2022/07/06 10:43:37

Protection of personal data in countries of the world


The digital transformation of the state, business and society carries new risks and threats to information security. Corporate databases containing names, dates of birth, ID numbers and other sensitive information about employees or customers are increasingly being targeted by cybercriminals. So-called "identity theft" is becoming commonplace. Neither the political regime in a country nor the level of its economic development affects the security of its citizens' personal data.

Identity theft (the term first appeared in 1964) is a crime in which a person's personal data is illegally used for material gain.

Identity theft is one of the main concerns of U.S. citizens, according to surveys. In the United States, the SSN (Social Security Number) is used as an identity card. This number is requested by a large number of organizations to confirm the identity of citizens. By stealing an SSN, attackers can, for example, ruin their victim's credit history. In the UK, the NINO (National Insurance number) and the NHS number (National Health Service Number) are used to carry out identity theft.

Protection of personal data in Russia

Main article: Protection of personal data in Russia

GDPR (EU Personal Data Regulation)

Main article: GDPR (EU Regulation on Personal Data)

2022

"Three EU countries" and the UK agreed to share their citizens' biometric data with the US

On July 4, 2022, it became known that the United Kingdom had signed an agreement with the US authorities to share biometric data on citizens held by the police with US border services.

Representatives of the body met "informally" with U.S. Department of Homeland Security officials to discuss the program, according to a member of the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE).


The program is under the auspices of the Enhanced Border Security Partnership (EBSP), which is designed to increase the ability of the US Department of Homeland Security to detect threats through the exchange of biometric information. Israel joined that agreement in March 2022.

LIBE committee member and Pirate Party MEP Patrick Breyer said that during a meeting last week the committee found that the UK, and three other EU member states whose identities have not been revealed, had already signed an agreement to resume US visa practices, which provide access to biometric police databases.

In the UK, the Home Office did not deny that it had signed a cooperation agreement. A spokesman said:

"The UK has a long and close partnership with the US, which includes sharing data for specific purposes. We regularly discuss with them new proposals or initiatives aimed at improving public safety and ensuring legal movements."

Under UK law, police can store a person's DNA and fingerprint samples for three years from the time those samples are taken, even if the person has been arrested but has not been charged, subject to approval from the biometrics commissioner. Police can also apply for a two-year extension. The same applies to those who are charged but not sentenced.

MEP Breyer, answering a question about exactly what data the United States wants to get, said that the answer is as much as possible. Asked what would happen at the U.S. border if the traveler was known to police in the program's participating states, he said the decision would be made by a U.S. immigration official on a case-by-case basis.

According to reports, the Enhanced Border Security Partnership (EBSP) initiative will initially be voluntary, but will become mandatory by 2027 under the US Visa Waiver Program (VWP), which allows visa-free entry into the US for up to 90 days.[1]

UK fines Clearview AI $9.4m for collecting images of people's faces without their consent

On May 23, 2022, it became known that Great Britain had fined the American facial recognition company Clearview AI Inc. more than 7.5 million pounds sterling ($9.4 million or €8.8 million) for collecting images of people's faces without their consent. The British data watchdog also ordered the company to stop collecting the personal data of the country's residents and to remove their data from its systems. Read more here.

FTC accused a number of heads of the XYZ.com registry of illegally collecting personal data of citizens

On January 17, 2022, it became known that the US Federal Trade Commission (FTC) accused a number of heads of the XYZ.com registry of illegally collecting personal data of citizens and subsequently reselling it to third parties. Read more here.

2021

Chinese authorities have banned the transfer abroad of data collected by car electronics

On August 12, 2021, the Chinese government demanded that automakers strengthen data protection and store key data of local production only in the country.

According to the new policy, published on the website of China's Ministry of Industry and Information Technology, local automakers must obtain regulatory approval both when they need to export important data and before updating automotive systems.

The policy does not provide for penalties if companies do not follow the rules, but this is guaranteed only until the end of 2021.

