
Russia: Amendments to the Law on Personal Data - strengthening privacy compliance

Russia's privacy landscape is set to change on 1 September 2022, with the entry into force of the Federal Law of 14 July 2022 No. 266-FZ on Amending the Federal Law on Personal Data ('the Amendment Law'). Amending the Federal Law of 27 July 2006 No. 152-FZ on Personal Data ('the Law on Personal Data'), the Amendment Law introduces new provisions which will enhance data protection for Russian citizens. It also imposes stricter obligations on domestic and foreign data operators in terms of how they interact with data subjects and vendors and, more importantly, how they demonstrate and document their compliance, both generally and specifically in the case of data transfers. OneTrust DataGuidance breaks these new provisions down, highlighting the key differences between the existing law and the amended provisions.


How has data protection regulation evolved in Russia?

The Law on Personal Data was adopted in 2006 to regulate relations concerning the processing of personal data. Its obligations originally concerned data operators (i.e. entities that determine the purpose and content of processing); however, the concept of entrusting processing to another entity was later added.

Since then, the Law on Personal Data has been amended on more than 25 occasions, for example, to include new definitions and legal bases for processing, to authorise the use of pseudonymised data in various applications, and to clarify state functions and competencies in the field of data protection. More recently, new rules on consent and the use of publicly available data came into operation in March 2021.

A number of authorities, including the Russian Government and the Ministry of Digital Development, Communications and Mass Media, have also issued secondary legislation, regulating aspects such as the processing of biometric data, as well as the enforcement powers of the Federal Service for Supervision of Communications, Information Technology, and Mass Media ('Roskomnadzor').

With the passage of the Amendment Law, the landscape of data protection within and outside Russia is expected to change more significantly than before. Indeed, in response to the increasing frequency of cybersecurity incidents and the widespread sharing of personal data on the Internet, the Amendment Law reforms many provisions in the Law on Personal Data, to strengthen legal protection for data subjects and to enhance state control in this field.

What are the key changes?

Each item below sets out the existing provision of the Law on Personal Data, followed by the new provision introduced by the Amendment Law.

Scope

Extraterritorial application (Article 1)

The Law on Personal Data is silent on this matter.

Following amendment, the Law on Personal Data will apply to the processing of the personal data of Russian citizens, which is carried out by foreign legal entities or foreign individuals on the basis of:

  • an agreement to which the Russian citizen is a party, or other agreements with the Russian citizen; or
  • consent of the Russian citizen to the processing of their personal data.

Relations with data subjects

Legal basis: contracts with data subjects (Article 6(1))

The processing of personal data is permitted on the basis of an agreement to which the data subject is a party or beneficiary.

Following amendment, explicit requirements will apply to such agreements. Namely, they should not contain provisions which:

  • restrict the rights and freedoms of the subject of personal data;
  • establish cases of processing minors' personal data; or
  • require the inaction of the data subject, as a condition for concluding the agreement.

Biometric data (Article 11)

The processing of biometric data is limited to cases provided for by federal law.

Following amendment, restrictions on using biometric data will continue to apply. In particular, the provision of biometric data must not be mandatory, except as provided for by federal law.

If, in accordance with federal law, it is not mandatory for the operator to obtain consent to the processing of personal data, the operator is not entitled to refuse service where the data subject objects to providing their biometric data and/or consent.

Data subject rights (Articles 14, 18, and 20)

Operators are obliged to respond to access requests within 30 days.

Following amendment, operators will be obliged to respond to access requests within ten working days.

In addition to shorter timeframes, operators will be expected to inform the data subject of how they fulfil the obligations established by Article 18.1 (i.e. accountability measures) and, where the provision of personal data is mandatory, of the legal consequences of refusing such provision.

Vendor management

Vendor contracts and processor obligations (Article 6(3))

Operators have the right to entrust the processing of personal data to another entity, with the consent of the data subject and on the basis of an agreement concluded with the entrusted entity. Entrusted entities are required to comply with the operator's instructions.

Following amendment, entrusted entities will be subject to additional requirements, including observing the confidentiality of personal data and taking necessary measures to fulfil obligations under the Law on Personal Data.

In terms of processing agreements, operators will be required to define the following:

  • a list of personal data and processing actions to be performed by the entrusted entity;
  • the purposes of processing;
  • the obligation to maintain confidentiality;
  • requirements provided for in Articles 18(5) and 18.1 (i.e. data localisation and accountability measures);
  • the obligation to furnish information to confirm measures adopted to fulfil the operator's instructions; and
  • the obligation to ensure data security, including requirements provided for in Article 19 and the requirement to notify the operator of data breaches.

