The increasing number of violations of personal data protection law has led to stricter regulations in this area. Since these violations often occur due to a lack of awareness regarding the latest changes and current cybersecurity regulations, we have assembled here relevant information to bring you up to date.
This guide is not meant as an in-depth analysis of every nuance of this subject, but it will give you sufficient understanding to avoid certain problems in the future and focus on more important issues. By reading our guide, you will be in a position to do your own research and ask your external counsel the right questions.
This guide will help you determine whether various provisions of Russian personal data protection law apply to your information security practices, but even if they don’t, given the often cross-border nature of information security laws, it is worth reading if only to make sure that these regulations are not applicable in your jurisdiction.
1. Legal Framework
1.1. Current Level of Legislation
Russian personal data protection law is in line with international standards in this area. The Strasbourg Convention of 1981 (ratified by Russia in 2005) laid the foundation for Russian personal data protection legislation, which was adopted in 2006. Unlike developed foreign regimes, however, Russian data protection law is not as well-equipped to deal with constantly evolving technologies (e.g. big data, cloud computing, cookies, and online behavioral targeting). The regulator also often opts to remain silent on many such issues, leaving room for uncertainty.
At the same time, over the past five years privacy and personal data protection have been at the forefront of the regulator’s focus. In 2014, Russia adopted a rule that requires all data operators (both controllers and processors, although, unlike the GDPR, Russian law does not define such terms) that process personal data of Russian citizens to use databases physically located in Russia. This policy has had a major impact on international online services, making such service providers rethink their data flows. One notable enforcement action against a foreign online service involved the blocking of LinkedIn in Russia.
The year 2017 was marked by a significant increase in fines for non-compliance with personal data regulations, which entered into force on July 1, 2017.
As of 2019, genetic information and information about the state of one’s health are considered personal data. Also in 2019, Resolution No. 146 of the Russian Government dated February 13, 2019, established the rules for organizing and implementing state control and supervision over the processing of personal data, which were later changed by Resolution No. 1046 of the Russian Government dated June 29, 2021. The same year saw the adoption of amendments that made violating the rules on the localization of personal data of Russian citizens a separate offense and established liability for it.
In 2021, amendments regarding personal data permitted by the personal data subject to be shared were introduced to the Personal Data Act; these are discussed in detail in the corresponding section.
Throughout these developments, the regulator has actively monitored and enforced compliance with personal data protection laws. Since March 2021, the fines for violating personal data protection law have doubled, and the time limit for such investigations has been extended.
We recommend monitoring the list of Russian legal entities and individual entrepreneurs subject to audits over the course of the year (see https://rkn.gov.ru/plan-and-reports/). The regulator (Roskomnadzor) updates this list annually.
1.2. Expected Changes of Personal Data Protection Legislation
Several legislative initiatives regarding personal data protection legislation have been announced, such as:
- to create a state operator of big data; and
- to update regulations on processing biometric personal data.
These initiatives are still in the early stages of development and are unlikely to cause significant disruption for businesses.
1.3. Legislation Governing the Collection, Storage, and Use of Personal Data
The main pieces of legislation governing the collection, storage, and use of personal data in Russia are:
- Personal Data Act (Federal Law No. 152-FZ “On Personal Data” dated July 27, 2006); and
- Information Act (Federal Law No. 149-FZ “On Information, Information Technologies, and Information Protection” dated July 27, 2006).
Specific rules are spread across other laws, such as:
- The Labor Code of the Russian Federation, which governs the processing of employees’ personal data;
- The Air Code of the Russian Federation, which governs the transfer of passengers’ personal data;
- The Civil Code of the Russian Federation, which sets general civil law principles on privacy; and
- Federal Law No. 323-FZ “On the Fundamentals of Health Care for Citizens in the Russian Federation” dated November 21, 2011, which governs patients’ personal data.
