The legal definition of personal data in the regulatory environment of the Russian Federation: Between formal certainty and technological development

Abstract

The regulatory environment of the Russian Federation is attracting increasing interest due to its recent focus on the aspects of data protection and the Internet governance. Starting from 2006, a comprehensive regulation of the information issues in Russia began to emerge, having immediate practical effect not only on national parties, but also – due to developments in approaches to jurisdiction – to parties acting in digital environment internationally. The purpose of the research is to consider ‘narrow’ approach to the legal definition of personal data (as the trigger of personal data legislation) in the regulatory environment of the Russian Federation in the context of regulation of informational and telecommunication technologies with a particular focus on ‘Big Data’. The problem considered implies the balance between the principle of formal certainty of legal norms, on the one hand, and technological developments, on the other. The formal definition of personal data shall be interpreted uniformly to ensure consistent and predictable application of law which appears not reliably possible at the moment, although the Russian definition of personal data corresponds to the CETS Convention No. 108 which Russia is a party to. As the analysis of the Russian court practice shows, the courts are applying the broad definition interpreting it as if it has at least two additional criteria: that a set of data should be enough to identify an individual and that only a set of data in possession of a particular operator should be considered. It is suggested that these criteria find reflection in “surgical” amendments to the legislation, and the United Kingdom's Data Protection Act, 1998 can serve as a source of adoption in terms of comparative law. Furthermore, the article discusses whether the ‘narrow’ approach may be viewed as contributing to privacy protection in the age of Big Data, rather than lowering barriers of privacy. The authors explain that the ‘narrow’ approach may be considered positive in this aspect because it allows keeping the existing general privacy regulation workable in a reasonably predictable manner. Besides, the research may serve as an introductory material into the Russian data protection legislation.