Ministry of Digital Development, in turn, is obliged to ensure the confidentiality of persdata received from persdata operators. An array of data should not fall outside this state information system, work with data can only be carried out inside it. According to Alexander Khinshtein, this is a principled position, because of which many "spears" were broken - which was discussed and studied for a long time. It is envisaged that recording, extraction, transfer of data from the state information system is not allowed.

In this regard, special requirements are introduced for users of this state information system who will have access to impersonal data arrays. Among the requirements - users cannot be foreigners, persons with an unexplained criminal record, etc. A separate law prescribes a regional state information system that will operate on the territory of Moscow, given that there is a special experimental law on digital sandboxes.

The Minister of Digital Development, Communications and Mass Media Maksut Shadayev at a meeting in the State Duma on July 29 noted that one of the benificators of creating such a system is the state, since public administration should be carried out not on tables, but on primary data. Therefore, the state exercises powers - it determines cases when business will provide such data to this large state information system.

In the current design, you can start moving, and then refine it as you receive law enforcement practice, - concluded Maksut Shadayev.

At the same time, despite numerous improvements, the bill continues to face criticism. So, for example, Igor Ashmanov, a member of the Presidential Council for the Development of Civil Society and Human Rights, indicates that depersonalization is "in many ways a myth." Now data enrichment allows you to "unwind" impersonal data, especially if there are already huge digital profiles of citizens on the side of the business, which allow you to restore communication by unique signs.

The bill is useful and well-structured, but it is in a sense a concession to a business that wants to have datacets. For the development of AI in our country, data is not needed at all, Igor Ashmanov believes. This is a big business narrative that wants to monetize citizens' data and improve its recommendation systems.

For AI, which is key for us - defense, medicine, law enforcement, industry - we need big data, but this is not personal data of citizens, he said. - In sensitive areas - medicine and security - personal data is needed, but they should not be managed by businesses, but by people in uniform.

At a meeting in the State Duma, in particular, Irina Levova, director of strategic projects of the Big Data Association, noted that their organization representing big business had conceptual comments on the version of this bill prepared for the 2nd reading in the State Duma: the association believes that the proposed edition is useless for the development of projects in the field of AI. In addition, there is an ambiguity in the organizational and technical mechanics of the implementation of the proposed changes.

The main question of the industry is what exactly will be in the requirements, of which there are more than twenty under the bill: what requirements for depersonalization will be established, what requirements will be for data transmission channels to the state information system, whose system it is, what technical characteristics it has, what requirements are planned for datacets, etc.

All this needs to be clarified in order to understand how much it will cost the state and the industry, because there are situations when it is necessary to purchase some kind of equipment, perhaps some kind of software for depersonalizing data, Irina Levova noted.

The adoption of this bill will entail the need for many other by-laws, and there are procedures that allow businesses to participate in their discussion, said Maksut Shadayev. At the same time, the standard for state information systems is already strictly set, a lot of requirements are imposed on them, including safety requirements. And in terms of the bill on impersonal data, "half of the acts" should be issued in agreement with the FSB, including the method of impersonal identification, the procedure for interaction, requirements for users who will gain access to the data, the minister added.

Eldar Gayfutdinov, Deputy Head of the Office of the President of the Russian Federation for the Development of ICT and Communications Infrastructure, stressed that the bill is a legal basis for developers, and it should become a starting point for the formation of a data economy.

The Ministry of Digital Development of the Russian Federation introduces a mechanism for state regulation of the collection and provision of access to impersonal information

At the end of June 2024, it became known that the Ministry of Digital Development of the Russian Federation had developed a new version of the bill on impersonal data - information whose belonging to a specific subject cannot be determined without additional information. It is assumed that the state will regulate the process of collecting data and providing access to them.

The initiative involves the creation of a state information system (GIS), where business will transfer personal data of its clients and employees free of charge. The bill, as stated, is aimed at "providing favorable legal conditions for the collection, storage and processing of data using new technologies," in terms of establishing the procedure for depersonalizing personal information and obtaining consent to its processing. It is assumed that the requirements introduced will help reduce the volume of turnover of processed personal data and increase their security.

