Support Centre

Russia

Summary

Law: Federal Law of 27 July 2006 No. 152-FZ on Personal Data (as amended 2022) (available in Russian here; an unofficial English version as of 2019 is available here) ('the Law on Personal Data')

Regulator: The Federal Service for Supervision of Communications, Information Technology, and Mass Media ('Roskomnadzor')

Summary: Data protection in Russia is governed by several laws including the Law on Personal Data, which entered into force in 2006 and follows a similar approach to the EU's Data Protection Directive (Directive 95/46/EC). Other notable laws include Federal Law of 27 July 2006 No. 149-FZ on Information, Information Technologies and Protection of Information (only available in Russian here) ('the Law on Information').

Since its adoption, the Law on Personal Data has been amended on numerous occasions to include new data localisation requirements and to clarify the rules on consent, among other things. Most recently, the Federal Law of 14 July 2022 No. 266-FZ on Amending the Federal Law on Personal Data (only available in Russian here) ('the Amendment Law') was adopted to impose stricter obligations on domestic and foreign data operators in terms of how they interact with data subjects as well as processors, and demonstrate their compliance generally and specifically in the case of data transfers. The majority of the Amendment Law's provisions entered into effect on 1 September 2022, while others entered into effect on 1 March 2023.

Insights

Similar to many other countries around the world, the regulation of artificial intelligence (AI) in Russia is a hot topic as AI is becoming increasingly popular and widely used in various fields of daily life and business. One of the main issues is determining the legal status of AI. Other key issues include the definition of responsibility for the action of AI, ethical aspects of AI use, and regulation of autonomous systems. Vyacheslav Khayryuzov, Partner at Arno Legal, discusses the salient regulations currently in place in these areas and what developments are expected in the near future.

Russia's privacy landscape is set to change on 1 September 2022, with the entry into force of the Federal Law of 14 July 2022 No. 266-FZ on Amending the Federal Law on Personal Data ('the Amendment Law'). Amending the Federal Law of 27 July 2006 No. 152-FZ on Personal Data ('the Law on Personal Data'), the Amendment Law introduces new provisions which will enhance data protection for Russian citizens. It also imposes stricter obligations on domestic and foreign data operators in terms of how they interact with data subjects and vendors and, more importantly, how they demonstrate and document their compliance generally and specifically in the case of data transfers. OneTrust DataGuidance breaks these new provisions down, highlighting the key differences between the existing law.

In this report, OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Federal Law of 27 July 2006 No. 152-FZ on Personal Data (the Law on Personal Data).

The report examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the Law on Personal Data with the  GDPR.

You can access the latest version of the report here.

The Russian Parliament adopted Bill No. 1176731-7 on Activities of Foreign Undertakings in the Information Telecommunication Network in the Territory of the Russian Federation, dated 17 June 2021 ('the  Law'), aimed at establishing a specific regulatory and legal framework for the activities of foreign (non-Russian) companies operating in the information network (internet) within the Russian Federation. Maxim Boulba and Elena Andrianova, from CMS Russia, provide an overview of the scope of the Law's application, as well as the requirements and sanctions introduced by the Law.