Data protection in Russia

We would like to take this opportunity to inform you about new developments regarding Russian data protection laws. 

It is to be noted in particular that since 2015 personal data ("PD") of Russian citizens must be stored in Russia, as a matter of principle. Experience has shown that the pertinent authorities make full use of the range of sanctions provided by the data protection laws. The following is a summary of a memo which was drawn up by Russian attorney colleagues describing (i) the scope of the applicable laws and (ii) the intensification of the sanctions for breaches. With regard to the sanctions, the amendments to the Code of Administrative Offence passed the third reading on 27 January 2017 and most likely will be approved by the President.

Overview

On 1 September 2015, a law amending various Russian data protection laws came into force (the “Law”). 

In particular, the Law amended the law on personal data ("Personal Data Law") by introducing new obligations with regard to the storage of Russian citizens' PD.

Basic concepts and definitions

The Law applies, in particular, to PD operators and IT system operators.

The Personal Data Law is silent about its extra-territorial scope of application. However, based on the definitions of an IT system operator and PD operator, it is concluded that if a foreign entity, a public body or another entity processes PD of Russian citizens, it is bound by the Personal Data Law or PD-related international treaties.

In other words, the Personal Data Law, including the sanctions with regard to breaches, applies to the processing of Russian citizens' PD outside Russia.

Therefore, it would be correct to conclude that the Law applies to all legal entities and physical persons involved in the processing of PD, including foreign legal entities which are not represented in any way whatsoever within Russia. The Law basically addresses two main issues: 

  1. it describes arrangements to combat infringers of PD owners' rights; and 
  2. it introduces a duty to store PD of Russian citizens, using databases located within the Russian Federation.

Obligation to use Russian data centres

The second part of the Law imposes an obligation on all companies, organisations and persons which process, or promote the processing of, PD of individuals, referred to as "operators", to "ensure the recording, systematisation, accumulation, storage, modification and extraction of personal data of Russian citizens using data centres located in the territory of the Russian Federation during the course of gathering personal data, including via the Internet".

In other words, Russian citizens' PD gathered by operators must be stored by servers/data centres located in the Russian Federation.

More specifically, operators are only exempt from the above obligation, i.e. they are allowed to store Russian data in foreign data centres, if such processing is required:

  • to achieve the objectives which are contemplated by an international treaty of the Russian Federation or by a law, to carry out and perform the functions, powers and duties which are conferred upon an operator by the legislation of the Russian Federation;
  • to administer justice, to enforce a court ruling, a ruling by another authority or officer which are subject to enforcement in accordance with the legislation of the Russian Federation on enforcement proceedings;
  • to exercise the powers of federal executive authorities, authorities of federal non-budgetary funds, executive authorities of constituent entities of the Russian Federation, local government authorities, and the functions of organisations which are engaged in the provision of federal and municipal services, respectively;
  • to carry out the professional activities of a journalist and/or the legal activities of a mass medium or scientific, literary or other creative activities, provided that a PD owner's rights and legal interests are not infringed thereby.

Giving notice to the Federal Service for Supervision of Communications, Information Technology and Mass Media ("RKN")

The Law introduced an amendment to the Personal Data Law which imposes an obligation on operators to notify the RKN of the exact location of servers/data centres where Russian citizens' PD is or will be stored.

As an exception, a PD operator has the right to process data without giving notice to the RKN if, inter alia, employees' PD is processed, the PD is deemed to be publicly accessible, or the PD includes only the first, middle and family names of PD owners.

A failure to give notice to the RKN, specifying the database location, may be deemed to constitute a breach of the Personal Data Law and, for that matter, entail imposition of administrative sanctions. 

The above obligation applies to all types of Russian and foreign companies regardless of the areas of business they are involved in, e.g. tourism, transportation, e-commerce, banking, telecommunications, IT, etc., because the key factor is the gathering/processing of Russian citizens' PD.

Cross-border transfer of PD

The current Personal Data Law allows for cross-border transfers of PD provided that such data is transferred to (i) a country which is a signatory to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data CETS No. 108, or (ii) a country approved by the RKN (see Order No. 274 of the RKN dated 15 March 2013 which approved 19 countries), or (iii) another country, subject to an individual's consent to such cross-border transfer of his or her personal data.

Implementation of the above obligation might work in the following way if interpreted rationally. PD of Russian citizens can be stored both (i) in Russia as a mandatory requirement, and (ii) abroad, subject to duly obtaining a Russian citizen's consent to cross-border transfer and consent to the storage of his or her PD outside Russia. Therefore, PD will be duplicated in both Russian and foreign data centres.

Widespread discussions about physical and technological arrangements for PD storage in Russia are underway. Two key approaches are identified: (1) building domestic centres or (2) leasing space on servers located in Russia.

Findings

In view of the above and based on a conservative analysis of current legislative developments on information and PD issues, it is assumed that:

  1. the Law including its sanctions applies to foreign companies regardless of their presence in Russia;
  2. all companies affected must facilitate the storage of Russian citizens' PD in the territory of the Russian Federation via a proprietary or leased database;
  3. the companies processing Russian citizens' PD and not covered by the exceptions provided by law (see above) will have to give notice to the RKN of the processing of Russian citizens' PD, specifying the location of the database containing such data in the territory of the Russian Federation.

New penalties

A data controller can face civil, administrative or criminal liability if there is a breach of the Personal Data Law.

The amendments to the Code of Administrative Offence passed the third reading on 27 January 2017 and most likely will be approved by the President.

The amendments introduce 7 new offences of breach of data protection legislation and increase the penalties for breach of data protection law. In particular, the draft law provides for a maximum penalty of 75,000 rubles (approximately EUR 1,300) where the personal data holder's consent to the processing of his/her personal data is lacking or where the contents of the consent do not comply with the requirements stipulated by law.