Unsplash

The new version of the bill, according to Forbes, provides that the Russian government will establish requirements for data packages and the timing of their submission to the GIS. In addition, the authorities will determine who and under what conditions - free or on a paid basis - will access these datasets.

In fact, the document assumes that commercial companies will be able to exchange impersonal data only through the "state lake." According to Alexandra Orekhovich, a teacher at the Moscow Digital School educational platform, the essence of the new bill boils down to the fact that all companies, without exception, are obliged to transfer arrays of personal data at the request of the Ministry of Digital Development. At the same time, the person himself has no opportunity to influence the transfer of his personal information, as well as withdraw them from the system.

This can be any data. In theory, the company is obliged to depersonalize them, but if it cannot, it will transfer undisclosed personal data to the Ministry of Digital Development. At the same time, no one asks the owner of such information, the subject itself, no one is obliged to inform him about the fact of the transfer, says Orekhovich.[3]

Roskomnadzor will depersonalize data on blocking sites

On February 2, 2024, Roskomnadzor published an order on changes in the rules for the operation of the information system, through which operators receive data on blocked sites. The agency proposes to depersonalize information related to the procedure for restricting access to network resources. Read more here.

2023

The Ministry of Digital Development has developed two ways to depersonalize the personal data of Russians

In early December 2023, it became known that the Ministry of Digital Development of the Russian Federation had prepared amendments to the law "On Personal Data," defining two mechanisms for depersonalizing personal information. Such a process is necessary, among other things, for the formation of large-volume datacets designed to train artificial intelligence models.

According to the Vedomosti newspaper, one of the options proposed by the Ministry of Digital Development assumes that personal data operators will depersonalize the information they receive on their own. The second scheme provides for the transfer of information to the Ministry of Digital Development in its original form: in this case, depersonalization will be carried out by the Voskhod Research Institute subordinate to the Ministry of Federal State Institution. This approach, it is argued, will allow combining data cleared of markers indicating a specific person, from hundreds of state systems, registers and databases.

The Ministry of Digital Development of the Russian Federation has prepared amendments to the Law "On Personal Data," defining two mechanisms for depersonalizing personal information

Depersonalization of personal data is necessary to ensure security. After performing such a procedure, cybercriminals will not be able to use the information in case of leakage for fraudulent purposes. The Ministry of Digital Development notes that impersonal data of a large volume will become available to developers, primarily for the development of applications and AI services. We are talking about arrays of information that do not allow the reverse restoration of markers and identity identification. Such datacets will be able to exchange departments and business.

However, from the point of view of personal data operators, the process of depersonalization is ambiguous. Despite the fact that this does not require any special equipment, additional server power is needed, which often only large companies have. In addition, as of the end of 2023, there are no official recommendations on what methods of depersonalizing information should be used by personal data operators.^[4]

Head of Ministry of Digital Development Shadayev reported to Putin about new approaches to depersonalizing big data

July 19, 2023 Minister of Digital Development, Communications and Mass Media of the Russian Federation Maksut Shadayev reported to the president Russia Vladimir Putin on joint work State Dumas with the Information Policy Committee on a bill on the regulation of big data. As specified in the press service, Ministry of Digital Development amendments to the law on data depersonalization were prepared:

• priority - issues of ensuring the protection of citizens' rights when processing big data and using AI technologies;
• the procedures for depersonalizing big data have been agreed and the procedure for forming the necessary data sets for machine learning, as well as the conditions for access to them by neural network developers, has been clearly regulated;
• there is a direct and unambiguous ban on the processing of big data if this can lead to the risk of harm to the life, health, safety and property of citizens;
• external developers can access large data only if any information is excluded that will allow identifying a specific citizen;
• external access to the formed data is prohibited to foreign persons and Russian legal entities with preferential foreign participation.

Vladimir Putin at the meeting

According to Ministry of Digital Development, the department creates an appropriate state information system to organize work with big data. Impersonal datacets will be loaded into it by both government agencies and business, access to which will be provided to authorized developers. Such impersonal data sets cannot be unloaded from it and taken away. It will be possible to test and train their neural networks on them, the ministry added.