It comes amid a push by China to secure data generated by already connected cars, as the proliferation of smart cars such as Tesla's increases concerns among security agencies about the country's national security.

In April 2021, China published the second version of a draft law on the protection of personal information, which calls on technology platforms to take stricter measures to ensure the safe storage of their users' data.

The Cyberspace Administration of China said in a statement that it is necessary to carefully eliminate the problems that have been resolved, ensuring the complete information security of users.

The new rule will significantly tighten the authorities' supervision of the country's largest companies, Bloomberg predicts. The publication calls the requirement the most specific step by China to limit the capabilities of companies.

In September 2021, the Data Security Act will be implemented, which requires companies that process critical data to conduct risk assessments and report on their activities.[2]

In Europe, IT companies were allowed to scan the personal correspondence of users of their services

In early July 2021, the European Parliament approved a law that gives IT companies the right to monitor the personal correspondence of users of the services of these companies in the EU in order to prevent the spread of child pornography.

According to the government document, tracking of illegal content will be carried out using a special program that will scan sent photos, videos and text messages, as well as traffic data. The project is designed for three years. During this time, it is expected to be possible to agree on new permanent rules to combat child sexual abuse online.

537 MEPs voted for the bill, 133 against and 24 abstained. Despite the result, European lawmakers warned the rules were "legally flawed." MEPs also condemned the pressure they were under over the approval of the law. Some called it "moral blackmail."

"Whenever I asked sharp questions on the merits, immediately there were doubts about my commitment to the fight against child pornography," said Dutch MEP Sophie in 't Veld.

Some parliamentarians are confident that allowing IT companies to check personal correspondence will provide them with loopholes for more complete surveillance of users. This claim was supported by European data protection regulators, who warned the European Parliament that the bill would undermine EU privacy rules.

According to Sophie in 't Veld, although the law was approved, it is unlikely that it will take effect after all, since it has yet to undergo judicial consideration. Given the many contradictions with privacy laws, the European Court of Justice is unlikely to allow its application.[3]

IKEA fined €1 million for mass surveillance of visitors and employees

IKEA was fined 1,000,000 euros for mass surveillance of visitors and employees. This became known on June 16, 2021. Read more here.

2020

US authorities ordered YouTube, Facebook and other companies to talk about methods of collecting and processing personal data of users

The US Federal Trade Commission gave Facebook, Twitter, WhatsApp, YouTube, Amazon, ByteDance, Discord, Reddit and Snap 45 days to do this.

According to a statement by three members of the commission, "the FTC wants to understand how business models affect what content Americans see and hear, who they communicate with and what information they share," CNBC wrote in December 2020.

The regulator is also interested in whether the methods of companies affect children and adolescents, as well as what is the financial interest of social networks and video streaming services.

Western media platforms have repeatedly found themselves at the center of scandals over the collection of user data. For example, Google secretly collected personal data about the treatment of patients and monitored its employees.

Twitter leaked users' phone numbers and email addresses to advertisers. YouTube collected data about children for advertising, and Facebook collected information about users and offered to make money on it.

Kazakhstan approved the rules for the collection and processing of personal data

In November 2020, the order of the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan "On the approval of the rules for the collection and processing of personal data" came into force. The rules apply to relations arising between owners, operators, entities, as well as third parties in the process of collecting and processing personal data. Read more here.

The European Union allowed business to open access to depersonalized personal data for the development of new services

At the end of November 2020, the European Union introduced new rules allowing companies to access depersonalized public and personal data. This will allow European companies to compete with American and Asian tech giants and encourage innovation in areas such as climate and health protection. Read more here.

Publication of a ban on European sites using the "cookie wall"

On May 7, 2020, it became known that the European Data Protection Board (EDPB) had published updated guidance on how sites obtain users' consent to process their information. Among other things, the guidance now prohibits sites from making access to them dependent on whether the user has given consent to the processing of their data (the so-called "cookie wall").

