Digital Consent: Strive For Legal Regulation

Abstract

In this article, the authors substantiate the need for legal regulation of digital consents as an element of the architecture of the digital profile, which is actively developed and implemented by the state in the context of the digital transformation of state bodies. The authors analyze personal data, information as an object of civil rights, methods of their legal regulation, reveal the legal nature of digital consents using related categories. The paper examples the concept of digital consent as the free will of citizens and organizations, aimed at the emergence, change, termination of legal relations with state bodies and organizations, expressed in electronic form in the digital profile of the user's personal account by making a legally significant registry entry on the grant (revocation) of rights collection, transmission and use of data in accordance with the specified purpose of processing. The findings of the article relate to the context of big data, their commercialization, the digital economy and allow to address the acute problems of using personalized data of citizens and legal entities, to eliminate gaps in the legislation. The authors propose the introduction of restrictions for foreign companies on the circulation of databases of citizens and organizations in the Russian Federation, the use of only domestic information products and technologies, when providing digital consents, the introduction of import substitution in information technologies, the development of only domestic regulations, protocols and technologies and the management of state registries by state bodies.

Keywords: Digital consentdigital profiledigital rightspersonal datadigital economy

Introduction

The need for legal regulation of digital consents is stipulated by the adoption of the National Program “Digital Economy of the Russian Federation”, 2019 and the introduction of digital transformation in all spheres of public relations, including relations between citizens and organizations with state bodies (The National Program “Digital Economy of the Russian Federation”, 2019). The proclaimed objective of the introduction of digital consents is to provide, through the portal of public services, access to data on a citizen or legal entity contained in public information systems. Digital consents allow to use access to data remotely and provide the ability to quickly and efficiently make decisions using big data that is processed by government bodies and regards personal data of citizens, information on legal entities. According to the concept of the digital profile, the transfer of data about a citizen, an organization occurs only if the consent is received, and in the future the platform should allow to revoke the consent if necessary.

The main task of the state should be to ensure that all consents provided by the data owner when using digital profile services are stored in a single registry, as well as to provide access to the owner’s management of their digital consents, to ensure the security of data storage, and to build trust of data owners on the use of digital technologies.

Problem Statement

The subject of the study is to identify problems of legal regulation of digital consents for the provision of information given by individuals and legal entities contained in state registers to third parties. The authors analyze digital consents as a legal category, reveal its legal nature in relation to other legal categories, and analyze bills in this area of legal regulation. The authors also propose approaches to protecting information from unauthorized or accidental access and use.

Research Questions

Currently there is no legal regulation of the possibility of using digital consents, there is no enforcement experience of their use. In this regard, questions arise for this study. What is the legal nature of digital consents? How do digital consents relate to such categories as consent to personal data, digital rights, what principles should be laid down in the legal regulation of digital profiles using digital consents? How to identify a digital concent signer?

Purpose of the Study

The purpose of the study is to identify patterns, analyze the most important, debatable aspects of the need for legal regulation of digital consents. It is important to comprehend the understanding of the legal nature of digital consents in Russian law. It is urgent to develop recommendations on the legislative regulation of digital consents, as well as formulate proposals for amending existing legislation.

Research Methods

The methodological basis of the work is a combination of such general scientific research methods as the analysis of the phenomena studied and the synthesis of the research results, induction, deduction. In the process of developing various aspects of the research topic, formal-logical, systemic methods of cognition were used. When revealing the legal nature of digital consents, the comparative legal method was used when comparing with such categories as consent to the processing of personal data, digital rights, digital profile, etc.

Findings

An active interest in the topic of government digital transformation, including foreign interest (Kundu, 2019; Strohbach, Ziekow, Gazis, & Akiva, 2015) gives rise to the need for theoretical substantiation of new legal structures. These include digital consents (Rochfeld, 2018) in the structure of digital profiles, dynamically developed by government agencies.

To date, there is no common understanding either in the theory of law or in practical activities regarding one of the key issues of digital consents - their legal nature. If we consider digital consent as the will of citizens and legal entities, aimed at providing the information given to them in the information system, is it possible to consider them as civil legal relations and, accordingly, can one consider data transfer as a transaction. A positive answer to this question would allow to resolve the issue of the legal regulation of these relations, since it is sufficiently developed in Russian law. Article 153 of the Civil Code of the Russian Federation (The Civil Code of the Russian Federation, 1994) states that actions aimed at the establishment, amendment or termination of civil rights and obligations are a transaction. The list of civil relations is open.