The fact that a depersonalization center may appear in the Ministry of Digital Development in 2024 was told in early July 2023 by the deputy head of the department, Alexander Shoitov. According to him, to create a center, it will first need its layout - a special software and hardware complex. At the same time, during the creation of the model, research will be carried out in the field of depersonalization of personal data.^[5]

Roskomnadzor told about the future model of working with impersonal personal data

In mid-June 2023 Roskomnadzor , the told about the future model of working with impersonal personal data. According to the deputy head of the department, Milos Wagner the service supports the proposed Ministry of Digital Development of the Russian Federation model of working with data, where personal information of citizens is in a protected circuit, without being taken out, with the study of models and technologies obtained as a result of the use of such information.

This will minimize the risk that instead of artificial intelligence technologies, the services of "Internet penetration and other intelligence on open sources" will receive development, "he explained.

Roskomnadzor supports the proposed Ministry of Digital Development of model of working with data, where personal information of citizens is in a secure circuit, without being taken out

According to Wagner, impersonal data still remains personal data, since it characterizes a person, maybe without direct identifiers. By June 2023, the exchange of impersonal data of citizens is already underway, and their owners cannot do anything about it, said a representative of Roskomnadzor.

The topic of business development through access to personal data is now very relevant. But we must do this so that citizens whose data will be operated on do not turn into silent and disenfranchised observers of how their personal information is transmitted and disseminated, "said Milos Wagner.

Earlier in June 2023, the Ministry of Digital Development reported that the department expects that the law, which obliges business and the state to form impersonal datacets for AI training, will be adopted in the spring session of the State Duma in 2023. The law is designed to regulate the method of depersonalization.

By June 2023, a project is being implemented in the Russian Federation to create a national "data lake," which should systematize the storage and processing of data for state analytical services, simplify the preparation of reports by government agencies and budget organizations - thanks to the automated formation of documents according to given algorithms. All collected data will fall into the lake in an impersonal form.^[6]

2022

Ministry of Digital Development will allow companies to independently depersonalize data

On October 7, 2022, it became known that the Ministry of Digital Development of the Russian Federation would allow business to independently depersonalize the personal data of Russian users before being transferred to the National Data Management System (NSD). The agency has developed appropriate amendments to the law "On Personal Data."

According to Vedomosti, the concept of creating a unified data system approved by the Government of the Russian Federation assumed a new approach to working with public data from 2022: the unification of the processes of their collection, processing, storage and use. In May 2021, the Ministry of Economic Development and Ministry of Digital Development prepared a bill on the creation of the NSD, which would just have to perform these functions. On the platform, it was planned to combine data from hundreds of state systems, registers and databases so that departments and businesses could exchange them. In May 2022, the departments presented a revised version of the document, which proposed to provide business with the opportunity to receive national data on a paid basis and use the NSD infrastructure.

Freepik

The Experimental Legal Regimes (EPR) Act provided for the possibility of using impersonal data to train artificial intelligence (AI). Development companies and big data market participants were supposed to be able to work out technologies and train models on various types of data.

Irina Zinovkina, director of consulting at InfoWatch Group of Companies, believes that it will be much easier for companies to depersonalize the data they process than for a single future aggregator to process the data flow from everyone.

Nikita Nazarov, technical director of the IT company HFLabs, added that it is more reliable to depersonalize data on its own and only then transfer it to the information system in terms of protection against leaks.^[7]

Business may be required to transfer customer data to the authorities without depersonalization

On July 12, 2022, it became known that business could be forced to transfer personal information of citizens to the government upon request, which would be depersonalized by the authorized body without the consent of the person himself. The corresponding bill was prepared by the Ministry of Digital Science of the Russian Federation.

As noted, the first version of the bill, which passed the first reading in March 2021, provided that depersonalization data could only occur with the consent of a person, and business could then freely use them.

After that, the Ministry of Digital Development submitted the draft law finalized for the second reading to the government three times. The third version included a requirement for businesses to transfer already impersonal data to the state.

According to the latest version of the document, business is obliged to transfer information to the state upon request. This does not require the consent of the subject of personal data, that is, the client.

