The Ministry of Digital Development responded that TBank’s actions to obtain consent to process biometrics contradict the provisions of the law
For those who are LAZY to read the essence in pictures
TBank approvals
Position of the Ministry of Digital Development
Soon the fairy tale will be told, but the (judicial) case will not be done soon – Folk wisdom 🙂
1. Brief background
Let me remind you that on August 25, 2023, Tinkoff Bank JSC published UKBO in edition 43. The changes come into force on August 28, 2023. News.
Link to UKBO in edition 43 on the bank’s website
1.1 I would like to note that in the UKBO edition 43, Tinkoff Bank JSC added clause 2.24 (page 8 of the UKBO) in section 2. Basic provisions, and added clause 1.4 (page 8 of the UKBO) in the section General conditions for opening, servicing and closing bank deposits.
I believe that the addition of these paragraphs violates the provisions of subparagraphs 5 and 15 of paragraph 2 of Article 16 of the Law of the Russian Federation N 2300-1 “On the Protection of Consumer Rights”, as well as the provisions of paragraphs 1 and 3 of Article 11 of the Federal Law N 152-FZ “On Personal Data” and Article 15 of Federal Law N 572-FZ “On identification and (or) authentication of individuals using biometric personal data”
1. So paragraph 2.24 from section 2. Basic provisions states
2.24. The client gives his consent to the processing of his biometric personal data, obtained as a result of photographing and/or voice recording, by any means, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), extraction, use, transfer (provision, access), depersonalization, blocking, deletion, destruction for the purpose of concluding, executing, changing and/or terminating contracts and/ or agreements with the Bank, issuing electronic means of payment, ensuring the security of the Client’s funds, as well as implementing measures aimed at preventing third parties from performing actions for the Client through Remote Service.
At the same time, on the Tinkoff website in the help section – Why does the bank use biometric data at
Previously, we stored and used biometric data in the bank. Now they must be stored in the Unified Biometric System. We use this data to protect you and your accounts from fraudsters. By law, in order to continue to protect you as reliably as possible, we are required to obtain your consent to process data and transfer it to EBS. We tell you what biometric information is and how the bank uses it.
…..
Without the client’s consent, no bank, including Tinkoff, has the right to use clients’ biometric data and transfer them to the EBS. What should I do if I don't want to transfer my data?
On the same page in the section – What other customer data does the bank store? the following is indicated (link to the saved page in Internet Archive
Biometric data used at TinkoffThis:
– Images of the client's face. At the meeting, the representative takes your photo – this is necessary to conclude the contract. We then process the photo in a special way and create a digital impression of the image. It is this impression, and not the photograph itself, that refers to biometric data.
– Voice samples that we obtain from customer conversations with an operator on the phone. We also process the voice recording to obtain a digital impression. Biometric data is considered to be an impression rather than recording conversations with support.
The collection and processing of such data is provided for in paragraphs 2.24 and 3.4.4 UKBO.
At the same time, taking into account the provisions of the Federal Law “On Personal Data” N 152-FZ Article 11. Biometric personal data
1. Information that characterizes the physiological and biological characteristics of a person, on the basis of which one can establish his identity (biometric personal data) and which is used by the operator to establish the identity of the subject of personal data, can only be processed with written consent of the subject of personal data, except for the cases provided for in Part 2 of this article.
2. Processing of biometric personal data can be carried out without the consent of the subject of personal data in connection with the implementation of international treaties of the Russian Federation on readmission, in connection with the administration of justice and the execution of judicial acts, in connection with the implementation of mandatory state fingerprint registration, mandatory state genomic registration, as well as in cases provided for by the legislation of the Russian Federation on defense, on security, on countering terrorism, on transport security, on combating corruption, on operational investigative activities, on public service, the criminal executive legislation of the Russian Federation, the legislation of the Russian Federation on the procedure for leaving the Russian Federation Federation and entry into the Russian Federation, on citizenship of the Russian Federation, legislation of the Russian Federation on notaries.