Detailed personal data protection measures are set out in:
- Resolution No. 1119 of the Russian Government “On Approving Requirements for Personal Data Protection during Processing in Personal Data Information Systems” dated November 1, 2012;
- Order No. 21 of the Federal Service for Technical and Export Control “On Approving the Range and Content of Organizational and Technical Measures for Ensuring Security of Personal Data during Processing in Personal Data Information Systems” dated February 18, 2013;
- Resolution No. 512 of the Russian Government “On Approving Requirements for Physical Media of Biometric Personal Data and for Technologies Used for Storing Such Data Outside Personal Data Information Systems” dated July 6, 2008;
- Order 378 of the Federal Security Service “On Approving the Range and Content of Organizational and Technical Measures for Ensuring Security of Personal Data during Processing in Personal Data Information Systems Using Cryptographic Means of Data Protection Necessary to Implement Requirements Established by the Government of the Russian Federation for Personal Data Protection for Each Level of Security” dated July 10, 2014; and
- a number of other administrative and technical rules contained in the decrees and decisions of various other authorities.
1.4. Scope of the Law
Personal data protection legislation generally applies to all Russian legal entities, individuals, state and municipal bodies.
In certain cases, it also has extraterritorial reach. For instance, the requirement to process personal data relating to Russian citizens in databases physically located in Russia also applies to foreign companies (see section 7 for further details).
1.5. Categories of Personal Data
Under the Personal Data Act, “personal data” is defined to include “any information relating directly or indirectly to an identified or identifiable individual (personal data subject)”.
The law also defines certain categories of personal data that are subject to stricter rules:
- “Special categories of personal data” include information that relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, and the state of health or private life;
- “Biometric personal data” includes physiological and biological characteristics used to identify an individual; and
- Personal data permitted by personal data subjects to be shared, i.e. personal data that may be made public.
2. Powers of Roskomnadzor
The main body responsible for the enforcement of personal data protection legislation in Russia is the Federal Service for Supervision of Information Technologies and Communications (Roskomnadzor), under the Ministry of Communications and Mass Communication of the Russian Federation.
Roskomnadzor is authorized to:
- request information from individuals and legal entities as part of exercising its powers, and receive such information free of charge;
- examine information contained in the notification of personal data processing or engage other state bodies in such examination within the scope of their authority;
- instruct personal data operators to update, block or remove unreliable or unlawfully obtained personal data;
- restrict access to information that was not processed in compliance with the applicable legislation;
- take measures to suspend or discontinue unlawful processing of personal data;
- file lawsuits to protect the rights of personal data subjects, including the rights of the general public, and represent the interests of personal data subjects in court;
- transfer information on measures implemented by data operators to the Federal Security Service and the Federal Service for Technical and Export Control;
- file petitions with the authority that issued the license for an operator’s activities to suspend or cancel the license if it was issued on the condition that no personal data be transferred to third parties without the written consent of the personal data subject;
- file reports with prosecutor’s offices or other law enforcement bodies to initiate criminal proceedings;
- submit proposals to the Russian government on improving data protection regulations;
- initiate administrative proceedings against persons responsible for non-compliance with the Personal Data Act;
- handle complaints of personal data subjects;
- maintain a register of personal data operators;
- implement measures at the request of certain government bodies;
- inform the general public of the state of affairs regarding personal data protection; and
- exercise certain other powers and obligations.
3. Notification of Authorities before Processing Personal Data
A data operator must notify Roskomnadzor of its intention to process personal data before commencing processing, with certain exceptions provided for in Article 22(2) of the Personal Data Act. Such exceptions include the processing of the following personal data:
- data processed under labor legislation;
- data obtained by the operator due to entering into a contract with a personal data subject, provided that such data is not disseminated or transferred to third parties without the personal data subject’s consent and is used only to perform the contract and enter into further contracts with the personal data subject;
- data relating to members (participants) of a social association or religious organization and processed by the social association or religious organization in accordance with Russian law;
- data allowed by the personal data subject to be shared;
- data comprising only the last name, first name, and patronymic of the personal data subject;
- data necessary for one-time access of the personal data subject to the territory where the data operator is located, or for a similar purpose;
- data contained in databases classified as state automated information systems;
- data processed without the use of automation tools; and
- data processed in cases stipulated by Russian legislation on transportation security.