2019

Accenture: 69% of shoppers willing to ditch brand due to aggressive data collection

On November 1, 2019, it became known that Accenture interviewed 8,000 people in Canada, France, Germany, Italy, Spain, Sweden, Great Britain and the United States to find out what their experience with Digital Signage is and what determines user preferences when it comes to interacting with brands, retailers and service providers.

Almost 69% of consumers admitted that they would stop interacting with the brand if companies' collection of their personal data became too aggressive.

71% of those who participated in the survey replied that they were uncomfortable when brands had information about them and their families that they had not consciously provided.

More than 75% of those in the survey said they felt uncomfortable with data being collected using a microphone or voice assistant, and 51% noted that invasive advertising was on the rise.

At the same time, 73% of respondents are ready to share a large amount of information about themselves if brands are transparent about its future use. It is also noted that loyalty in this case has increased: in 2018, the same indicator was 66%.

According to the authors of the study, one of the tasks of brands is to show consumers the value of their personal information and to convince them that the brand does not abuse it and chooses the most comfortable and ergonomic way to collect data.

At the same time, 87% of consumers said it was important for them to shop with a brand or retailer that "understands me." To achieve this, the authors of the study advise brands to focus on every interaction with a customer along the way: from websites and mobile apps to physical stores. Accenture urges marketers to put people's interests first.

"Promising brands find ways to approach people's behavior in a humane and ethical way," the survey says.

The authors of the study assure that how brands manage the personal data they collect about customers is the key to shaping consumers' impression of goods and services. Incentives for authentication on websites and mobile applications are named as a tool for creating a smooth and unobtrusive user experience.

"The good news is that brands are well positioned to take a thoughtful approach to data and create a consumer experience, and yet build the trust and emotional connection customers crave," says Glen Hartman, head of Accenture Interactive in North America, one of the world's digital marketing experts.

According to Pavel Rodygin, head of Interactive Accenture in Russia, the problem of data collection in the Russian Federation is not yet as acute as in the West.

"It's not just that our brands aren't as active at collecting customer information. Rather, consumers are not fully aware of where and how they leave their data, and what risks this may be associated with," stated Pavel Rodygin.

According to Pavel Rodygin, the trend associated with user dissatisfaction is most noticeable in Russia in the financial sector, as well as when buying housing and cars.

"The need to provide personal or contact information in order to get loyal price conditions begins to cause rejection. Because of this, an increasing number of customers do not mind going to competitors who are ready to openly show the price and only ask for personal data if the offer or price really interested you," noted Pavel Rodygin.

Pavel Rodygin advises Russian brands to be transparent: people are more willing to share data when they understand how they will be used. And also not to be intrusive - you do not need to constantly "bombard" the client with your proposals, you need to create conditions so that it is easier for the client to find goods and services himself, for example, to use personalized recommendations. In addition, companies need to be careful - preventing the leakage of customer data, which often occurs not due to technical failures or external attacks, but due to the actions of their employees.

Companies in South Korea banned from collecting children's data without parental permission

In June 2019, the South Korean authorities passed new laws related to the protection of children's personal data. Companies will not be able to collect this information without the clear permission of their parents. Read more here.

2017

The journalist asked Tinder to send all the data about herself. She was sent an 800-page document

French journalist Judith Duportal requested[4][5] from the dating service Tinder all the data the company holds about her. It turned out to be an 800-page document with all the correspondence and interests of the user[6].

Duportal indicated that any citizen of the European Union can, in accordance with current legislation, demand the same from Internet companies. A data protection activist and a human rights lawyer helped her draft an email to Tinder.

The 800-page document Tinder sent contained:

  • information on all the men who liked Duportal;
  • all 1,700 messages she has sent since 2013;
  • dates of login and all correspondence;
  • her likes on Facebook;
  • Instagram photos;
  • information about her education;
  • information on the age of men who are interested in her.

"I was amazed at how much data I voluntarily disclosed: from location, interests and work to images, musical tastes and food preferences," Duportal writes. She notes that all Tinder users do this by registering with the service and accepting its terms.

