Russia: Data Protection in the Automotive Sector
Data protection within Russia is generally regulated by the Federal Law of 27 July 2006 No. 149-FZ on Information, Information Technologies, and Protection of Information (as amended) (only available in Russian here) ('the Law on Information').
The collection, receipt, possession, storage, handling, and transfer of personal data of natural persons within Russia is regulated by the Federal Law of 27 July 2006 No. 152-FZ on Personal Data (as amended) (available in Russian here; an unofficial English version as of 2019 is available here) ('the Law on Personal Data').
There are no specific civil or criminal liability rules concerning data protection in the automotive sector in Russia. General laws are applicable, such as:
- the Criminal Code of the Russian Federation of 13 June 1996 No. 64-FZ (as amended) (only available in Russian here) ('the Criminal Code'); and
- the Code of 30 December 2001 No. 195-FZ on Administrative Offences (as amended) (only available in Russian here) ('the Code of Administrative Offences'); and
- the Civil Code of the Russian Federation of 30 November 1994 No. 51-FZ (as amended) (only available in Russian here) ('the Civil Code').
1. GOVERNING TEXTS
1.1. Key acts, regulations, directives, bills
The Law on Personal Data applies to data that state and municipal bodies, legal entities, and individuals that collect from a natural person within Russia.
The Law on Information regulates relations arising in the processing of information, the application of information technology, and the protection of information. In particular, it sets out governing principles and duties applicable to all operators of information systems, as well as rights conferred on individuals. For example, operators must observe the principle of confidentiality and undertake legal, organisational, and technical measures to ensure the protection of information against any illegal access, destruction, modification, or other illegal actions.
In terms of enforcement, Article 272 of the Criminal Code bars illegal access to legally protected computer information, if this act entails the destruction, blocking, modification, or copying of computer information. It provides different penalties, depending on the consequences and damage incurred, and whether the act involves criminal group activities, including fines (up to RUB 500,000 (approx. €5,860)), compulsory work (up to five years), limitation of freedom (up to four years) or imprisonment (up to seven years in the most aggravated cases).
The data operator and the data processor may also be punished under the rules concerning information protection. For example, the disclosure of information with lawful limited access is punishable with a fine under Article 13.14 of the Code of Administrative Offences (up to RUB 200,000 (approx. €2,350)).
The breaches of rules concerning personal data are punishable with fines which may be much higher. For example, the failure to keep personal data using a database located in Russia results in a fine of up to RUB 6 million (approx. €70,330) or up to RUB 18 million (approx. €210,980) for repeated offenses (Article 13.11 of the Code of Administrative Offences).
Criminal liability for the data operator and the data processor is also possible. For example, if the computer information was destructed, blocked, modified, or copied because of their fault, and it results (or could result) in grave consequences, the guilty persons may be sentenced to compulsory work or imprisonment for up to 5 years (Article 274 of the Criminal Code).
Laws applicable to the automotive sector
There is no specific Russian law applicable to connected vehicles.
This is permitted as an experiment in 13 (out of 85) of the Russian regions, including the largest cities, Moscow and St. Petersburg, under the Decree of Government of 28 November No. 1415 on Conducting an Experiment on the Operation of Highly Automated Vehicles on Highways (only available in Russian here). The term of experiment is limited to 1 March 2022.
There is no specific Russian law applicable to telematics.
There is no specific Russian law applicable to vehicle geolocation.
The requirements for newly-produced and imported vehicles are provided by the acts of Eurasian Economic Union ('EAEU') (where Russia is a Member State), in particular, the Technical Regulation of Customs Union No. TP TC 018/2011 on the Safety of Wheeled Vehicles (only available in Russian here) ('the EAEU Vehicle Safety Regulation').
Any other applicable laws
The Federal Law of 7 February 1992 No. 2300-1 on Consumer Protection (as amended) (only available in Russian here) ('the Law on Consumer Protection') is also applicable.
1.2. Regulatory authority guidance
No specific guidance for the automotive sector relating to data protection has been issued.
2. KEY DEFINITIONS
Personal data: Аny information relating directly or indirectly to an identified or identifiable natural person (Article 3(1) of the Law on Personal Data).