3. Providing biometric personal data cannot be mandatory, except for the cases provided for in Part 2 of this article. The operator does not have the right to refuse service if the subject of personal data refuses to provide biometric personal data and (or) consent to the processing of personal data, if, in accordance with federal law, the operator’s receipt of consent to the processing of personal data is not mandatory.
Taking into account the fact that the provision of banking services is not included in the list listed in paragraph 2 of Article 11 of Federal Law N 152-FZ, we can conclude that organizations providing banking services
– does not have the right to refuse service to citizens if the subject of personal data refuses to provide biometric personal data and (or) consent to the processing of personal data,
– and also does not have the right to include in their contracts conditions requiring unconditional consent to the processing of their biometric personal data
But clause 2.24 of the Criminal Code of Tinkoff JSC directly contradicts the provisions of clauses 1 and 3 of Article 11 of Federal Law N 152-FZ, since this clause actually means that a citizen is deprived of the right to conclude a Universal Agreement without giving his consent to the processing of his biometric personal data.
As stated above, the Tinkoff Bank website states the following (link to the saved page in Internet Archive
The biometric data used at Tinkoff is:
……
– Voice samples that we obtain from customer conversations with an operator on the phone. We also process the voice recording to obtain a digital impression. Biometric data is considered to be an impression, not recordings of dialogues with the support service.
The collection and processing of such data is provided for in clauses 2.24 and 3.4.4 of the UKBO.
At the same time, Order of the Ministry of Digital Development N 453 in paragraphs 13 and 14 states
13. The parameters of biometric personal voice recording data placed in a unified biometric system, including in accordance with Part 9 of Article 4 of Federal Law N 572-FZ, for identification and (or) authentication must meet the following requirements:
…..
message spoken by an individual must match the sequence of letters and/or numbers generated by the software information system of a body or organization;
recording vote must contain the specified sequence completely and should not be interrupted;
when recording a voice, the emotional and psychological state of an individual must be normal, not excited, without obvious signs of illness that would prevent the delivery of the message specified in paragraph ten of this paragraph, or that could disrupt the timbre and (or) sound of the voice;
It is prohibited to obtain biometric personal data from voice recordings by transcoding phonograms recorded using technical means of the public telephone network.
1.2 In addition, since the UKBO describes, among other things, the conditions for opening current accounts and deposits, the Universal Agreement and the terms of the UKBO are also a public contract, since, according to Article 834 of the Civil Code, the Bank Deposit Agreement
2. A bank deposit agreement, in which the depositor is a citizen, is recognized as a public contract
At the same time, clause 1.4 General conditions for opening, servicing and closing bank deposits (page 18) was added to the UKBO edition 43, which reads
1.4 When contacting the Bank to conclude a Deposit Agreement (Savings account agreements) and if the Client does not have a Card Account in the currency of the Deposit (Demand Deposit) The Client also applies to the Bank with an Application for concluding a Payment Card Agreement (for opening a Card account) in the appropriate currency on the terms of the Tariff plan at the choice of the Bank.
That is, clause 1.4 General conditions for opening, servicing and closing bank deposits UKBO not only imposes on citizens the mandatory conclusion of a Payment Card Agreement, but even deprives them of the right to choose the tariff plan for a given payment card, since the tariff plan for a given payment card is established at the Bank’s discretion, and not by the choice of the citizen.
Moreover, in accordance with the provisions of Article 16. Inadmissible terms of the contract that infringe on the rights of the consumer, prohibitions and obligations imposed on the seller (performer, owner of the aggregator) of Law N 2300-1 “On the Protection of Consumer Rights”
1. Inadmissible terms of the contract that infringe on the rights of the consumer are terms that violate the rules established international treaties of the Russian Federation, this Law, laws and other regulatory legal acts of the Russian Federation adopted in accordance with them, regulating relations in the field of consumer rights protection. Inadmissible terms of the contract that infringe on the rights of the consumer are void.
…..
2. Inadmissible terms of the contract that infringe on consumer rights include:
…..