The European Union requires social networks to open access to correspondence to the authorities

The EU authorities are actively putting pressure on social network operators and manufacturers of secure messaging applications, demanding that law enforcement agencies be able to instantly access the content of the suspects' correspondence.

In June 2017, the European Commission plans to consider the possibility of adopting relevant laws. European Commissioner for Justice Vera Jourova says politicians across Europe are demanding new legislation from the European Commission that will provide law enforcement officers with the ability to bypass encryption in instant messaging applications.[7]

In particular, back in the summer of 2016, the ministers of France and Germany openly called the Telegram Messenger application a problem that requires a solution. French Interior Minister Bernard Cazeneuve said that the European Commission should pass laws obliging IT companies to remove encryption from the messages of those suspected of terrorist activities at the first request of law enforcement agencies, and suggested imposing severe sanctions on those who refuse to assist.

According to Jourova, "three or four" options for solving the "problem" of encrypted communications are being considered, ranging from voluntary agreements between IT companies and law enforcement agencies to the adoption of laws obliging the former to remove encryption on demand.

"To date, investigators, judges, police and other law enforcement agencies depend on the goodwill of [secure messenger] operators and their willingness to provide access and evidence. We cannot ensure the proper level of security of Europeans, being dependent on someone's goodwill," said Jourova.

The European Commissioner also made it clear that the European Commission expects active resistance from social media operators, and that "voluntary agreements" with them, if they can be achieved, will only be a temporary measure. The adoption of relevant laws will inevitably follow, even if their preparation and adoption take several years.

Earlier in the EU countries, it was already proposed to impose sanctions against social media operators if they refuse to meekly cooperate with the authorities. For example, in Germany, it was proposed to fine companies such as Facebook and Twitter 50 million euros if they do not delete and block "obviously criminal" content within 24 hours after it appears.

In addition, calls were made for operators of social networks to change the conditions for using their services so that they comply with the laws of the European Union. This, first of all, is about making these companies responsible for their actions under European laws.

It is worth noting that similar processes are taking place in the United States: law enforcement agencies are trying to achieve privileged access to encrypted communication channels in order to simplify their work to capture criminals and terrorists. In particular, a legal dispute between the FBI and Apple became widely known: the FBI leadership demanded that Apple remove encryption from the correspondence of the "San Bernardino shooter," the Islamic terrorist Rizwan Farouk, who killed 14 people in 2015 and wounded 22 more.

Apple categorically refused to open access to Farouk's smartphone, citing the rules for ensuring the privacy of its customers. As a result, Apple won in court, but only "technically": the US authorities declined to continue the case, having received an access code to Farouk's smartphone from an outside source.

Obviously, however, this case will not be the last, and operators of social platforms will resist to the end. The main argument on their part is the lack of guarantees that law enforcement alone will receive privileged access, not someone else.

"Of course, for law enforcement agencies, the prospect of obtaining instant, without unnecessary bureaucracy, access to the correspondence of suspects, or better, all users of social media in general, is extremely tempting. This is a general trend in the world. As a pretext, as usual, a terrorist threat is used, but in such cases there is always a danger that completely innocent people will suffer from the actual destruction of the secrecy of correspondence," says Dmitry Gvozdev, general director of the Security Monitor company. "Most likely, in response to laws forcing to remove encryption from some messengers, others will appear, in other jurisdictions where there are no such strict requirements. Whether the obligation to transfer access will become mandatory everywhere, time will tell."

SAP: New data protection requirements in Europe will kill start-ups

In January 2017, the German enterprise software manufacturer SAP criticized the tightening of data protection requirements in Europe. According to the company, the new law will kill startups.

In April 2016, the European Parliament approved a reform on data privacy. The new rules regulate data processing standards in the field of police and legal cooperation, the creation of a single level of data protection throughout the European Union, as well as the ability to provide citizens with control over their personal data on the network.

The bill, which will come into force in May 2018, toughens the punishment of companies for leaking their customers' data. For each such loss of user information, a company will face a fine of up to 4% of total revenue, but a maximum of 20 million euros.