Finally, if an operator entrusts the processing of personal data to a foreign individual or foreign legal entity, the operator and such entrusted entity will be liable to the data subject.

Cross-border data transfers

Transfer mechanisms and prior approval (Article 12)

Subject to the Law on Personal Data and certain prohibitions, transfers may be made to countries that are either:

  • party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108'); or
  • approved by the Roskomnadzor as providing adequate protection of the rights of data subjects.

Transfers that do not satisfy these conditions may be made in the following cases:

  • with the written consent of the data subject;
  • when provided for by international treaties of the Russian Federation;
  • when provided for by federal law, if necessary to protect constitutional order and national security;
  • on the basis of an agreement to which the data subject is a party; or
  • for protection of life, health, or other vital interests of the data subject or other persons, if it is impossible to obtain consent.

Following amendment, transfer mechanisms under the Law on Personal Data will be restricted, while operators will be subject to additional conditions relating to notification and assessment.

Transfer mechanisms

Accordingly, transfers may be made to countries either:

  • approved by the Roskomnadzor as providing adequate protection, which will include countries party to Convention 108; or
  • in cases where such transfer is necessary to protect the life, health, or other vital interests of the data subject or other persons.

Prior approval

Prior to the transfer of personal data, the operator will be required to:

  • carry out an assessment of the intended third country and foreign recipient; and
  • notify the Roskomnadzor to obtain approval for the intended transfer.

Upon submitting a notification, operators will have the right to carry out transfers until the Roskomnadzor decides to prohibit or restrict the transfer, in which case the operator will be responsible for ensuring the destruction of personal data previously transferred.

Compliance and accountability

Accountability measures: policies and procedures (Article 18.1)

Operators must adopt measures to demonstrate compliance with the Law on Personal Data, including:

  • appointing a person responsible for organising data processing;
  • publicising a processing policy;
  • adopting legal, technical, and organisational measures for ensuring data security;
  • implementing internal controls and audits;
  • conducting risk assessments in the event of a violation of the Law on Personal Data; and
  • training employees.

Following amendment, explicit requirements will apply to operators' processing policies.

For each processing purpose, operators will be required to define and document the following:

  • the categories and the list of processed personal data;
  • the categories of data subjects whose personal data is processed;
  • methods of processing;
  • terms of processing and storage; and
  • procedures for the destruction of personal data upon reaching the goals of processing or upon the occurrence of other legal grounds.

Data breach notification (Articles 19 and 21)

There are no requirements concerning data breach notifications under the Law on Personal Data. However, operators are required to take certain actions in the event of an incident, upon request by a data subject or the Roskomnadzor.

Following amendment, operators will be obliged to engage with GosSOPKA, the state system for detecting, preventing, and eliminating information security incidents. This will include providing information on computer incidents that have resulted in the unlawful transfer (i.e. provision, distribution, or access) of personal data. The procedures for this are expected to be elaborated further.

More importantly, in the case of unlawful transfers, operators must notify the Roskomnadzor:

  • within 24 hours, regarding the incident, the alleged causes and harm caused to data subjects, the measures taken to address the incident, as well as information about the appointed responsible person; and
  • within 72 hours, regarding the results of internal investigations, as well as information about the persons whose actions caused the identified incident (if any).

Data processing notification (Article 22)

Prior to the processing of personal data, operators are generally required to notify the Roskomnadzor. This requirement does not apply to such data which:

  • is processed in accordance with labour law;
  • was obtained by the operator as part of an agreement to which the data subject is a party;
  • relates to members of a public association or religious organisation;
  • is authorised by the data subject for distribution;
  • includes only first names, last names, and patronymics of the data subjects;
  • is necessary for the one-off admission of a data subject onto premises where the operator is situated;
  • has been included in information systems that have the status of state automated information systems;
  • is processed without automation tools; or
  • is processed in cases provided for by transport security legislation.

Following amendment, the exceptions to the notification requirement will be narrowed. Notification will be waived only in the following circumstances:

  • personal data that has been included in the state information systems of personal data created in order to protect the security of the state and public order;
  • in the event that the operator carries out processing activities exclusively without the use of automation tools; or
  • personal data that is processed in cases provided for by transport security legislation.


What is the impact?

The Amendment Law will enter into effect on 1 September 2022, although some provisions will be delayed until 1 March 2023 (please see Article 6(2) of the Amendment Law).

In terms of cross-border data transfers in particular, operators that have carried out transfers prior to 1 September 2022, and will continue to do so after, are required to notify the Roskomnadzor by 1 March 2023, pursuant to Article 12 of the Law on Personal Data (as amended) (please see Article 6(5) of the Amendment Law).

Karan Chao, Senior Privacy Analyst