Russian authorities apply GDPR-style rules to web analytics
1 March 2019
Introduction
On 30 January 2019 a website owner appealed a judgment of the Tagansky First-Instance District Court of Moscow – which had restricted access to a website due to personal data breaches – to the Moscow City Court (02-4261/2018) [1]. According to the first-instance court, the website owner had:
- collected and processed user information which constituted personal data through Google Analytics and its Russian equivalent, Yandex Metrica; and
- failed to meet the data protection requirements prescribed by the Federal Law on Personal Data 2006 (152-FZ) (PDL).
Prior to this case, the majority of the Russian internet community had not considered statistical information concerning web traffic and user actions to constitute personal data. As such, Russian websites frequently used Google Analytics and Yandex Metrica without following the PDL. Roscomnadzor (the Russian data protection authority), which is the plaintiff in this case, will have to prove that the PDL applies in full to Google Analytics and Yandex Metrica before the Moscow City Court.
Facts
Google Analytics and Yandex Metrica usually collect user data through:
- 'cookies' (ie, small text files saved on a user's computer and read by Google Analytics and Yandex Metrica);
- 'JavaScript' (ie, program code that runs inside a user's browser) and similar technologies.
- devices;
- browsers;
- behaviour (eg, whether they return to a webpage and the frequency at which they do so, as well as when they visit a webpage and their level of engagement);
- demographics (eg, probable age and gender);
- interests; and
- other characteristics [2].
The most valuable data is the aggregated analytical and statistical reports based on the above details. By default, website owners cannot link user information to real names, social network accounts or any other attributes belonging to a clearly identified person.
Legal background
At first glance, the definition of 'personal data' set out in the PDL appears to be identical to that set out in Article 4(1) of the EU General Data Protection Regulation (GDPR). Pursuant to Article 3(1) of the PDL, personal data includes "any information relating to a directly or indirectly identified or identifiable natural person (data subject)". The PDL does not go into detail about the practical meaning of the term 'identifiable natural person'. In their Scientific and Practical Commentary to the PDL [3], Roscomnadzor's executive officers stated that:
Information must not be considered as personal data if it is not possible to identify a natural person with this information without the use of additional information. It seems possible to conclude that this approach supports the balance of interests between all participants of the relations.
In the same way, the PDL defines 'data anonymisation' as a process that makes it impossible to attribute a piece of personal data to a particular data subject without the use of additional information. Based on the cited legal rules and Roscomnadzor's explanation, many Russian website owners used to believe that information processed by Google Analytics and Yandex Metrica could not constitute personal data due to the absence of additional information that would help to establish the identity of every user. They often considered such information as anonymised data within the above meaning of 'anonymisation'.
From a GDPR perspective, the information discussed in Roscomnadzor's commentary may still constitute 'personal data in a pseudonymised form' as defined in Article 4(5) of the GDPR. Russian law does not provide for the concept of pseudonymisation. Under Article 4(1) of the GDPR, an 'identifiable natural person' is anyone who can be identified, directly or indirectly, by reference to an online or another identifier. According to Recital 30 of the GDPR, online identifiers expressly include IP addresses and cookies.
Roscomnadzor's lawsuit appears to have been inspired by the GDPR, despite the fact that the GDPR is non-binding in Russia and the PDL includes no rules on online identifiers.
Following the first-instance judgment, Roscomnadzor released an explanatory note stating that it had not suspected Google Analytics and Yandex Metrica of breaching the law. Rather, it is the website owner which must:
- inform users that Google Analytics and Yandex Metrica will collect their data;
- request users to consent to such data collection; and
- publish a confidentiality policy [4].
Decisions
The Tagansky First-Instance District Court of Moscow went a step further in this regard and found the website owner guilty of, among other things, breaching the personal data localisation requirement set out in Article 18(5) of the PDL. According to this requirement, when collecting Russian citizens' data, website owners must conduct certain data processing operations through databases which are physically located in Russia. As follows from the judgment, Google Analytics and Yandex Metrica had processed Russian citizens' data in the United States.
However, neither the first-instance judgment nor Roscomnadzor's explanatory note contains an explicit analysis of the meaning of 'personal data' in Russia. The Moscow City Court is expected in the coming months to shed some light on how Russian websites should actually proceed with web analytics.
Comment
If Roscomnadzor succeeds with this landmark judgment in the court of appeal, Russian websites will have to welcome users with GDPR-style cookie banners and privacy policies, and those that fail to comply will be caught with their hands in the 'cookie jar'. At present, even some government websites use Yandex Metrica without placing cookie banners or fulfilling other formalities in this regard.