It is difficult to agree with the position of the authors delimiting the concept of agreement and consent, which they understand as an element of the legal composition, a condition under which a person can conclude an agreement, make a deal. However, the law provides the possibility of unilateral transactions giving rise to legal consequences. In addition, the entity consenting to the provision of information to third parties, itself makes a unilateral transaction.

It is also difficult to accept the understanding of digital consent as a legally significant registry entry of data owner, person or legal entity, on the granting or revocation of the rights to collect, transfer and use data in accordance with the purpose of processing, since digital consent is primarily an expression of will, action vested into electronic form in the information system.

At the same time, the legal regime of protection of personal data (as a variety of digital consent objects) is public, imperative, providing for a wide range of obligations of the operator. Nevertheless, it is thought that this type of legal relationship is regulated comprehensively, partly by private-law methods, and partly by public-law. Private law relations may include relations between individuals, legal entities that provide data, information about themselves, on the one hand, and other organizations (for example, insurance companies, banks, etc.), on the other. Relations of citizens and legal entities with state bodies providing information about these persons contained in state registers with third parties are regulated by law.

Despite the fact that currently civil law does not deem information as an object of civil rights, however, it includes intangible goods in the list of such objects, and their understanding is open. This kind of objects includes data, information provided by individuals and legal entities, including in the information system.

However, levelling personal data of citizens to objects of intangible goods suggests the impossibility of alienation of these objects. Nevertheless, in legal science, individual authors propose to control the commercial use of the personality, which is used in foreign law.

Thus, this approach implies the application of the rules on transactions provided for by the Civil Code of the Russian Federation to digital consents, which, in turn, can fill the gap in the legal regulation of digital consents for the provision of information and data. Also, this approach will solve the problem of the contradiction of the Federal Law “On Personal Data” (Federal Law “On Personal Data”, 2006) and the emerging trends in the digital economy, including those related to the retribution of the information provided by state bodies to third parties on the basis of digital consent of citizens and organizations.

Another option for the development of legal regulation of relations of information, data circulation is the return of information as an object of civil rights in article 128 of the Civil Code of the Russian Federation. Currently to transfer large databases the construction of intellectual rights is used to databases, which is not applicable for the transfer of personal data and any specific information on persons.

Thus, the question remains acute in determining the turnover of personal information provided by citizens and legal entities to third parties. Legislative recognition of the turnover of such information will lead to the creation of a new market for such information. If personal information is considered as an object of intangible goods, then they cannot be contained in forms not listed by law, since in this case, they have a public law regime. Recognition of personal information as an object of civil circulation will allow the use of additional methods of protection against unlawful processing and dissemination of such information.

Introduction of the new article 141.1 in the Civil Code of the Russian Federation on 10.01.2019 on “digital rights” is of particular interest as under this provision binding rights and other rights specified in law and recognized, the content and conditions for the implementation of which are determined in accordance with the rules of an information system that meets the criteria established by law. Unless otherwise stated by law, the holder of digital rights is a person who in accordance with the rules of the information system has the ability to dispose of such rights.

It seems such rights should be directly named by law and secondly they should be tied to the information system, exist in the electronic environment. However, the rule indicated in the norm that the content of rights and the conditions for their exercise are determined in accordance with the rules of the information system is contrary to the principles of civil law. The information system cannot determine the rights and conditions, they are determined by the legislator. The task of information systems is to assist individuals in the exercise of their rights. We also consider it impossible to comply with the norm that the exercise of law is possible only in the information system. Some scholars believe that digital rights are not an object of rights, but a way of securing them in an electronic form.

It is interesting that according to this concept stated in the Civil Code of the Russian Federation, digital rights can also include objects of digital consents, depending on what is put into understanding of digital rights. However, the possibility of applying this rule should be expressly provided for by applicable law.

Amendments to the Civil Code of the Russian Federation also provide compliance with the written form of a transaction made by electronic or other technical means that allow the contents of the transaction to be reproduced on a tangible medium, these provisions may also apply to the legal regulation of digital consents.

The need for legislative regulation of the procedure for regulating digital consents is also associated with the implementation of the concept of a digital profile in the Russian Federation. Understanding the structure of the digital profile implies the possibility of the formation of various services that will improve the convenience and quality, terms of service to citizens, legal entities and individual entrepreneurs, as well as government bodies and organizations, providing them with additional tools for working, analyzing and managing data, and also reducing the their cost to state bodies. It is assumed that the services will be provided without a personal visit to government bodies and other organizations, using the registry model, online (in automatic mode). All actions of the data owner with digital consent when providing data using the digital profile service can be reflected in a single register of digital consent and be available in the user's personal account. In turn, digital consents can be classified by one-time validity, when consent is granted for one-time provision of information, and long-term, when the owner gives the right to provide multiple information for a certain period of time.

