October 2, 2017
Overall, Russian data protection law is in line with international standards in this area. In fact, the Strasbourg Convention 1981 (ratified by Russia in 2005) laid the foundation for the Russian personal data protection legislation, which was adopted in 2006. In contrast to developed foreign regimes, however, Russian data protection law is less adapted to constantly evolving technologies (eg, big data, cloud computing, cookies and online behavioural targeting). The regulator also often opts to remain silent on many such issues, leaving room for uncertainty.
At the same time, over the past few years privacy and personal data protection have been at the forefront of the regulator’s focus. In 2014 Russia adopted a rule that requires all data operators (both controllers and processors) that process the personal data of Russian citizens to use databases physically located in Russia. This policy had a major impact on international online services, making such service providers rethink their data flows. One notable enforcement action against a foreign online service involved the blocking of LinkedIn in Russia.
The year 2017 was further marked by a significant increase in the fines for non-compliance with personal data regulations, which entered into force on July 1 2017.
Amid these developments, the regulator has actively monitored and enforced compliance with personal data laws. Companies are advised to review forward-looking lists of legal entities subject to audits published by the regulator on an annual basis (see https://rkn.gov.ru/plan-and-reports/).
Several legislative initiatives affecting the personal data legislation have been announced, including with regard to:
These initiatives are in the early stages of development and are unlikely to cause significant disruption for the business community.
The main pieces of legislation governing the collection, storage and use of personal data in Russia are the Personal Data Act (Federal Law 152-FZ, July 27 2006) and the Information Act (Federal Law 149-FZ, July 27 2006).
Specific rules are spread across other laws, such as:
Detailed data protection measures are set out in Russian Government Decision 1119 (November 1 2012) and Federal Service for Technical and Export Control Order 21 (February 18 2013), with a number of other administrative and technical rules contained in decrees and decisions of various other authorities.
The personal data legislation generally applies to all Russian legal entities, individuals, state and municipal bodies. It also has an extraterritorial reach in certain cases. For instance, the requirement to process personal data relating to Russian citizens in databases physically located within the territory of Russia also applies to foreign companies.
Under the Personal Data Act, ‘personal data’ is defined to include “any information relating directly or indirectly to an identified or identifiable individual (personal data subject)”. The law also defines two particular categories of personal data that are subject to stricter rules:
A data operator must notify Roskomnadzor (the principal authority overseeing compliance with data protection legislation in Russia) of its intention to process personal data before commencing with the processing, with certain exceptions provided for in Article 22(2) of the Personal Data Act. Such exceptions include the processing of the following personal data:
The notification must be submitted in hard copy or electronic form and reviewed by Roskomnadzor within 30 days. No registration fee applies.
The data operator must also notify the authority of any changes in the submitted notification, as well as of the termination of data processing within 10 days.
The register of personal data operators is publicly available on the website of Roskomnadzor (http://rkn.gov.ru/personal-data/register/).
A data operator which is a legal entity must appoint a person responsible for the organisation of personal data processing (ie, a data protection officer). Duties of the data protection officer include:
The law sets no qualification requirements for data protection officers. Information on the data protection officer must be included in notifications to Roskomnadzor (see above).
Failure to appoint a data protection officer may result in an administrative fine.
The main body responsible for the enforcement of data protection legislation in Russia is Roskomnadzor, under the Ministry of Communications and Mass Media.
Roskomnadzor is empowered to:
Roskomnadzor is also charged with:
Any processing of personal data, including collection and storage, is subject to the data subject’s consent, with certain exceptions set out in the Personal Data Act.
The personal data legislation does not define a specific term during which an organisation may (or must) retain personal data records. However, the Personal Data Act prescribes that retention (ie, storage) of personal data must last no longer than is required for the purposes of processing the personal data, unless a specific term of storage or retention is set out by the law or by an agreement to which the data subject is a party, beneficiary or guarantor.
Individuals have the right to request a broad range of information about their personal data from organisations. This right may be restricted if:
Yes, individuals have the right to request the data operator to correct, block or delete their personal data where such data is incomplete, outdated, incorrect, unlawfully obtained or unnecessary for the stated purposes of processing.
Consent is required before processing personal data, with the exception of situations explicitly stipulated in the Personal Data Act (see below).
No consent of the personal data subject is required in cases where the personal data processing is:
There are no specific requirements on what information must be provided to individuals when their personal data is collected. However, the Personal Data Act requires that the processing of personal data be limited to achieving specific, pre-defined and lawful goals. Therefore, such goals should be communicated to the personal data subject when his or her personal data is collected. Moreover, the personal data subject may always request information related to the processing of his or her personal data, including:
Unlike the cybersecurity laws, the Personal Data Act requires data operators to implement extensive legal, organisational and technical measures to ensure the security of personal data and its protection against unauthorised access, modification, replication or other unlawful acts. Such measures include (but are not limited to):
Detailed rules in respect of personal data security are set out in Russian Government Decision 1119 (November 1 2012) and Federal Service for Technical and Export Control Order 21 (February 18 2013).
No, there is no obligation to notify individuals (ie, personal data subjects) if their personal data is compromised.
