
"Nine times out of ten, the system works correctly."

Roskomnadzor uses an automated system to monitor Internet resources for compliance with the requirements of personal data (PD) protection legislation. Thanks to this system, checks are carried out without interaction with data operators, and the number of analyzed sites has increased many times over. Milosh Wagner, Deputy Head of Roskomnadzor, told Izvestia how this tool works and why it is necessary to switch from consents to processing personal data to standardization of work with data.
To check and protect
- The need to strengthen control over the circulation of personal data in 2020 was discussed by Russian President Vladimir Putin and Roskomnadzor head Andrei Lipov. In May 2021, it was announced that a system for monitoring violations in this area would be launched. What is its main meaning and how does it function?
- The Automated System for Monitoring the Rights of Personal Data Subjects on the Internet (AS MPDn) is designed to monitor the legality of data collection on Internet resources. The reform of control and supervisory activities has also affected Roskomnadzor. In 2020, a moratorium on control activities was introduced, and then the tasks were set to switch to a risk-oriented approach in its activities and to reduce the degree of interference in the work of companies during inspections.
Therefore, the main idea of the system is the transition to remote monitoring of Internet resources. The Federal Law on State Control and Supervision allows such a format of inspections without interaction with supervised entities.
With the help of AS MPDn we can see an objective picture of compliance with legislation in the field of personal data, and good business works quietly, without distracting checks. Previously, inspections took place manually: a Roskomnadzor employee personally analyzed the site, identified signs of violations, took screenshots, compiled them into a special file, printed them out, signed them, formalized the results and took response measures. Our employees used to manually analyze about 6,000 websites across Russia per year.
We decided to reduce the amount of manual labor during the checks of Internet resources, to increase their accuracy and speed, and, naturally, their coverage. And we succeeded. Thanks to the use of the system, we have reduced labor costs by 75-80%, and the coverage of resources checked annually has increased multiple times from 6,000 in manual mode to more than 50,000 in automatic mode.
In 2024, the system detected signs of violations of legal requirements on 77% of resources, i.e. more than three quarters of Internet resources were not working correctly. In the first six months of 2025, almost 27,000 checks have already been carried out, with signs of violations of legal requirements detected in 84% of cases.
The system is set up in such a way that the first resources to be checked are those from the areas of activity about which citizens complain to us, to Roskomnadzor, most of all: organizations of the financial sector, online stores, educational institutions and housing and communal services. In cases where violation of legal requirements poses a significant risk to citizens, we take response measures. For example, in 2024 we sent about 6.5 thousand demands to organizations to bring their website activities into compliance with the law, this year - already 8 thousand demands.
- To what extent are algorithms able to find violations?
- The accuracy of detecting violations in automatic mode averages 89%, i.e. the system works correctly in almost nine out of ten cases. In general, for such services, this is quite a high indicator, given that semantic data is detected, not just numbers.
An important point: the AS MPDn is capable of detecting services that sell information about citizens, the so-called piercing services. Thanks to this tool, since the beginning of 2025, Roskomnadzor has blocked 195 mirror sites distributing personal data of Russians, and 1,388 bots selling personal information have been removed from Telegram.
- Are artificial intelligence technologies applied in the automated monitoring system?
- We have been testing neural network technologies, using our own technological developments, which have been created at the Main Radio Frequency Center. In the test mode we looked at the work of neural networks and estimated their efficiency at 60%, which was significantly lower than the current value of the system at 89%.
In order for the expected accuracy of the analysis to improve at least for comparison with the algorithms operating in the AS MPDn, it was necessary to compile training datasets in volumes exceeding the monitoring of all sites that Roskomnadzor had conducted for several years. At this stage, we considered such labor costs to be premature given the need to save money. On the whole, we now have an accuracy in detecting violations that we are satisfied with today. In other words, algorithms proved to be more attractive than neural networks in terms of the price/quality ratio.
From consents to standards
- Observing what happens on Internet resources that process personal data, what conclusions does Roskomnadzor come to? Is there a need to modernize the institute of legal grounds for processing?