3.1. Notification Procedure
The notification procedure is as follows:
- You need to fill out the notification form. Templates and recommendations are available on the website of Roskomnadzor (https://16.rkn.gov.ru/directions/personal-data/formy-dokumentov/).
- The notification must be submitted in hard copy or in electronic form with the territorial office of Roskomnadzor at the data operator’s place of registration with the tax authority. No registration fee is required.
- Roskomnadzor will review the notification within 30 days and include it in the register of data operators.
The register of personal data operators is available on the website of Roskomnadzor (http://rkn.gov.ru/personal-data/register/).
The data operator must also notify the authorities within 10 business days of any changes in the submitted notification, as well as of the termination of data processing.
3.2. Data Protection Officer
A data operator that is a legal entity must appoint a person responsible for organizing personal data processing (i.e. data protection officer). The data protection officer’s duties include:
- internal monitoring of compliance by the operator and its employees with personal data protection legislation;
- communicating provisions of Russian data protection legislation and internal data protection regulations to the operator’s employees; and
- receiving and processing inquiries from personal data subjects, or supervising their receipt and processing by other employees.
The law sets no qualification requirements for data protection officers.
Information on the data protection officer must be included in notifications to Roskomnadzor.
4. Collection and Storage of Personal Data
4.1. Conditions and Retention of Personal Data Collection, Storage, and Processing
Any processing of personal data, including its collection and storage, requires the data subject’s consent, with certain exceptions set out in the Personal Data Act.
The Personal Data Act requires that the processing of personal data be limited to achieving specific, pre-defined, and lawful goals. These goals must be communicated to the personal data subject when collecting his or her personal data.
Personal data protection legislation does not define a specific period of time during which an organization may (or must) retain personal data records. However, the Personal Data Act prescribes that retention (i.e. storage) of personal data should last no longer than is required for processing that data, unless a specific term of storage is set out by law or by an agreement to which the data subject is a party, beneficiary, or guarantor.
4.2. The Right of Individuals to Access Their Personal Data
Individuals have the right to request a broad range of information about their personal data from organizations (for example, the purpose and methods of processing personal data). This right may be restricted if:
- the relevant personal data, including personal data obtained through special investigative techniques, counterintelligence and intelligence operations, is processed for the purposes of national defense, state security, or law enforcement;
- the personal data is processed by agencies that have: (a) detained the personal data subject on suspicion of committing an offense; (b) brought criminal charges against the personal data subject; or (c) applied restraining measures to the personal data subject before charging him/her;
- the personal data is processed in accordance with the legislation on combating money laundering or financing of terrorism;
- access to the subject’s personal data may infringe on the rights and legitimate interests of third parties; or
- the personal data is processed in accordance with transportation security legislation.
If the operator fails to provide the personal data subject with information relating to the processing of his/her personal data, an administrative fine applies:
- RUB 2,000-4,000 for individuals;
- RUB 20,000-30,000 for individual entrepreneurs;
- RUB 40,000-80,000 for legal entities.
The personal data subject may request information related to the processing of his/her personal data at any time, including:
- confirmation of the collection of the personal data;
- the legal basis and purpose of the processing of the personal data, as well as processing methods;
- the name and location of the data operator, as well as information on persons (other than the operator’s employees) that have access to the personal data;
- the scope and source of the data subject’s processed personal data, as well as the term of such processing, including storage;
- information on completed or planned international transfers of the personal data; and
- the name and address of the person processing the personal data, where applicable.
4.3. The Right of Individuals to Request the Deletion of Their Personal Data
Individuals may request the data operator to correct, block, or delete their personal data where such data is incomplete, outdated, inaccurate, unlawfully obtained, or unnecessary for the stated purpose of processing.