No, there is no obligation to notify Roskomnadzor (the regulator) in the event of a breach.
Unsolicited electronic marketing (spam) is not allowed without the recipient’s authorisation. This rule is repeated in varying forms in several laws, including the Personal Data Act, the Advertising Act (Federal Law 38-FZ (March 13 2006)) and the Communication Act (Federal Law 126-FZ (July 7 2003)).
In general, the cross-border transfer of personal data to jurisdictions which provide “adequate protection” of data subjects’ rights is not subject to any additional restrictions, provided that the transfer is carried out in accordance with other provisions of the Personal Data Act.
Before any cross-border transfer of personal data, data operators must ensure that the foreign state to which the data is transferred maintains adequate protection of data subjects’ rights. All of the signatory countries to the Strasbourg Convention 1981 are automatically considered to maintain adequate protection. A further list of countries with adequate protection has been adopted by Roskomnadzor (the relevant regulator).
Information on cross-border transfers of data must be reported as part of the data processing notification procedures.
Cross-border transfers of personal data to jurisdictions that do not provide adequate protection may be carried out in the following cases (and thus subject to the following constraints):
Cross-border transfers of personal data – even to countries with adequate protection – may be prohibited or restricted if necessary to protect the constitutional order, morality, health, rights and legitimate interests of citizens, or for national defence and security.
With the data subject’s consent, a data owner may commission a third party to process personal data pursuant to a contract. The third party must abide by the principles and provisions of the Personal Data Act. The corresponding contract under which the third party will process the personal data must:
Even where personal data is processed by a third party, the initial data operator (owner) is still obliged to notify Roskomnadzor (the relevant regulator) of the personal data processing.
The range of punishable actions subject to penalties was recently expanded. Fines are the principal type of penalty. As of July 1 2017, the maximum fine is Rb70,000 (approximately €1,000).
Individuals are entitled to file suit for compensation of damages and recovery of moral harm. Moral harm is actionable regardless of compensation of damages.
No special legislation has yet been introduced to address cybercrime and cybersecurity in Russia. Instead, cybercrimes are penalised under the Criminal Code, while rules relating to cybersecurity are spread across numerous laws.
Unlike the personal data protection law, the cybersecurity regulations in Russia are neither well developed nor codified in a single statute. The only notable exception is the set of information security rules that govern the activities of financial organisations. In particular, the Central Bank of Russia has introduced a set of standards covering various aspects of cybersecurity within the Russian payment system (although these standards are not binding, they are applied by most members of the local financial market). Further, Russian banks must observe some mandatory regulations that require, among other things, the reporting of cyber incidents that threaten the security of data related to payment transactions.
The legislature is nonetheless making efforts to adopt a more holistic approach towards cybersecurity regulations. For instance, in July 2017 the president of the Russian Federation signed into law a new act intended to set basic cybersecurity standards for critical informational infrastructure. The act will enter into force on August 1 2018.
Russia is also a signatory to international treaties in the area of cybersecurity, such as the Treaty on Cooperation of Commonwealth of Independent States Member States in Combating Crime in the Computer Information Sphere. Notably, Russia has not signed the Budapest Convention on Cybercrime, a Europe-wide treaty setting standards regarding cybercrime, which requires states (among other things) to ensure that legal persons can be held criminally liable for a cyber offence.
The following activities are criminalised in Russia under the Criminal Code:
The following activities are subject to administrative liability in Russia under the Code of Administrative Offences:
Several authorities have complementary powers to enforce cybersecurity rules and investigate cybercrimes, including the police (ie, the Ministry of Internal Affairs through its specialised department, Division K), the Federal Service for Technical and Export Control, the Federal Security Service, the Prosecutor’s Office and Roskomnadzor. Industry regulators (eg, the Central Bank of Russia) also have powers to supervise information security compliance within their respective spheres of governance.
Yes, companies may obtain insurance coverage against cyber risks. With the proliferation of cyberattacks, it is becoming increasingly common for companies to seek insurance.
No, except for those records that must be maintained due to industry specific regulations (see below).
There is no general obligation to report cybercrimes. However, companies in certain industries may be subject to reporting obligations. For example, as noted above, Russian banks must report certain cybersecurity incidents to the Central Bank of Russia. Further, owners of fuel and energy infrastructure must also report cybersecurity incidents to the Federal Security Service and some other agencies.
In June 2017 Russian legislators proposed a new initiative that would make it mandatory for all companies dealing with personal data to submit a data breach notification immediately after such an incident is discovered. Therefore, general reporting obligations may be introduced in the near future.
Potential criminal penalties for cybercrimes include fines of up to Rb500,000 (approximately €7,150), community service (ie, ‘corrective work’), compulsory labour, disqualification from holding certain positions and imprisonment of up to seven years.
The following criminal penalties may be imposed on an individual for breach of the rules applicable to the storage, processing and transfer of protected computer information or network systems and end-user equipment, which causes major damage (Article 274 of the Criminal Code):
Further, non-compliance by a legal entity with cybersecurity regulations may result in administrative fines or cancellation of certain licences, where such licences were issued on the condition of cybersecurity compliance.