Vehicle Information Number ('VIN') (sole or in combination with further identifiers): A VIN is a combination of characters (numbers and/or letters) assigned to each vehicle (chassis) by the manufacturer which should be unique for a period of at least 30 years (Annex 7 to the EAEU Vehicle Safety Regulation). It should be marked on the chassis or frame (non-movable part), so that it could not be easily changed. It consists of 17 characters: (1) the code assigned to the vehicle manufacturer to enable vehicle identification (3 characters); (2) the code assigned by the vehicle manufacturer, serving to indicate the general characteristics of the vehicle (6 characters); (3) the code of year of vehicle issue (optional, 1 character); (4) the code of factory where the vehicle was issued (optional, 1 character); and (5) the code assigned to vehicle by the manufacturer (6 characters, final 3 of which are numerical), in order to provide clear identification of particular vehicle.
- Geolocation data: No applicable definition under Russian law.
- Telematic data: No applicable definition under Russian law.
- Biometric personal data: Information that characterises the physiological and biological characteristics of a person, based on which it is possible to establish his or her identity (Article 11(1) of the Law on Personal Data).
- Metadata: No applicable definition under Russian law.
- Voice data: No applicable definition under Russian law.
- Video data (inside/outside the vehicle): No applicable definition under Russian law.
- Anonymisation (relating to personal data): Actions as a result of which it becomes impossible without the use of additional information to determine the ownership of personal data to a specific subject of personal data Article 3(9) of the Law on Personal Data).
- Pseudonymisation: No applicable definition under Russia law.
- Data processing (relating to personal data): Any action (operation) or a set of actions (operations) performed with the use of automation tools or without the use of such tools with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, or destruction of personal data (Article 3(3) of the Law on Personal Data).
- Data controller (relating to personal data): Referred to as 'operator,' state body, municipal body, legal entity, or individual, independently, or jointly with other persons organizing and/or carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data (Article 3(2) of the Law on Personal Data).
- Data processor (relating to personal data): No applicable definition under Russian law. However, the Law on Personal Data refers to a person who processes personal data on behalf of an operator on the basis of an agreement concluded with this person, including a state or municipal contract, or by adopting an appropriate act by a state or municipal body, whose function can be interpreted as 'data processor' (Article 6(3) of the Law on Personal Data).
- Manufacturer: Any organization, regardless of its organizational and legal form, or individual entrepreneur, producing goods for sale to consumers (Preamble to the Law on Consumer Protection).
3. SUPERVISORY AUTHORITY
3.1. Who is the relevant supervisory authority overseeing compliance applicable to the automotive sector?
The authorized body for the protection of the rights of data subjects is the Federal Service for Supervision of Communications, Information Technology and Mass Media ('Roskomnadzor'). One of the main responsibilities of the Roskomnadzor is to organize the protection of the rights of data subjects. This obligation is implemented through the implementation of the entire range of powers by the Roskomnadzor, including control and supervisory measures.
4. CONNECTED VEHICLES
4.1. What are the practical implications of the following principles for connected vehicles and how can organisations manage them in practice?
The data subject (driver or passenger of the car) has the right to receive information regarding the processing of his or her personal data, including :
- confirmation of the fact of processing of personal data by the data controller;
- the legal grounds and purposes of processing;
- the purposes and methods of processing used by the data controller;
- the name and location of the data controller and information about persons (with the exception of the data controller's employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the data controller or on the basis of law;
- the processed personal data relating to the relevant data subject and the source of their receipt, unless another procedure for submitting such data is provided for by law;
- the terms of processing, including the terms of their storage;
- the procedure for the exercise by the rights provided for by the Law on Personal Data;
- information on the performed or expected cross-border data transfers; and
- the name or surname, first name, patronymic, and address of the person who processes personal data on behalf of the data controller, if the processing is entrusted or will be entrusted to such a person.
There is no legally-mandated requirement for the form of provision of information relating to personal data to car users. It can be done through a welcome screen which provides a touch option for 'consent.'
Choice and consent
The data subject decides on the provision of his or her personal data and agrees to their processing freely, of his or her own free will, and in his or her interest. Consent must be specific, informed, and conscientious. Consent can be given by the data subject or his or her representative in any form that allows to confirm the fact of its receipt, unless otherwise provided by law.
Processing of personal data is carried out only with the consent in writing of the data subject. Consent in the form of an electronic document signed with an electronic signature is recognized as equivalent to a written consent on paper containing a data subject's handwritten signature.
Consent can be revoked by the data subject.