The latest amendments to the Personal Data Act grant personal data subjects the right to request any data operator to remove their personal data from public access (personal data permitted by the personal data subject to be shared) without the need to prove the fact of unlawful processing of the personal data. This means that it is no longer required for the data to be incomplete, outdated, inaccurate, or unlawfully obtained to be removed from public access. All it takes is for the personal data subject to be the rightful owner of that data.
4.4. Requirements for Consent
Personal data may not be processed without the express consent of the personal data subject, with the exception of situations explicitly stipulated in the Personal Data Act.
Processing biometric and special categories of personal data or transferring data to the territory of a state that does not provide adequate protection of personal data requires written consent. This condition is also satisfied when consent is signed with an electronic signature.
However, when it comes to obtaining consent to the processing of biometric and special personal data or when transferring data to a state that does not provide adequate protection of personal data, especially with the use of electronic signatures, it is best to consider each specific case separately.
As of March 2021, consent to the processing of personal data permitted by the personal data subject to be shared must be formalized separately from other forms of consent of the personal data subject. The operator is obliged to provide the personal data subject with the opportunity to determine the list of personal data for each category of personal data specified in the consent to sharing. A person’s silence or inaction may not be considered consent.
4.5. Processing of Personal Data without Consent
No consent of the personal data subject is required in cases where the personal data processing is:
- necessary to (a) achieve objectives stipulated by law or an international agreement to which Russia is a party; and (b) exercise and discharge functions, powers and responsibilities imposed on the data operator by law;
- carried out in connection with a person’s engagement in constitutional, civil, administrative, or criminal proceedings, or proceedings in arbitrazh (commercial) courts;
- necessary to execute a court decision, or a decision of another authority or official, subject to execution in accordance with enforcement legislation;
- required to execute the powers of state authorities;
- necessary for the performance of an agreement to which the personal data subject is a beneficiary or guarantor;
- necessary to protect the life, health, or other vital interests of the personal data subject if it is impossible to obtain consent otherwise;
- necessary to exercise the rights and legitimate interests of the data operator or third parties, or to achieve important social objectives, provided that this does not infringe on the rights and freedoms of the personal data subject;
- necessary for the conduct of the professional activities of journalists or other legitimate media activities, or of scientific, literary or other creative activities, provided that this does not infringe on the rights and legitimate interests of the personal data subject;
- carried out for statistical or other research purposes, except for the purposes set out in the Personal Data Act, subject to mandatory anonymization of personal data;
- carried out with respect to personal data made publicly available by the personal data subject;
- subject to publication or mandatory disclosure in accordance with federal law.
This does not fully apply to special personal data, biometric data, and personal data permitted by the personal data subject to be shared.
5. Data Security and Breach Notification
5.1. Breach Notification
There is no obligation to notify individuals (i.e. personal data subjects) or Roskomnadzor in the event of a breach.
5.2. Electronic Marketing
Unsolicited electronic marketing (spam) is not allowed without the recipient’s authorization. This rule is repeated in various forms in several laws, including the Personal Data Act, the Advertising Act (Federal Law No. 38-FZ “On Advertising” dated March 13, 2006), and the Communication Act (Federal Law No. 126-FZ “On Communication” dated July 7, 2003).
If an email contains any personal data, consent of the corresponding personal data subject must be obtained. The recipient of such emails should be able to unsubscribe from receiving marketing emails at any time.
6. Data Transfer and Third Parties
6.1. Cross-Border Data Transfer
In general, cross-border transfer of personal data to jurisdictions that provide “adequate protection” of data subjects’ rights is not subject to any additional restrictions, provided that the transfer is carried out in accordance with other provisions of the Personal Data Act.
Before any cross-border transfer of personal data, data operators must ensure that the foreign state to which the data is transferred guarantees adequate protection of data subjects’ rights. All signatory countries to the Strasbourg Convention of 1981 are automatically assumed to satisfy this condition. A list of countries with adequate protection has been adopted and periodically updated by Roskomnadzor (Order No. 274 of the Federal Service for Supervision of Information Technologies and Communications dated March 15, 2013).