5) conditions that determine the acquisition of some goods (works, services) mandatory acquisition of other goods (works, services), including providing for the mandatory conclusion of other agreements, unless otherwise provided by law;
…..
15) other conditions that violate the rules, established by international treaties of the Russian Federation, this Law, laws and other regulatory legal acts of the Russian Federation adopted in accordance with them, regulating relations in the field of consumer rights protection.
Thus, it is obvious that the provisions of paragraph 2.24 of the Criminal Code and paragraph 1.4 of the General Conditions for Opening, Servicing and Closing Bank Deposits of the same Criminal Code directly contradict the provisions of subparagraphs 5, 15 of paragraph 2 of Article 16 of the PZPP, and paragraph 2.24 of the Criminal Code also directly contradicts the provisions of paragraphs 1 and 3 Article 11 of Federal Law N 152-FZ
Taking this into account, I filed a claim in a court of general jurisdiction against Tinkoff Bank in October 2023
Here you can immediately ask the question, at what stage is the trial? )
Answer – the first instance has not yet considered the case on its merits
1.3 Why so long?
Answer below
Were involved in the case as third parties
– Rospotrebnadzor (they worked as they should, although they had to return the complaint for new consideration through the Manager)
– Roskomnadzor (they essentially said – We have paws, It’s not my fault, it’s all the Ministry of Digital Development 🙂 )
– Ministry of Digital Development (I had to run after them the most)
In parallel, responses were received from the Central Bank of the Russian Federation
This lengthy consideration is due to the fact that
1.3.1 in the Office of Rospotrebnadzor I had to either return the complaint for a new consideration after refusing to initiate a case under Article 14.8 of the Code of Administrative Offenses
1.3.2 in the Office of Roskomnadzor and the Central Office of Roskomnadzor they wrote replies without substance, that is, they simply consisted of clerical stuff. And only after a personal meeting with the Deputy Head of Roskomnadzor Milos Eduardovich Wagner, the Central Office of Roskomnadzor sent an answer that the responsible department in terms of issuing biometrics and a Simple Electronic Signature (hereinafter referred to as SES) is the Ministry of Digital Development, Communications and Mass Communications of the Russian Federation (hereinafter referred to as the Ministry of Digital Development)
1.3.3 During the trial, Tinkoff Bank suddenly announced that I allegedly voluntarily consented to the processing of biometric personal data on 11/03/2023 by simply logging into either the Internet bank or a mobile application
So, Tinkoff Bank wrote in its review (page 3 of the Review)
while 03.11.2023 Plaintiff through your personal account on the website gave consent to the processing of his biometric data, which is confirmed by Consent to the processing of biometric data, signed with a simple electronic signature,
And I wrote below (page 7 of the Review)
03.11.2023 by entering your password in the application and preliminary familiarization with the conditions, the Plaintiff gave his Consent to the processing of biometric data.
That is, Tinkoff Bank itself cannot even decide how the said consent was allegedly obtained. That is, Tinkoff Bank cannot even provide information that does not contradict itself.
1.3.4 The Central Bank of the Russian Federation gave answers within its competence only after 3 appeals and SIX requests to Tinkoff Bank. Since Tinkoff Bank refused to provide me with information, in some incomprehensible way the bank allegedly obtained my consent to process biometric data
1.3.5 The final stage was the pursuit of receiving a response from the Ministry of Digital Development, which will be discussed below
Summarizing the introduction, the following questions are posed in my claim:
Based on the above and on the basis of paragraph 1 of Article 39 of the Code of Civil Procedure, I ask you to consider my claims as clarified in the wording indicated below
I ask the court
1. In pursuance of Article 166 of the Code of Civil Procedure and Article 16 of the Law of Civil Procedure, acknowledge the provisions of clause 2.24 of the UKBO of Tinkoff Bankpostulating the client’s automatic consent to the processing of his biometric data, contrary to the provisions of Part 1 and paragraphs 5, 15 of Part 2 of Article 16 of the Law of the Russian Federation, as well as the provisions of Article 11 of Federal Law No. 152 Federal Law and Article 15 of Federal Law No. 572 Federal Law, that is Insignificant.
