Data protection (privacy) law in Russia is a rapidly developing branch of Russian legislation, most of which was enacted in 2005 and 2006.[1] The Russian Federal Law on Personal Data (No. 152-FZ), signed on July 27, 2006, forms the backbone of Russian privacy law and requires data operators to take "all the necessary organizational and technical measures required for protecting personal data against unlawful or accidental access".[2] An amendment signed on December 20, 2020 came into effect on March 1, 2021; it requires the data subject's consent before personal data may be treated as "made publicly available".[3] Russia's Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) is the government agency tasked with overseeing compliance.[4]
The data subject's consent is required for processing of their personal data. This rule does not apply where the processing is necessary for performance of a contract to which the data subject is a party.
A data subject may revoke previously granted consent at any time. The operator must then stop processing the personal data, destroy it within three business days of the revocation (unless the operator and the individual agreed a different period), and notify the data subject that the data has been destroyed.
In particular, processing of personal data for direct marketing requires the prior consent of the data subject. Absence of consent is presumed unless the operator proves otherwise, and such processing must cease immediately at the data subject's demand.
When collecting personal data, the operator must, at the individual's request, provide information about the operator and the intended processing.
Where personal data is obtained from a source other than the data subject, the operator must, before processing it, provide the individual with the following information:
As a general rule, processing of an individual's sensitive personal data (special categories of personal data) is prohibited, except where the individual's express written consent, containing all the elements required by law, has been obtained before processing.
As a general rule, before transferring personal data outside the Russian Federation the operator must make sure that the rights of data subjects will receive adequate and sufficient protection in the destination country.
Until 1 September 2015 the position of the Federal Service on Telecommunications (the government body responsible for personal data protection) was that adequate and sufficient protection exists only in foreign states that have signed and ratified the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). There are nevertheless three major exceptions that permit transfer of personal data to countries with a lower standard, or no standard, of personal data protection, namely:
On 1 September 2015 a new Article 18(5) came into effect, requiring operators to record, store and update the personal data of Russian citizens using databases located in Russia (the "data localisation" requirement), which further restricts the export of such data.[7]
Russian legislation imposes strict limitations on the use of electronic means of communication for direct marketing. Express consent must be obtained from the individual before marketing communications are sent by email or SMS. Absence of prior consent is presumed unless the sender proves otherwise. The law requires that sending of marketing communications stop immediately at the individual's demand. Russian law also expressly prohibits sending emails or SMS messages using automatic dialling ("autodial").
To send marketing communications by post, an operator must obtain specific permission from the Federal Service on Telecommunications; the procedure for obtaining such permission has, however, not yet been established.
Personal data that is processed must be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
Personal data under processing is subject to a confidentiality regime. This requires the operator to employ sufficient technical and organisational measures to prevent unauthorised access by third parties to the personal data being processed, and to have procedures in place (including internal regulations or orders) governing access to such confidential information.
Personal data must be accurate and, where necessary, kept up to date. The operator must make personal data available for inspection by data subjects at their request. If a data subject finds the information outdated or inaccurate, the operator must stop processing it until the required corrections have been made.
Personal data must not be kept for longer than is necessary for the purposes for which it is processed; it must be destroyed once those purposes have been achieved or are no longer required.
Personal data must be processed in accordance with the rights of data subjects under applicable data protection legislation. An operator will be in breach of this principle if, among other things, it:
Procedures must be in place to ensure that computer systems are configured to record accurately the giving of consent in all the relevant cases described here, and that any notices or requests are responded to and dealt with promptly.
Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage of personal data. For electronic processing, operators should consider measures to ensure data integrity, including installing anti-virus software and firewalls, encrypting data transfers, using privacy-enhancing technologies and making regular backups that are stored securely. For manual processing, appropriate security measures should be considered, such as storing paper records in lockable, fire-proof cabinets.
The relevant provisions require effective protection of personal data. At the time of writing, mandatory regulations on the protection of such data were being developed by the Federal Security Service (FSB, hereinafter the "FSS") and were expected to be issued within two months. According to an FSS specialist consulted by telephone, the FSS held a preliminary draft of these regulations, which might still change before the final version was issued. The current draft required all personal data transferred outside Russia to be protected by encryption. In practice, only Russian encryption software and equipment can currently be used for that purpose.
The legislation gives certain rights to personal data subjects in respect of personal data held about them. These include:
The legislation defines several categories of personal data:[8]
Operators to whom Russian legislation applies must notify the territorial body of the Russian Federal Service for Supervision over Mass Communications, Telecommunications and Preservation of the Cultural Heritage (hereinafter the "Federal Service on Telecommunications") in each region of Russia where they operate personal data processing facilities; for Moscow this is the Moscow Department of that service. The notification is required for inclusion of the operator in the Register of operators. Operators that were already processing personal data before the Federal Law "On Personal Data" of 27 July 2006 came into force, and continued to do so afterwards, had to notify before 1 January 2008. Operators that had not processed personal data using their own or third-party equipment located in Russia before the law's enactment must notify before they start processing personal data. The notification must contain the information prescribed by the applicable legislation.
Scope of application of Russian data protection legislation: Russian law applies where the operator uses its own or third-party data processing equipment located in Russia, and also where data has already been transferred outside Russia but the data subject's rights were violated before or during the transfer. If data is transferred outside Russia in compliance with the law, it is subsequently governed by the law of the destination country and Russian law no longer applies to it.
In most cases the Federal Service on Telecommunications has jurisdiction only over data held or processed in Russia. Russian data protection law nevertheless continues to apply to data already transferred abroad where the rights of individuals whose personal data was collected and processed using equipment located in Russia were violated before or during the transfer (for example, where an operator transferred personal data to a country without adequate protection without the data subject's prior written consent). In such a case the Federal Service on Telecommunications may bring lawsuits against operators to protect the rights of data subjects and impose the corresponding fines for violation of the data protection legislation.