The composition of the information and the purpose of its use will be determined by the government. Government agencies, as well as domestic developers of artificial intelligence, will receive free access to it.

As the source noted, the bill in its current form is aimed at transferring personal data to government services, and not at regulating the impersonal data market. In fact, it is aimed at monopolizing this market^[8] to^[9].

Chernyshenko instructed to develop a plan to open databases of impersonal data of the Rosselkhoznadzor, the Federal Tax Service and Rosstat to companies to create AI systems

At the end of January 2022, it became known about this Ministry of Digital Development order of the Deputy Prime Minister Dmitry Chernyshenko to develop a plan to provide businesses with access to state impersonal data for training. artificial intelligence It is assumed that the first access to their data sets will be opened,,, and Rosselkhoznadzor. FTS Rosstat Ministry for the Development of the Russian Far East Federal Registration Service

Chernyshenko instructed companies to open databases of Rosselkhoznadzor, FTS and Rosstat to create AI systems

The fact that Dmitry Chernyshenko instructed the head of the Ministry of Digital Development, Maksut Shadayev, to submit an agreed schedule for ensuring business access to data sets of ministries and departments by February 1, 2022, writes Kommersant with reference to a document prepared following a meeting with the heads of digital transformation of ministries and departments. The press service of Chernyshenko confirmed this information to the publication and said the following:

Amendments to legislation are being worked out to provide developers of AI solutions with access to state data sets, and to resolve issues of depersonalization.

The Ministry of Digital Development clarified to the newspaper that the department included in the schedule:

• conducting strategic sessions;
• development of standards for industry solutions using AI;
• publication of the results of the introduction of AI in federal executive bodies;
• Create a single repository of datasets and their policies.

According to Pavel Svarnika, director of the Lanit-Integration Strategic Development Center, data sets accumulated by the state during many years of digital interaction with citizens and legal entities are a source of endless information for business. They will allow adjusting tariffs for services, launching demanded services, more precisely predicting the parameters of investment projects, and business, in turn, can take on part of the burden of providing public services, the expert believes.^[10]

2021

The Ministry of Digital Development has developed a procedure for the removal of impersonal personal data

As it became known in early September 2021, the Ministry of Digital Development of the Russian Federation has developed a procedure for the removal of impersonal personal data. The document defines the rules for the destruction of information by a participant in an experimental legal regime (EPR) when such status ceases.

According to RIA Novosti with reference to the relevant order of the Ministry of Digital Development, it provides for the timing of blocking and destroying impersonal data, the procedure for fixing their destruction and sending relevant documents to the controlling and authorized bodies.

The Ministry of Digital Development presented the procedure for deleting impersonal personal data

According to the document, in cases of termination of the status, the EPR subject blocks impersonal data no later than the end of the working day following the day of termination of the status, and destroys impersonal data within up to seven working days from the date of such a case. To destroy impersonal data, the information protection means that have passed the compliance assessment procedure are used, which includes the information destruction function.

The fact of destruction of such data should be recorded in the act, which indicates information about the date, time and place of its compilation, about the carriers of impersonal data, about the list and volume of information destroyed, as well as about the means of information protection through which the destruction was carried out. This act must be sent Roskomnadzor FSB to and within three working days from the date of destruction of impersonal data.

Copies of documents, materials and other information are attached to the certificate, which confirms the fact of destruction of impersonal data. In case of failure to provide the necessary documents, the supervisory authority may decide to carry out control measures against the subject of the experimental legal regime.^[11]

The Ministry of Digital Development will allow business to depersonalize the personal data of Russians without their consent

At the end of May 2021, it became known about the new version of the bill regulating the circulation of impersonal data in Russia. According to the document developed by the Ministry of Digital Development, Communications and Mass Media of the Russian Federation, companies will be able to depersonalize these Russians without their consent. This innovation will not affect several categories of citizens, including law enforcement officers, judges, victims, witnesses and other participants in criminal proceedings.

As Kommersant writes with reference to the updated bill of the Ministry of Digital Development, it retains the requirement for business to transfer impersonal data to the state "for state and municipal administration." At the same time, it is stipulated that their transfer to developers of services based on artificial intelligence will be carried out no earlier than three years later. The developers will receive these for free.