- The main legal mechanism used by data operators to obtain information and to process personal data is consent to the processing of personal data. This tool was originally conceived to enable a person to manage and provide personal data and thus influence the security of personal life. Our main conclusion is that today this mechanism is hopelessly outdated and in need of reform.
Organizations include conditions in consents that can hardly be called data processing in the interest of the individual. They take consent that the data about the person will be used for targeting, improving the quality of services, transferring it to other organizations to promote goods and services, and so on. Without providing such "consent", one cannot use the service, although the service itself does not require the data specified in the consent and does not depend on the services imposed by the consent - a complete distortion of the legal meaning and purpose of this tool.
For example, in the mobile application of a telecom operator, the user is offered to agree to the terms of a service that is supposed to act as a financial assistant. Embedded in the text of the terms and conditions is a mandatory consent to data processing by a third-party service, which takes up as much as 200 pages of small print. A person approves this document with one click, and at the same moment the information about him is sent to 50-60 companies in addition to the operator itself.
The institution of legal grounds should protect people, not make them dependent. This tool of the pre-digital era has now turned into its absolute opposite - a way to induce a person to provide information about him or her without his or her will, knowing in advance that the person is in a dependent position and cannot refuse to give this "consent", so, we believe, this institute should be reformed.
- You have repeatedly emphasized the need to exclude the processing of personal data only by virtue of consent. If this happens, is it necessary to expand other legal bases, for example, the contract with the data subjects? Which approach, in your opinion, would be fairer?
- Consent in the personal data law is first in the list of 13 equal grounds and is apparently mistakenly perceived as the main one. However, for companies, the undeniable advantage of consent is that it is quite easy to take it from a person, the use of consent does not carry legal and administrative risks for the organization, and if consent to data processing is withdrawn, the organization can easily find another basis for processing.
We believe that consent to data processing can only be obtained from an individual if the law explicitly requires the operator to take such consent. In such a case, the voluntariness of consent will be guaranteed during the development and "passing" of the normative act, and the person will not be in a dependent position when giving such consent.
About the expansion of other legal bases. We only welcome the introduction into business practice of their application. Nothing at the legislative level needs to be done. We are open to dialogue and are willing to review with (but not instead of) companies their processes in order to move from collecting consents to more mature and responsible behavior towards the individual. We are already conducting such consultations with some organizations and are seeing tangible progress along the way.
- Companies collect vast amounts of diverse information without always thinking about the purpose of that collection. How do you think the data collection mechanism should be structured?
- Many organizations collect data about an individual, trying to solve many disparate tasks at the same time. However, not every organization has a qualified expert on personal data legislation on its staff, can afford to conduct an honest analysis of the processes and implement the statutory principles of working with such sensitive information. And very few are really capable of developing their own information technologies and implementing customer retention strategies without direct contact with the customer. As a result, we get annoying calls, tactless offers, and sometimes the feeling that we are being watched.
Moreover, we have begun to observe that the most favorable regime, reduced supervisory activity and the number of cases of administrative responsibility are perceived by some as a green light in the competition for the most sophisticated ways to "cheat" a person, including the most unscrupulous conditions of data collection. These include 200-page consents, acceptance of a contract by entering a PIN code at an ATM, rubber lists of counterparties to whom a person supposedly entrusts data processing, and "unremovable" checkboxes for consent, and so on. In this situation, we see the need to strengthen the role of the state in defining the rules of behavior, in establishing the boundaries of what is permissible in relation to the common man and his data.
It is necessary to formulate clear instructions on how to comply with the principles of personal data processing. Strict industry standards should define the list of data and terms of their processing necessary for this particular business in this particular area of relations, which will eliminate the need to obtain the consent of the person for their processing.
Such industry standards should be developed by specialized agencies in the following areas of activity: healthcare, education, finance, housing and utilities and others in coordination with Roskomnadzor.
