Personal Data Protection in Russia


In recent years, issues related to the protection of personal data have been actively discussed and developed, and Russian authorities have begun paying closer attention to businesses' compliance with the personal data processing rules.

The Russian law on personal data protection requires that the so-called data controllers – normally companies or organizations collecting or otherwise processing personal data – process personal data only with the consent of the data subject, or for the purpose of performing under an agreement, or under a statutory requirement (e.g., an employer-employee relationship), or according to international treaties (e.g., involving air transportation). Controllers must also introduce legal, organizational, and technical measures to prevent unauthorized or accidental access to personal data, or its destruction, modification, blocking, copying, and/or dissemination. These measures include, inter alia, the appointment of a data protection officer, the adoption of a data processing policy, and the implementation of an internal document describing potential threats to personal data protection and possible measures for preventing these threats.

In addition, data controllers are obliged to notify the data protection authority upon the commencement of personal data processing. The kinds of data processed, the purposes of the processing, the measures taken to protect the data, and the location of the database containing the personal data must be disclosed in the notification. 

The law on data protection also prescribes certain obligations regarding the receipt and execution of data subjects’ requests on the description of data processed, as well as on the clarification, amendment, or deletion of personal data. Moreover, the law explicitly requires data controllers to delete personal data once the purpose of its processing is achieved.

There are also restrictions on the cross-border transfer of personal data. While data transfer to countries that are parties to the Strasbourg Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data and those included in a special list approved by the authority in charge is allowed subject to the general requirements, cross-border transfer to other countries may be conducted only in certain cases, such as on the basis of written consent that is compliant with the prescribed requisites or for performance of an agreement with the data subject.

The personal data localization rules introduced in Russia on September 1, 2015, have given rise to significant discussion in the business community. According to these rules, a data controller, when collecting Russian citizens' personal data, is required to ensure that the recording, systemization, accumulation, storage, clarification (updating, modification), and retrieval of Russian citizens' personal data are conducted in databases located within Russia. Effectively, this means that the initial collection and any update of the data must be carried out in Russia; the data may then be transferred and used abroad, but the up-to-date database of personal data must always be located in Russia.

A notable feature of the localization rules is their multi-jurisdictional reach: they apply even to web sites owned by foreign companies with no presence in Russia, provided the sites are aimed at the Russian market. Special criteria have been developed to determine whether such a business is "aimed" at Russia, such as the use of a ".ru" domain name, a Russian-language version of the web site, the availability of payment in Russian currency, and so on.

Failure to comply with the localization rules results in the blocking of the violating web site. This measure has already been tested in the widely known case of LinkedIn, which, following the decision of the court that heard the case, is currently inaccessible in Russia. The case clearly shows that Russian authorities are ready to enforce the rules regardless of how well known a company is.

Another sign of the more stringent control over activities connected with personal data is the adoption by the Russian Parliament of a bill that significantly expands the definition of administrative violations in the personal data domain and increases the fines for such violations. Although these amendments have not yet passed all stages of adoption, they will most likely be introduced in their current version.

In the past few years, personal data as a subject of law has become a valuable asset and an instrument of doing business, and companies should take these laws into account when adopting processing procedures and implementing protection measures.

In addition, further elaboration of data regulation is anticipated. For instance, "big data," which is becoming one of the backbone elements of IT and e-commerce companies, is under the scrutiny of the Russian authorities, who have discussed possible ways of regulating it. Thus the possibility that stricter control will come soon cannot be ruled out.

By Anton Bankovskiy, Partner, CMS Russia

This article was originally published in Issue 4.2 of the CEE Legal Matters Magazine.