New legal initiatives to regulate Big Data
30 November 2018Big Data is a new technological phenomenon which has emerged in the context of today's global digital economy. It is normally used in conjunction with other innovative digital products, such as artificial intelligence, cloud computing and the Internet of Things.
Big Data is generally treated as any other form of information defined by the so-called 'three Vs' – that is:
- variety;
- volume; and
- velocity.
Although there is no universal or international legal definition of 'Big Data', Section 3.1.1 of ISO/IEC TR 20547-5:2018 (Information technology: Big data reference architecture – Part 5: Standards roadmap) provides the following official standard: "extensive datasets — primarily in the characteristics of volume, variety, velocity, and/or variability — that require a scalable architecture for efficient storage, manipulation, and analysis".
Many high-tech companies and IT service providers, including those operating on the e-commerce market, actively collect, use and process Big Data (eg, user data) through different methods (eg, profiling) for certain commercial reasons.
In Russia, Big Data has become a key area of interest for both digital businesses and the government. As regards the latter, two bills were recently submitted to Parliament for discussion:
- Bill 424632-7 on the Amendment of Parts 1, 2 and 4 of the Civil Code of the Russian Federation (the Digital Rights Bill); and
- Bill 571124-7 on the Amendment of the Federal Law on Information, Information Technologies and Data Protection (the Big Data Bill).
Both bills are essential developments, especially given the increasing interest in and high value of Big Data in the current digital reform. This article provides a brief overview of the relevant terms and provisions of each bill.
Digital Rights Bill
In addition to such innovative notions as digital rights and digital currencies, the Digital Rights Bill touches on the potential media for presenting Big Data by amending the existing definition of a 'database' set out in Article 1260(2) of the Civil Code. It also introduces a new type of civil law contract (ie, the data provision service agreement) by introducing a new Article 783(1) to the Civil Code. Notably, one of the main purposes of the Digital Rights Bill is the creation of a legal framework for collecting and processing "significant arrays of anonymous information", which is referred to as Big Data in the explanatory notice to the Digital Rights Bill.
Article 3 of the Digital Rights Bill proposes to amend the definition of 'database' set out in Part 4 of the Civil Code. Under Article 1225 of the code, a database is an individual form of intellectual property, which may be protected by copyright or related rights.
Article 1260(2) of the Civil Code defines a 'database' as an objectivised set of individual materials (eg, articles, calculations, normative acts, court decisions and other similar materials) systemised in such a manner that they can be searched for and processed using a computer.
Legally, from an IP perspective, where a database comprises materials protected by copyright or the systematisation and arrangement of certain content has creative value, the database is protected by copyright law. Where a database's content has no creative value, it may still be protected by a related rights law where the database maker can prove that it made a considerable financial, material or other investment to create the database, including when processing and including the relevant materials in the database. In this regard, unless proven otherwise, the Civil Code presumes that such 'considerable investment' takes place where the database contains no less than 10,000 individual data elements (materials).
The Digital Rights Bill suggests modifying the definition of a 'database' to encompass "individual data or information, including information on events and other facts". In other words, if the bill eventually becomes law, the definition of a 'database' will be broadened slightly to cover all types of information that is collected and processed, including Big Data. According to the explanatory notice to the Digital Rights Bill, such an amendment aims to address the current restricted interpretation of the definition.
In addition, the Digital Rights Bill proposes to regulate data provision service agreements (Article 2). Under this new contractual instrument, contractors will undertake to provide certain information to customers. Data provision service agreements may stipulate the obligation of one of the parties (or both parties) to refrain from performing activities which will result in the disclosure of information to third parties for a certain period. Therefore, if the bill eventually becomes law, this new type of civil law contract will allow parties to conduct business with Big Data on legitimate grounds.
Big Data Bill
The Big Data Bill proposes to introduce the following terms and definitions into the Federal Law on Information, Information Technologies and Data Protection:
- 'Big user data' – a set of information about an individual and/or their behaviour which includes no personal data, making it impossible to identify the individual without additional information or data processing. Such information can be collected from various sources, including the Internet (from more than 1,000 IP addresses).
- 'Big user data operators' – these include federal government authorities, government authorities of a Russian constituent, local government agencies, legal entities or individuals which:
- organise or process big user data independently or together with other persons; and
- determine the purpose of big user data processing, the volume of data subject to processing and the actions (operations) performed with big user data.
- 'Big user data processing' – any action (operation) or a set thereof performed by automated or other means involving big user data, including the collection, recordation, systematisation, accumulation, storage, clarification (eg, updating or modification), retrieval, use, transfer, deletion or destruction of big user data.
Further, the Big Data Bill introduces the following obligations on big user data operators prior to commencing Big Data processing:
- Big user data operators must publish an informational message on their website or, in the absence of such a website, by any other means available informing users of the terminal (equipment) in electronic form of their intention to perform such processing (except when such Big Data processing assumes, at no cost or for a fee, the transfer of big user data to third parties, the receipt of big user data from third parties or other processing of big user data for third parties (so-called 'big user data for the purposes of third parties')). Roskomnadzor must provide the requirements for the informational message and its form.
- For the purposes of third parties, big user data operators must obtain the informed consent (in electronic form) of users of the terminal (equipment) in order to identify their IP address ('informed consent'). Roskomnadzor must provide the requirements for this informed consent and its form.
- Big user data operators that undertake processing, including the collection of big user data by identifying at least 100,000 IP addresses (except federal government authorities, government authorities of a Russian constituent and local government agencies) must notify Roskomandzor of their intention to process big user data for third parties. The notification for Big Data processing must contain:
- the full name (first name, middle name and surname) and address of the big user data operator;
- the purpose of processing the big user data;
- a list of the actions involving the big user data;
- a general description of the processing methods used by the big user data operator; and
- the date of commencement of processing big user data for the purposes of third parties.
The Big Data Bill emphasises that big user data operators do not have the right to perform processing without fulfilling the abovementioned obligations. Further, the activities of business entities belonging to the same group of persons in accordance with the national competition legislation – in terms of transferring and/or receiving big user data and other processing of big user data between them – are not regarded as Big Data processing for the purposes of third parties.
In addition, the Big Data Bill proposes to implement a federal state IT system known as the Register of Big User Data Operators. The register must be created and maintained by Roskomnadzor, which may engage the respective organisations to do so. The register will be formed on the basis of information provided by big user data operators in accordance with the Federal Law on Information, Information Technologies and Data Protection. Big user data operators' notification for Big Data processing will form the basis for their inclusion in the register.
Finally, the Big Data Bill empowers Roskomnadzor to control and supervise Big Data processors' compliance with the established legal requirements. For these purposes, Roskomnadzor can:
- request certain information from individuals and legal entities;
- check that the information provided in notifications of Big Data processing is correct; and
- perform other activities to ensure that Big Data processing is legitimate.
Comment
These bills are the first legal attempt to regulate the commercial use of Big Data in Russia and have been severely criticised by the IT community. The Digital Rights Bill will be subject to subsequent readings and parliamentary approval before the president signs it into law. Despite the fact that the Big Data Bill was declined for financial and budgetary reasons, members of Parliament can obtain an official government opinion in support of the proposed (initial) draft. Alternatively, the initial text of the bill can be redrafted and the amended version can be resubmitted for a new consideration by Parliament in the future. Therefore, high-tech-businesses should keep an eye on any legal developments in this regard.