According to the bill, the basic principles for creating a digital profile are:

- an individual has the right to freely control access to his data stored in various state information systems;

- the use and transfer of data from the digital profile of an individual occurs only with his consent, if data transfer is not provided for by the legislation of the Russian Federation; an individual controls the process of granting and withdrawing consent;

- to provide digital consent for access to data from his Digital Profile, a citizen must be identified and authenticated using a simple or qualified electronic signature;

- the most requested data, such as digital copies of documents, will be stored in a digital profile, while the rest of the data is stored in the information systems in which it was originally created;

- data is accessed directly from the digital profile if such data is stored in digital profile information systems, or through links to data sources using identifiers assigned in the corresponding information systems;

- the liability of personal data operators in the processing of personal data using the digital profile infrastructure is established in accordance with the legislation of the Russian Federation;

- linking multiple identifiers in various information systems provides a technological identifier ESIA - ESIA ID;

- data exchange takes place in a trusted, secure environment and helps to reduce the transaction costs of government agencies and commercial organizations related to the collection, confirmation and updating of such data;

- connection of commercial organizations to the infrastructure of the digital profile is carried out on a voluntary basis, unless otherwise provided by the legislation of the Russian Federation.

A detailed study of the concept of the digital profile should be aimed at protecting its participants, including participants in financial markets (Ageeva, Lang, Loshkarev, Chugurova, & Churakova, 2018).

In this regard, one of the important issues in the provision of digital consents is the issue of identification and authentication of persons providing consent. According to the bill of the Russian Federation N 747513-7 FZ ("On amendments to certain legislative acts in (in terms of clarification of identification and authentication procedures, 2019) amendments to certain legislative acts (in terms of clarification of identification and authentication procedures)", 2019) its main task is to establish the rules and basic approaches to regulating issues of remote identification and authentication of persons of a legally significant nature.

The bill aims to define concepts such as: identification, authentication, digital profile, as well as their legislative consolidation, introduces the legal institution of the digital profile with its detailed regulation, gives the Government of the Russian Federation the authority to determine the procedure for receiving and providing information using the digital profile, and adjusts the methods expressing the citizen’s consent to the provision of communication services that are technologically inextricable with the radiotelephone services increasing their consumer value, introduces into the legislation the legal institute of electronic citizen identification, establishes the possibility of applying in civil relations an unlimited number of identifiers in advance, as well as methods of identification and authentication.

In connection with the proposed changes to the legislation, additional regulation of the requirements for citizen’s identification will be required, including valid forms of identification of a citizen, cases where the result of identification and authentication of a person using information technology can be confirmed by an electronic document provided through an information system that provides remote identification and face authentication, the possibility of using biometric data, for identification, access to databases inspection capacity of citizens and legal persons held in the court decisions databases and registers of the tax service.

In this area, the experience of foreign countries solving issues of identification and authentication using mobile devices is relevant (Jiang, Wang, Huang, Long, & Huo, 2018). The experience of Estonia is remarkable, which allowed an individual to receive the status of a digital resident remotely from any state, thereby confirming the possibility of commercial relations between state bodies, commercial organizations and individuals in the context of digital transformation (Sullivan & Burger, 2017).

One of the problems with the use of digital consents is the increasing importance of program code, since access to a servant for providing information will be associated with it, security control will be more technical than legal. Protection should be carried out, in particular, with encryption, cryptography technologies, the introduction of protection mechanisms directly into technical devices and services that make identification, the introduction of special protocols is necessary.

Information technology in the provision of consent of citizens, organizations to third parties, using the data contained in state registries, should not turn digital consents into legal fictions, but allow fixing the free will of individuals to grant (revoke) the rights to collect, transfer and use data in accordance with the specified purpose processing. In this regard, the concerns of foreign authors about the forced digital participation of citizens in information technologies between government bodies and citizens, organizations, the possibility of using the refusal of digital consent (Barassi, 2019; Draper & Turow, 2019) are relevant.

Digital consents should provide convenience, trust, security from theft of information, efficiency, reliability of identification. New technologies used to confirm the fact of providing digital consent should be made in an information system created on the basis of domestic production. For this, it is necessary to introduce restrictions for foreign companies to use databases of citizens of the Russian Federation, use domestic information products and technologies, import substitution in information technologies, develop domestic regulations, protocols and technologies, and state bodies should manage state registries.