It must be ensured that consent is explicit and clear, and all requirements for obtaining it from the car driver and/or passenger are satisfied. There is no specific legally mandated form in which consent should be obtained. Various considerations must be taken into account, such as frequency of information provision and consent requests, particularly considering the possibility of multiple users/drivers.
When processing personal data, the operator is obliged to take the necessary legal, organizational, and technical measures, or ensure their adoption, to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, provision, or dissemination, as well as from other illegal actions in relation to personal data.
The manufacturer/data operator should define specific data security standards and audit procedures.
The content and volume of the processed personal data must correspond to the stated purposes of the processing. The processed personal data should not be redundant in relation to the stated purposes of their processing.
All data that is collected should be able to be justified for a defined, legitimate purpose.
The processing of personal data should be limited to the achievement of specific, pre-determined, and legitimate goals. Processing of personal data that is incompatible with the purposes of collecting personal data is not allowed.
This principle does not allow the processing of personal data indefinitely or to determine its timing solely at the discretion of the operator, although the latter has a significant degree of flexibility in determining the processing goals and the moment of their achievement. Unfortunately, in practice, this principle is often violated by operators who continue to store personal data, despite the achievement of the purpose of such processing.
Accountability and record of processing
The operator is obliged to publish or otherwise provide unrestricted access to the document defining their policy in relation to the processing of personal data and to information on the implemented requirements for the protection of personal data. The operator collecting personal data using Internet or other telecommunications is obliged to publish the same, as well as to provide access to the specified document via the respective telecommunication network.
Data sharing and international transfers
Operators and other persons who have gained access to personal data are prohibited from disclosing to third parties and from distributing personal data without the consent of the data subject unless otherwise provided by federal law.
When collecting personal data, including through the information and telecommunication networks, such as the Internet, the operator is obliged to ensure that the recording, systematization, accumulation, storage, clarification (update, change), and extraction of personal data of Russian citizens uses databases located in the territory of the Russian Federation.
Generally, cross-border transfers of personal data are possible only to foreign states that are parties to the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as other foreign states that ensure adequate protection of the rights of data subjects (specifically listed by the Roskomnadzor).
Cross-border transfers to foreign states that do not provide adequate protection can be carried out in the following cases:
- with the written consent of the data subject for the cross-border transfers of his or her personal data;
- when provided for by international treaties of the Russian Federation;
- when provided for by federal laws, if it is necessary in order to protect the foundations of the constitutional system of the Russian Federation, ensure the country's defense and state security, as well as ensure the security of the stable and safe operation of the transport complex, protect the interests of the individual, society, and the State in the field of the transport complex from acts of illegal interference;
- for the execution of a contract to which the data subject is a party; or
- for protection of life, health, and other vital interests of the data subject or other persons if it is impossible to obtain written consent of the data subject.
A data operator carrying out cross-border activities and having a presence in the territory of different countries may be subject to various laws on personal data that are in conflict with each other, which is a direct consequence of the lack of unification at the international level.
In this case, the company has little left, except that the choice of the 'lesser of two evils,' based on the analysis of all possible risks associated with non-compliance with the relevant legal requirements (i.e. the amount of fines and other consequences, reputational and media risks, etc.). For example, the need to transfer personal data abroad in connection with a request from a foreign government agency originating from a country that does not provide an adequate level of protection, even if such a request is based on the law of that country, is not a legitimate basis for such transfer in accordance with the requirements of the Law on Personal Data. In this regard, the lawful transfer of such data is only possible with the consent of the data subject.
Taking into account the possible harm to the data subject, the volume and content of the processed personal data, the type of activity in which personal data is processed, and the relevance of threats to the security of personal data, the Government of the Russian Federation established the following in the Decree of the Government of 1 January 2012 No. 1119 on the Approval of Requirements for the Protection of Personal Data in the Case of Processing in Personal Data Information Systems (only available in Russian here):
- the levels of protection of personal data during their processing in information systems, depending on the threats to the security of these data;
- requirements for the protection of personal data during their processing in information systems, the implementation of which ensures the established levels of protection of personal data;
- requirements for material carriers of biometric personal data and technologies for storing such data outside of information systems.
To fulfill the obligation to identify threats to the security of personal data, it is necessary to develop a threat model. When developing a threat model, it is recommended to follow the following steps:
- determine the level of security of each information system used by the operator;
- determine the main types of potential violators based on an analysis of the circle of persons who have the ability to access (authorized or unauthorized) the information systems;
- compile a list of trusted persons and actual violators and analyze the possibilities of actual violators; and
- conduct a classification of threats to the security of personal data and make a list of them.