The Ministry of Digital Development will allow business to depersonalize the personal data of Russians without their consent

The Ministry of Digital Development claims that the new version took into account some proposals of the Big Data Association, which includes Yandex, VK (formerly Mail.ru Group), Sberbank, Gazprombank, Tinkoff Bank, Qiwi, MTS, MegaFon, VimpelCom, Rostelecom, oneFactor.

The bill does not have enough information about what should be considered impersonal data, how and in what form they should be transmitted, and if the document is adopted, this "may lead to a decrease in the privacy and security of user data," Yandex told the publication.

Experts interviewed by the newspaper call the new option a compromise: in three years, the commercial value of the data will already be exhausted, but it will still be in demand for the development of AI models.

According to Vadim Perevalov, a member of the Commission on Legal Support of the Digital Economy of the Moscow Branch of the Russian Bar Association, refusing to require Russians to agree to depersonalize personal data brings Russia closer to European regulation.^[12]

Ministry of Digital Development plans to allow the sale of impersonal data of Russians

In early March 2021, it became known about the proposal to Ministry of Digital Development of use impersonal personal data of Russians "including for entrepreneurial activity." The agency has developed amendments to the draft federal law "On Amendments to the Federal Law" On Personal Data, "which was adopted by the State Duma in the first reading on February 16, 2021.

According to the proposed Ministry of Digital Development of amendments, the depersonalization of personal data can be carried out only with the consent of the subject or in other cases provided for by the legislation of Russia in the field of personal data.

Freepik

As conceived by the ministry, business will be able to freely process impersonal data. At the same time, in order to ensure the protection of personal data of Russians, it is proposed to introduce a number of restrictions for operators who process data. For example, the operator will not be able to use other information, actions and methods that will help determine the ownership of personal data to a specific subject.

In addition, in addition to impersonal data, it will be prohibited to transfer information to third parties that will identify a specific person. De-denigration of data will be banned, except in cases where it is necessary to protect the life or health of a person.

The bill will increase the effectiveness of the system for protecting the rights of personal data subjects - our citizens, as well as enable businesses to use data obtained as a result of depersonalization. At the same time, the rights of Russians to safely process and preserve their personal data will be respected, - said Dmitry Reutsky, Acting Director of the Information Security Department of the Ministry of Digital Development.

As RBC notes, the Ministry of Digital Development offers companies to use impersonal personal data of Russians, provided that there are no attempts to establish the identity of their owner. But experts interviewed by the publication believe that it will be difficult to follow this.^[13]

2013: Data Depersonalization Legal Requirements

The depersonalization of personal data should provide not only protection against unauthorized use, but also the possibility of their processing. To do this, impersonal data must have properties that preserve the main characteristics of impersonal personal data ^[14]."

Impersonal Data Properties

• completeness (preservation of all information about specific subjects or groups of subjects that was available before depersonalization);
• structuring (preservation of structural links between the impersonal data of a particular subject or group of subjects corresponding to the links available before the impersonal);
• relevance (the ability to process requests for processing personal data and receive answers in the same semantic form);
• semantic integrity (preservation of semantics of personal data during their depersonalization);
• applicability (the possibility of solving the tasks of processing personal data facing an operator who depersonalizes personal data processed in personal data information systems, including those created and functioning within the framework of the implementation of federal target programs (hereinafter referred to as the operator, operators), without first de-exposing the entire volume of records about entities);
• anonymity (impossibility of unambiguous identification of data subjects obtained as a result of depersonalization without applying additional information).

Typical approaches to data depersonalization

• Data not de-identified (NDA use with contractors)

• Data features are lost after depersonalization (excessive data masking)
• Data connectivity is lost after depersonalization
• There is no single tool for data depersonalization
• Only data is de-identified according to the appendix documentation
• Same data depersonalization policies for different tasks
• Data depersonalization takes a long time
• After changing sources (for example, after installing patches), significant time is required to change depersonalization processes

Depersonalization of the most critical data in real time

What data should be masked in real time?

• VIP customer data
• Contact information
• Financial information
• Trade secret
• Any other sensitive information
• Information to which different user groups have access

Notes