Information on cross-border transfers of personal data must be reported as part of the data processing notification procedure.
Cross-border transfers of personal data to jurisdictions that do not provide adequate protection may be carried out only in the following cases (and are therefore subject to the following restrictions):
- the personal data subject has consented to the transfer in writing;
- the transfer is allowed under international treaties to which Russia is a party;
- the transfer is allowed under federal laws on protecting the constitutional order or national defense and security, as well as the security of the transportation system;
- the transfer is carried out in the course of performing a contract to which the personal data subject is a party; or
- the transfer is required to protect the life, health, or other vital interests of the data subject or others, and obtaining written consent is not possible.
Cross-border transfers of personal data, even to countries with adequate protection, may be prohibited or restricted if it is necessary for the protection of the constitutional order, morals, health, rights, and legitimate interests of citizens, or for the purposes of national defense and security.
6.2. Third Parties
With the data subject’s consent, a data operator may commission a third party to process personal data on the basis of a contract. The third party must abide by the principles and provisions of the Personal Data Act. The contract under which the third party will process the personal data must:
- specify permissible actions (operations) involving the personal data;
- stipulate the purpose of the processing;
- impose confidentiality and security obligations on the third party; and
- contain requirements for the protection of the processed personal data.
Even where personal data is processed by a third party, the initial data operator is still obliged to notify Roskomnadzor of the personal data processing.
7.1. Data Localization Requirements
When collecting personal data of Russian citizens, including through the Internet, data operators are obliged to record, systematize, accumulate, store, update, change and retrieve such data in databases located within the territory of Russia, except in cases indicated in subsections 2, 3, 4, and 8 of Article 6(1) of the Personal Data Act.
7.2. Targeting Approach
The Ministry of Digital Development, Communications and Mass Media of the Russian Federation sets criteria for determining whether a data operator operates in Russia. If these criteria apply to the data operator, it must abide by the localization requirements of Russian legislation.
The following factors determine whether a website operates in Russia:
- Usage of geographic domain names associated with Russia or its regions (.ru, .su, .рф, .москва, .moscow, etc.); and
- The website’s interface is in Russian (excluding plugins for automatic translations, etc.).
Since the Russian language is also widely used in countries other than Russia, at least one of the following elements is also required to determine whether a website operates in Russia:
- Availability of pricing in Russian rubles;
- The possibility of executing a contract concluded on the website within Russia (delivery of goods, provision of services, or use of digital content in Russia);
- Usage of Russian-language advertisements referring to the relevant website; or
- Other circumstances clearly indicating the website owner’s intent to include the Russian market in his business strategy (customer support service in Russian, the option of calling a telephone number from Russia (a federal toll-free number (8-800...) or a telephone number with a Russian city code), or willingness to sign a contract with a domestic telecom operator and pay for its services).
8. Penalties and Compensation
The range of actions subject to penalties for non-compliance with data protection regulations was recently expanded. Most penalties involve fines. As of August 1, 2021, the maximum fine amount is RUB 18,000,000 (approximately EUR 211,800).
Individuals that incur losses as a result of a data breach or non-compliance with data protection regulations by the data operator are entitled to compensation. They may file a lawsuit to collect pecuniary and non-pecuniary damages. Non-pecuniary damages are not tied to pecuniary damages.
1. Cybersecurity Legislation
1.1. Cybersecurity Acts
The only notable exception is information security regulations that govern the activities of financial organizations. In particular, the Central Bank of Russia has introduced a set of standards covering various aspects of cybersecurity in Russia’s payment system (although these standards are not binding, they have been embraced by most players in Russia’s financial market). Furthermore, Russian banks must observe certain regulations that imply, among other things, the duty to report cyber incidents that threaten the security of data related to payment transactions.
The legislature is nonetheless making efforts to adopt a more holistic approach towards cybersecurity regulations. For example, Federal Law 187-FZ “On Security of the Critical Information Infrastructure of the Russian Federation” dated July 26, 2017, which entered into force in 2018, sets basic cybersecurity standards for the critical informational infrastructure.
