Russia: Amendments to the Law on Personal Data - strengthening privacy compliance
Russia's privacy landscape is set to change on 1 September 2022, with the entry into force of the Federal Law of 14 July 2022 No. 266-FZ on Amending the Federal Law on Personal Data ('the Amendment Law'). Amending the Federal Law of 27 July 2006 No. 152-FZ on Personal Data ('the Law on Personal Data'), the Amendment Law introduces new provisions which will enhance data protection for Russian citizens. It also imposes stricter obligations on domestic and foreign data operators in terms of how they interact with data subjects and vendors and, more importantly, how they demonstrate and document their compliance, both generally and specifically in the case of data transfers. OneTrust DataGuidance breaks these new provisions down, highlighting the key differences from the existing law.
How has data protection regulation evolved in Russia?
The Law on Personal Data was adopted in 2006 to regulate relations concerning the processing of personal data. Its obligations originally concerned data operators (i.e. entities that determine the purpose and content of processing); however, the concept of entrusting processing to another entity was later included.
Since then, the Law on Personal Data has been amended on more than 25 occasions, for example, to include new definitions and legal bases for processing, to authorise the use of pseudonymised data in various applications, and to clarify state functions and competencies in the field of data protection. More recently, new rules on consent and the use of publicly available data came into operation in March 2021.
A number of authorities, including the Russian Government and the Ministry of Digital Development, Communications and Mass Media, have also issued secondary legislation, regulating aspects such as the processing of biometric data, as well as the enforcement powers of the Federal Service for Supervision of Communications, Information Technology, and Mass Media ('Roskomnadzor').
With the passage of the Amendment Law, the landscape of data protection within and outside Russia is expected to change more significantly than before. Indeed, in response to the increasing frequency of cybersecurity incidents and the widespread sharing of personal data on the Internet, the Amendment Law reforms many provisions in the Law on Personal Data, to strengthen legal protection for data subjects and to enhance state control in this field.
What are the key changes?
Extraterritorial application (Article 1)
The Law on Personal Data is silent on this matter.
Following amendment, the Law on Personal Data will apply to the processing of the personal data of Russian citizens, which is carried out by foreign legal entities or foreign individuals on the basis of:
Relations with data subjects
Legal basis: contracts with data subjects (Article 6(1))
The processing of personal data is permitted on the basis of an agreement to which the data subject is a party or beneficiary.
Following amendment, explicit requirements will apply to such agreements. Namely, they should not contain provisions which:
Biometric data (Article 11)
The processing of biometric data is largely limited to cases provided for by federal law.
Following amendment, restrictions on using biometric data will continue to apply. In particular, the provision of biometric data must not be mandatory, except as provided for by federal law.
If, in accordance with federal law, it is not mandatory for the operator to obtain consent to the processing of personal data, the operator is not entitled to refuse service where the data subject objects to providing their biometric data and/or consent.
Data subject rights (Articles 14, 18, and 20)
Operators are obliged to respond to access requests within 30 days.
Following amendment, operators will be obliged to respond to access requests within ten working days.
In addition to shorter timeframes, operators will be expected to inform the data subject of how they fulfil the obligations established by Article 18.1 (i.e. accountability measures) and, where the provision of personal data is mandatory, the legal consequences of refusing such provision.
Vendor contracts and processor obligations (Article 6(3))
Operators have the right to entrust the processing of personal data to another entity, with the consent of the data subject and on the basis of an agreement concluded with the entrusted entity. Entrusted entities are required to comply with the operator's instructions.
Following amendment, entrusted entities will be subject to additional requirements, including observing the confidentiality of personal data and taking necessary measures to fulfil obligations under the Law on Personal Data.
In terms of processing agreements, operators will be required to define the following:
Finally, if an operator entrusts the processing of personal data to a foreign individual or foreign legal entity, the operator and such entrusted entity will be liable to the data subject.
Cross-border data transfers
Transfer mechanisms and prior approval (Article 12)
Subject to the Law on Personal Data and certain prohibitions, transfers may be made to countries that are either:
Transfers that do not satisfy these conditions may be made in the following cases:
Following amendment, transfer mechanisms under the Law on Personal Data will be restricted, while operators will be subject to additional conditions relating to notification and assessment.
Accordingly, transfers may be made to countries either:
Prior to the transfer of personal data, the operator will be required to:
Upon submitting a notification, operators will have the right to carry out transfers until the Roskomnadzor decides to prohibit or restrict the transfer, in which case the operator will be responsible for ensuring the destruction of the personal data previously transferred.
Compliance and accountability
Accountability measures: policies and procedures (Article 18.1)
Operators must adopt measures to demonstrate compliance with the Law on Personal Data, including:
Following amendment, explicit requirements will apply to operators' processing policies.
For each processing purpose, operators will be required to define and document the following:
Data breach notification (Articles 19 and 21)
There are no requirements concerning data breach notifications under the Law on Personal Data. However, operators are required to take certain actions in the event of an incident, upon request by a data subject or the Roskomnadzor.
Following amendment, operators will be obliged to engage with GosSOPKA, the state system for detecting, preventing, and eliminating information security incidents. This will include providing information on computer incidents that have resulted in the unlawful transfer (i.e. provision, distribution, or access) of personal data. The procedures for this are expected to be further elaborated.
More importantly, in the case of unlawful transfers, operators must notify the Roskomnadzor:
Data processing notification (Article 22)
Prior to the processing of personal data, operators are generally required to notify the Roskomnadzor. This requirement does not apply to such data which:
Following amendment, exceptions to the notification requirement will be reduced. As such, notification will not be required only in the following circumstances:
What is the impact?
The Amendment Law will enter into effect on 1 September 2022, although some provisions will be delayed until 1 March 2023 (please see Article 6(2) of the Amendment Law).
In terms of cross-border data transfers in particular, operators that have carried out transfers prior to 1 September 2022, and will continue to do so after, are required to notify the Roskomnadzor by 1 March 2023, pursuant to Article 12 of the Law on Personal Data (as amended) (please see Article 6(5) of the Amendment Law).
Karan Chao, Senior Privacy Analyst