Special operators as an alternative to emergency regulation
- Nowadays, all personal data operators, be it an ecosystem with tens of millions of users or a flower kiosk, are formally equal, despite their different capabilities in information protection. How do you see the prospects for a new model of organizing data processing, including through large operators?
- As a rule, companies strive to collect as much information about their customers as possible, but in the case of compromised information, all their efforts are directed not at helping the person, but at dodging administrative responsibility. This exacerbates a situation in which the data actually has no owner capable of taking responsibility for its processing and security.
The hacking of databases and their demonstrative publication is part of the hybrid war being waged against Russia. Often these are planned hacker attacks initiated from abroad. The state should have large trusted partners in the information space who are able to ensure the protection of people's personal data.
Storage and processing of significant amounts of personal data (from 100 thousand records of personal data) can be entrusted only to companies that have really confirmed their ability to organize secure processing of personal data. Such companies should be subject to increased security requirements. Such an operator must be a Russian legal entity, have at least five employees with higher education in the field of information protection responsible for the protection of personal data bases of the operator. It must have financial security of liability for losses due to possible data leakage in the amount of at least 100 million rubles. It must use for personal data processing databases only on the territory of the Russian Federation and confirm (rather than declare) that the processing of personal data of citizens is carried out taking into account the requirements for information security.
Smaller data operators will receive from such large operators a turnkey service for data handling and protection, compliance with personal data legislation and virtually zero probability of administrative liability for personal data leaks.
We believe that big business should take a paternalistic stance together with the state, including in the area of personal data protection. However, this proposal will require large companies to stop pretending that what is happening with personal data in the country is not their concern. In such conditions, small and medium-sized organizations will focus exclusively on improving their own efficiency, without being distracted by resource-consuming information protection measures.
- Is the functioning of such specialized operators technically possible?
- We asked this question to information security specialists, and they confirmed the technical feasibility of such a solution. Moreover, the implementation of such an approach reduces the value of information from small processors, who have only transactional data, without identifiers of information about a person, to almost zero.
We have also discussed the concept of this approach with authorized security authorities. Today they have a number of questions on how to build this system in a normative and organizational way. We must recognize that the amount of personal data in civil circulation has not improved the quality of most services, but it has increased the vulnerability of our citizens to fraudsters. Now the circulation of personal data is a matter of national security, a matter of sovereignty of the state and society. That is why the state will go the way of limiting and further controlling who, why, for how long, how and what kind of personal data of its citizens can be processed. And if in the foreseeable future there will be no large special operators of personal data, the state will be forced to take this role, but on completely different terms than those offered today.
- In circumstances when a person is required to provide personal information on an almost daily basis, how should one treat it and what should one do if one does not want to share personal data?
- Providing personal information is the price that people around the world have to pay for the ability to receive digital services, to receive them quickly, in a "one-touch" manner. This "new normal" is a direct result of the intense digitalization of all industries, and, I emphasize, all over the world.
This is why mistrust of technology, the fear and discomfort of being collected everywhere, is one of the greatest challenges for those who create digital technologies and services to improve our lives and develop our societies.
There can be no simple recommendations for the individual here. If you are not willing to share information to get a service, then you will have to give up the service. But if the value of the service for you is significant, then it is necessary to determine for yourself what is more important - privacy or service in "one click". In any case, it is better to refrain from making decisions under pressure, in a short time, if you are in an uncharacteristic emotional state. However, if in a particular life situation you have a feeling that someone is violating the confidentiality of your data or illegally demanding personal information, you can contact us, Roskomnadzor.
If your life situation is such that you have become a victim of fraudsters, if an organization abuses the right of the strongest in civil law relations or if you need to defend your right to privacy in court, you can contact the Center for Legal Assistance to Citizens in the Digital Environment, which was established on the initiative of Roskomnadzor. Pre-trial and judicial assistance is absolutely free of charge.
Since the center was established in September 2021, more than 17,000 people have already received such assistance. This structure has branches in Moscow, as well as in the North-Western, Volga and Siberian federal districts, but residents of any region - from Kaliningrad to Kamchatka - can get help.