Russia is also a signatory to international treaties in the area of cybersecurity, such as the Treaty on Cooperation of CIS Member States in Combating Crime in the Computer Information Sphere. It’s worth mentioning that Russia has not signed the Budapest Convention on Cybercrime, a Europe-wide treaty setting standards regarding cybercrime, which requires states to ensure, among other things, the prosecution of cyber offenses committed by legal persons.
Some legislative initiatives have proposed introducing liability for mobile network operators that allow calls from hidden or spoofed telephone numbers. There have also been proposals to freeze bank accounts reported for fraudulent activities, as well as to introduce a system for exchanging information between banks and mobile network operators, including information on SIM card replacements (SIM swap fraud, where the bad actor gets the mobile network operator to issue a new SIM card in order to gain access to the victim’s internet banking account tied to that SIM card, is a common fraudulent scheme in Russia).
2. Criminalized Activities
The following activities are criminalized under the Criminal Code:
- unauthorized access to computer information (Article 272);
- development, use and dissemination of malware (Article 273);
- breach of rules on the storage, processing, or transfer of protected computer information or network systems and end-user equipment that causes major damage (Article 274);
- unlawful impact on the critical information infrastructure of the Russian Federation (information systems, information and telecommunication networks, and automated control systems of Russian state bodies and of research, health care, transportation, communications, energy, banking, defense and other such entities, as well as entities that service them) (Article 274.1);
- fraud in the use of payment cards (Article 159.3); and
- computer fraud (Article 159.6).
The following activities are subject to administrative liability under the Administrative Offenses Code:
- use of uncertified communication facilities and uncertified means of cryptography in the transmission of messages over the Internet, where certification is required by law (Article 13.6); and
- interference with the working of websites (Article 13.18).
3. Authorities Responsible for Enforcing Cybersecurity Regulations
Several authorities have complementary powers to enforce cybersecurity regulations and investigate cybercrimes, including the police (i.e. the Ministry of Internal Affairs through its specialised department, Division K), the Federal Service for Technical and Export Control, the Federal Security Service, the Office of the Prosecutor General, and Roskomnadzor. Industry regulators (e.g. the Central Bank of Russia) also have powers to supervise information security compliance within their respective spheres of governance.
4. Cybersecurity Best Practices and Reporting
4.1. Insurance for Cybersecurity Breaches
Companies may obtain insurance coverage against cyber risks. With the proliferation of cyberattacks, it is becoming increasingly common for companies to seek such insurance.
4.2. Reports and Records of Cybercrime Threats, Attacks, and Breaches
Companies are not obliged to keep records of cybercrime threats, attacks, and breaches, except for those records that must be maintained due to industry-specific regulations.
There is no general obligation to report cybercrimes. However, companies in certain industries are required to report them. For example, as noted above, Russian banks have to report certain cybersecurity incidents to the Central Bank of Russia. Furthermore, owners of fuel and energy infrastructure must report cybersecurity incidents to the Federal Security Service and some other agencies.
Companies are not required to report cybercrime threats, attacks, and breaches publicly.
5. Criminal Sanctions and Penalties
Potential criminal penalties for cybercrimes include fines of up to RUB 1,000,000 (approximately EUR 11,700), community service (i.e. “corrective work”), compulsory labor, disqualification from holding certain positions, and imprisonment of up to ten years.
For example, the following criminal penalties may be imposed on an individual for a breach of the rules on the storage, processing, and transfer of protected computer information or network systems and end-user equipment that causes major damage (Article 274 of the Criminal Code):
- a fine of up to RUB 500,000 or 18 monthly salaries or other income of the convicted person;
- community service for 6 to 12 months; or
- compulsory labor, non-custodial measures, or imprisonment of up to 2 years.
Further, non-compliance with cybersecurity regulations by a legal entity may result in administrative fines or cancellation of licenses issued on the condition of cybersecurity compliance.