2. In pursuance of Article 166 of the Code of Civil Procedure and Article 16 of the Law of Civil Procedure, acknowledge the provisions of clause 1.4 of the section General conditions for opening, servicing and closing bank deposits of UKBO Tinkoff Bankpostulating the client’s obligation to conclude a debit card agreement according to a tariff plan of the bank’s choice when concluding a deposit agreement, contrary to the provisions of part 1 and paragraph 5 of part 2 of article 16 of the PZPP, that is Insignificant.
3. Oblige JSC Tinkoff Bank to remove from its UKBO clauses 2.24 and 1.4 of the section General conditions for opening, servicing and closing bank deposits, no later than 10 days from the date the court decision enters into legal force
4. Pursuant to Article 166 of the Civil Code, recognize that giving consent to the processing of biometric data of a client of a credit institution by simply logging into a mobile application or logging into the Internet bank of a credit institution or entering a PIN code at an ATM (including when using a third-party bank card ), provided that the client does not take any additional actions when logging into the mobile application, or logging into the Internet bank of a credit institution, or when using an ATM of a credit institution (that is, does not perform conclusive actions aimed specifically at specifically giving separate consent to the processing of biometric data ) contradicts the provisions of Article 9 of Federal Law No. 152 FZ
5. In pursuance of Article 166 of the Civil Code, admit that the consent indicated by the defendant to the processing of my biometric data dated November 3, 2023 was received in violation of the provisions of Article 9 of Federal Law No. 152 Federal Law and therefore has no legal force, that is, void.
6. To recover compensation for moral damages in the amount of 19,000 rubles from Tinkoff Bank JSC
Thus, it can be understood that globally the requirements can be divided into two categories
– requirements to recognize as illegal the imposition of a debit card when opening a deposit
– requirements to recognize as illegal the presence of automatic consent for the processing of biometrics in the UKBO and to recognize as illegal the receipt of consent for the processing of biometrics during a regular login to the Internet bank.
So that the post does not turn into a kilometer sheet since I won the court in the first instance.
I am attaching for now that it is nonsense, or rather the position of TBank, which was written by a lawyer of TBank
And also the response of the Ministry of Digital Development dated 05/31/52024 No. P24-267165 about the date of accreditation of Tinkoff
And the response of the Ministry of Digital Development dated July 11, 2024 No. P25-16410-OG based on the results of a REPEATED personal reception
2. Responses from departments and cases under the Code of Administrative Offenses
I will not cite here all the departmental responses that came to me over almost a year, I will only note those that gave substantive answers, and not just written tons of clerical paper
2.1 Rospotrebnadzor turned out to be the most normal agency. Since he refused to initiate a case under Article 14.8 of the Code of Administrative Offences, and after filing a complaint with the head of the department, he returned the case for a new consideration and opened a case under Article 14.8 of the Code of Administrative Offences, and also issued an order to eliminate the violations.
TBank was offended and went to the Arbitration Court where it lost at the moment and in the appellate instance
Taking into account the Prejudice, this decision will be used in an appeal in a court of general jurisdiction.
2.2 Roskomnadzor, after FOUR appeals of its refusal to initiate proceedings under Article 13.11 of the Code of Administrative Offenses, sent THREE messages about the fact of an administrative offense to the Roskomnadzor Office for the Central Federal District
2.3 The Central Bank of the Russian Federation answered its part and sent the rest to the Ministry of Digital Development
2.4 The Ministry of Digital Development, after two personal visits, gave a CLEAR position on the INACCEPTABILITY of obtaining consent for the processing of biometric data as usual when logging into a mobile application, online banking or using an ATM.
I won the court of general jurisdiction in the first instance, but TBank filed an appeal, but I have not received it yet. As soon as I receive it, I’ll share their masterpiece, or rather nonsense 🙂
So citizens whose biometric data TBank leaked to the EBS can also sue, at least for the sake of compensation for moral damage caused.