Conclusion

In conclusion, a scientific understanding of digital consent should be derived. Digital consents are the acts of the free will of citizens and organizations aimed at the emergence, change, termination of legal relations with state bodies and organizations, expressed in electronic form in the digital profile of the user's personal account by making a legally significant registry entry on the granting (revocation) of rights to collect, transfer and use of data in accordance with the specified purpose of processing. The practical significance of the study is to highlight the problems associated with the introduction of a digital profile platform project with the participation of commercial organizations, government bodies and the possibility of using digital consents in the provision of data, information by legal entities and individuals contained in state registries.

References

• Ageeva, G. E., Lang, P. P., Loshkarev, A. V., Chugurova, T. V., & Churakova, E. N. (2018). Peculiarities of protecting the rights of participants of financial markets in court. In E.G. Popkova (Ed.), International Conference Project “The Future of the Global Financial System: Downfall of Harmony”. Lecture Notes in Networks and Systems, 57 (pp.545-552). Cham: Springer.
• Barassi, V. (2019). Datafied citizens in the age of coerced digital participation. Sociological Research Online, 24(3), 414-429. https://doi.org/10.1177/1360780419857734
• Draper, N. A., & Turow, J. (2019). The corporate cultivation of digital resignation, New Media & Society, 21(8), 1824-1839. https://doi.org/10.1177/1461444819833331
• Federal Law “On Personal Data”. (2006). Retrieved from: http://www.consultant.ru/cons/cgi/online.cgi?req=doc&ts=31831140607034663685335869&cacheid=FBB13BC6BEAC60D2CCDBEADC4D32DDB7&mode=splus&base=LAW&n=286959&rnd=DDDEAB67AF96D64D784EE7167B428F94#5w0qxaz6uy Accessed: 10.10.2019. [in Rus.].
• Jiang, Y., Wang, C., Huang, Y., Long, S., & Huo, Y. (2018). A cross-chain solution to integration of IoT tangle for data access management. In J.E. Guerrero (Ed.), Proceedings of IEEE 2018 International Congress on Cybermatics: 2018 IEEE Conferences on Internet of Things, Green Computing and Communications, Cyber, Physical and Social Computing, Smart Data, Blockchain, Computer and Information Technology (pp. 1035-1041). Hoes Lane: IEEE. https://doi.org/10.1109 / Cybermatics_2018.2018.00192
• Kundu, D. (2019). Blockchain and trust in a smart city. Environment and Urbanization Asia, 10(1), 31-43. https://doi.org/10.1177/0975425319832392
• Rochfeld, J. (2018). How to qualify personal data? A theoretical and legal assessment in the European Union. Revista de Direito, Estado e Telecomunicacoes: Law, State and Telecommunications Review, 10(1), 61-84. https://doi.org/10.26512/lstr.v10i1.21500
• Strohbach, M., Ziekow, H., Gazis, V., & Akiva, N. (2015). Towards a big data analytics framework for IoT and smart city applications. In Xhafa F., Barolli L., Barolli A., Papajorgji P. (Eds.), Modeling and Processing for Next-Generation Big-Data Technologies (pp.257-282). Modeling and Optimization in Science and Technologies, 4. Cham: Springer. https://doi.org/10.1007/978-3-319-09177-8-11
• Sullivan, C., & Burger, E. (2017). E-residency and blockchain. Computer Law and Security Review, 33(2017), 470-481.
• The bill of the Russian Federation N 747513-7 FZ "On amendments to certain legislative acts in (in terms of clarification of identification and authentication procedures) amendments to certain legislative acts (in terms of clarification of identification and authentication procedures)" (2019). Retrieved from: http://www.consultant.ru/cons/cgi/online.cgi?req=doc&ts=162061581304296368147740357&cacheid=5F2CFC8EE1FA6BA716C76F53C4967D52&mode=splus&base=PRJ&n=185263&rnd=DDDEAB67AF96D64D784EE7167B428F94#v1hnpqedg6 Accessed: 10.10.2019. [in Rus.].
• The Civil Code of the Russian Federation. Retrieved from (November 30. 1994). Retrieved from: http://www.consultant.ru/cons/cgi/online.cgi?req=doc&base=LAW&n=320453&fld=134&dst=1000000001,0&rnd=0.13811423978097537#03199002975074259 Accessed: 10.10.2019. [in Rus.].
• The National Program "Digital Economy of the Russian Federation" (approved by the Presidium of the Presidential Council for Strategic Development and National Projects, dated June 4, 2019. No. 7 (2019). Retrieved from: http: //www.consultant.ru/document/cons_doc_LAW_328854 Accessed: 10/02/2019. [in Rus.].