Personal data must be provided to the data subject by the operator in an accessible form, and it must not contain personal data relating to other data subjects, unless there are legal grounds for disclosing such personal data.
The current requirement for the accessibility of personal data is broadly formulated. The right of the data subject to transfer his or her data from one dataoperator to another one is not provided.
Privacy/Security by Design and by Default
This is not a concept currently developed under Russian law. It may evolve in the future.
There is no restriction on third-party data sharing. The disclosure is mandatory if made under the request of law enforcement agencies (e.g. police) or by the court.
This concept is not specifically dealt with in the context of automotive data. The personal data, in theory, is inalienable. Generally, the data subject has the right to privacy and their consent is required for data collection, subject to exceptions provided under the Law on Personal Data (e.g. for governmental aims).
5. AUTONOMOUS DRIVING
5.1. What are the practical implications of the following principles for autonomous driving and how can organisations manage them in practice?
The principles mentioned under section 4 and their practical implications are also applicable in the context of autonomous vehicles. Considering the limited use of such vehicles in Russia, the specific data privacy legal requirements applicable to them, in particular, the requirements of the Law on Personal Data, will need to be considered. In particular, the corresponding infrastructure such as connected maps, real time traffic information, lane markers, electronic road signs, etc. will need to be developed with due consideration of the Law on Personal Data. Such infrastructure will require time and investment to be implemented and is yet to be developed and implemented in Russia.
6.1. What are the practical implications of the following principles for telematics and how can organisations manage them in practice?
Technology, such as global positioning systems ('GPS') and on-board vehicular data, is commonly incorporated now in cars on Russian roads. Telemetry data can include location of a vehicle, its speed, idling time, fuel consumption, tyre pressure, and engine faults, also extending to associated services like preventive diagnostics, debugging, and maintenance. This is of significance for businesses of both automobile manufacturers and insurance companies. However, use of telemetry data is still low in Russian automobile insurance products, to our knowledge, except for the 'ERA-GLONASS' system (see section 7.1. below).
7. VEHICLE GEOLOCATION
7.1. What are the practical implications of the following principles for vehicle geolocation and how can organizations manage them in practice?
All cars produced or imported into the territory of the Russian Federation from 1 January 1 2017 must be equipped with ERA-GLONASS modules. ERA-GLONASS is the Russian state system of Emergency Response to Accidents, aimed at improving road safety and reducing deaths from road accidents by reducing the time for alerting emergency services. In fact, this is a partially copied version of the European eCall system with some differences in the transmitted data and partially backward compatible with the European parent. The principle of operation of the system is quite simple and logical: in the event of an accident, a module ('IVS') built into the car, in a fully automatic mode and without human intervention, determines the severity of the accident, determines the location of the vehicle via GLONASS or GPS, establishes communication with the infrastructure of ERA-GLONASS, and in accordance with the protocol, transmits the necessary data about the accident (some kind of distress signal).
8.1. What are the practical implications of the following principles for manufacturing and how can organisations manage them in practice?
Data protection principles and their practical implications for manufacturers are similar to those described in section 4.1. above.
9.1. Please outline any other additional data protection and/or cybersecurity requirements for the automotive sector, including in relation to the following, if applicable:
Internet connectivity and eSIM management
Smart vehicles with embedded SIM cards and internet access would be subject to the requirements of the Federal Law of 7 July 2003 No. 126-FZ on Communications (as amended) (only available in Russian here) ('the Law on Communications') and any communications service provider would be required to adhere to comply with its requirements. In the event that the service provider entrusts the processing of personal data of a subscriber to a third party in order to conclude and/or fulfill an agreement on the provision of communication services to which the subscriber is a party, and/or in order to exercise the rights and legitimate interests of the service providers, or of the subscriber, the consent of the subscriber to the transfer of his or her personal data to such a third party and data processing is not required.
Car-to-car and car-to-X communication
SIM cards used in smart vehicles be subject to the Law on Communications. The owners of such SIM cards are to be identified and included in the database which could be made public. Information about a subscriber must be excluded at any time from the public database of subscribers at his or her request or by a court decision or other authorized state bodies of the Russian Federation.
Suren Avakov Partner
Arakov Tarasov & Partners, Moscow