According to Bernd Leukert, director of product development and innovation development and member of the board of directors of SAP, such a punishment is too high, especially for one leak.

"If you have 25 violations, you will lose all revenue. Growing bureaucracy complicates work in your business segment and makes growth difficult, and these days speed is very important," said Leukert.

According to him, the reform on data privacy will hurt European startups. In particular, small companies operating in the field of sales and marketing and processing a large amount of customer data will suffer, the Financial Times said.

In addition, there is a danger that EU data protection rules will become widespread outside the European Union, for example, in the United States.

"We could have local rules, but we will have to solve these issues at the global level," complained the top manager of SAP.

Earlier, SAP Chief Financial Officer Luka Mucic questioned the relevance of the EU concept of data privacy. In his opinion, the law will impede the development of many new technologies, including Big Data and machine learning.[8]

2016

UK personal data scam breaks records

According to a study by Cifas, a non-profit agency for the collective use of data and the prevention of fraud in this area, in 2016 cases of identity theft in the UK reached an unprecedented high level [9].

In 2016, there were a record 172,919 cases of identity fraud - more than in any of the previous years. This is supported by statistics from the Cifas national fraud database, where 227 such cases have been recorded. To date, personal data fraud cases account for more than half of all Cifas fraud cases, with 88% of them committed online.

Fraudsters use a variety of methods to gain the trust of the victim: mail theft, hacker attacks, obtaining information on the "dark web," obtaining personal data on social networks, or using "social engineering" methods, when an attacker posing as an employee of a bank, police or verified retailer manages to convince the victim to disclose personal data.

The PSD2 Directive obliges banks in the EU to provide APIs for third parties

European financial market participants are actively using big data technologies, and do so under strict regulation and unified data exchange.

Payment Services Directive Part Two (PSD2)

  • entered into force on the territory of the European Union in January 2016
  • should be implemented by the participating countries within a two-year period
  • deprives banks of a monopoly on managing customers' money - providing APIs for third parties will become not a right for them, but a duty

Customers will be able to choose third-party innovative interfaces for accounts opened even in the oldest, conservative credit institutions.

Adoption of the European Regulation on Personal Data (GDPR)

In May 2016, the EU adopted the Pan-European Regulation on Personal Data (General Data Protection Regulation, GDPR), a replacement for the Data Protection Directive (officially Directive 95/46/EC on the protection of individuals in relation to the processing of personal data and on the free movement of such data). All organizations, regardless of their jurisdiction, must comply with the new rules if their activities are related to the processing of personal data of data subjects located in the EU (including citizens of the Russian Federation).[10] Read more here.

Restricting the transfer of data from Europe to the United States

In January 2016, it became known about the intentions of the European Union (EU) to exclude the possibility of transferring personal data of Europeans at the request of the American authorities due to concerns about possible surveillance by the National Security Agency (NSA).

According to Reuters, citing European Commissioner Vera Jourova, the EU wants to get guarantees from the United States to limit the powers of the American government to form requests for the disclosure of personal data of residents of European states.

"We need guarantees to ensure effective judicial control over the actions of state authorities regarding access to data for national security, law enforcement and the protection of public interests," Jourova said at a conference in Brussels.

According to EU data protection laws, companies cannot transfer personal information of citizens outside the European Union to countries in which the level of confidentiality does not meet EU requirements. The United States is among such countries.

In the fall of 2015, a court in Luxembourg invalidated the Safe Harbor agreement concluded between the EU and the United States on the exchange of data for commercial purposes. The agreement made it possible to store the personal information of Europeans on American servers. The court decision then noted that the transfer of personal data of users will be carried out in accordance with the strict requirements of European law.

By early 2016, Brussels and Washington had not been able to agree on a new bilateral agreement that would replace the Safe Harbor. The European Commission demands that negotiations be completed by the end of January 2016, otherwise it will begin to take coercive measures (which ones are not specified) against companies. Vera Jourova notes that Europe is striving for greater transparency of restrictions on the actions of the American authorities in collecting personal data.[11]
