
NEW VERSION OF THE LAW 'ON PERSONAL DATA' PROTECTS THE RIGHTS OF PERSONAL DATA OPERATORS

12.07.2011
10 min read

Pepeliaev Group advises that the Russian State Duma has passed in its third reading draft law No. 282499-5 On amending the Federal Law 'On personal data'. The legislative body is proposing a fundamentally new, more user-friendly [1] text of the law, which clarifies and simplifies many provisions of the current legislation concerning personal data ("PD").

As is indicated in the explanatory note to the draft, the main reason for enacting it is to create the conditions for implementing the aims stated in the Law 'On personal data' (the "Law"), which have not been achieved in five years of practice in applying the Law.

The following proposed fundamental changes may be highlighted:

1) The very concept of personal data is adjusted

The legislative body is moving away from a specific list of PD and also, most importantly, is moving away from classifying information as PD on the basis that a data subject may be identified through it. PD will now be defined as "any information which directly or indirectly relates to a defined individual". We therefore consider that, under the new text of the Law, PD may be understood as any personal information which relates to one person or another, which substantially extends the scope of PD and the range of operators processing it.

2) The range of obligations of PD operators in relation to PD processing is restricted

After the Law was adopted in 2006, more than 30 items of subordinate legislation were adopted by various authorities, establishing a large number of obligations for PD operators ("operators"), which were not provided for by the Law. These are difficult to implement and/or involve serious expenditure of time and money for operators.

The new version of the Law establishes that items of subordinate legislation on issues of PD processing may not impose on operators obligations which are not stipulated by the Law. In other words, at least on an initial reading of the new version, the range of an operator's obligations is established and restricted so that an operator can be sure that there are no important requirements it has missed. If an inspection is conducted, the operator can report that it is complying with the Law's requirements.

3) A 'balance of interests' of operators and data subjects is established

The current version of the Law contains a clear bias in favour of data subjects. In particular, under the general rule, an operator may only process PD with the data subject's consent.

Currently the Law lacks clear criteria as to (i) when such consent is and is not required; and (ii) when consent must be obtained in writing and when there is no requirement for it to be in writing. Also, given that the Law provides that in any dispute the operator bears the burden of proving that consent was obtained, the operator faces a difficult choice: either obtain consent 'at every step', which is extremely time- and labour-intensive as well as open to abuse on the part of operators' employees and business partners, or not obtain the consents (or obtain them in the wrong form) and risk sanctions for failing to comply with the Law.

In the new version of the Law, obtaining a data subject's consent is only one particular instance when the processing of PD is permitted. Other lawful grounds for processing by PD operators (without obtaining consent) are:

- the exercise and performance of functions, authority and obligations imposed on the operator by law;

- the processing of PD is necessary for the rights and lawful interests of the operator and third parties to be realised;

- the PD being processed is accessible to an unrestricted circle of persons, access having been given by or at the request of the data subject, etc.

Thus, since practically any processing of PD is associated either with an operator's performance of the functions and authority provided for by legislation, or with the exercise by operators or third parties (under contracts the operator has with them) of rights and lawful interests which do not contravene legislation, the number of instances in which consent is required is significantly narrowed.

At the same time, it is necessary to remember the specific requirements for processing which are stipulated in chapter 14 of the Russian Labour Code.

Moreover, even when a data subject's consent is required, it may be given not by the subject themselves, but by a person (for example, the head of the human resources department of their employer on the employee's behalf) to whom such data subject has issued a power of attorney for this purpose. The consent may actually be in any form that allows the fact to be confirmed that consent has been obtained (for instance, it may be a provision of a contract).

It should be noted that a person engaged to process PD on the operator's behalf has no obligation, under the new text of the Law, to receive a data subject's consent to such processing.

4) The procedure is clarified for the cross-border processing of PD

In particular, it is stated that states party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data are treated as ensuring an adequate level of protection for the rights of data subjects, as are other states on a list to be approved by Roskomnadzor, the communications regulatory authority. Accordingly, no consent from a data subject is required for PD to be transferred to and processed in states which ensure an adequate level of protection.

5) Has the deadline for bringing PD information systems into compliance become irrelevant - can operators rest easy?

The deadline established by the Law on PD for bringing PD information systems into compliance with its requirements is 1 July 2011.

The new version of the law does not provide for a new deadline. Does this mean that, after the amendments come into force, operators will immediately have to comply with the requirements of the law? It seems not.

The new version of the Law brings into order the system of subordinate legislation which will be published in pursuance of the Law.

The new version establishes that the Russian Government will set the level to which PD needs to be protected during processing in information systems, depending on the level of threat to the security of such data. In doing so, the Government will, among other things, take into consideration: (i) the potential harm to a data subject; (ii) the type of activity in the course of which PD is processed; (iii) the actual threats to the security of the data. In addition, for each of the levels of protection, the Federal Security Service ("FSS") and the Federal Service for Technical and Export Control ("FSTEC") will develop specific requirements in terms of organisational and technical measures to ensure the security of data when it is processed in information systems.

However, there is currently no legal act of the Russian Government establishing levels of protection for PD. Accordingly, there are as yet no corresponding regulations from the FSS or FSTEC.

In connection with the above, the logical conclusion is that, since the new requirements for bringing PD information systems into compliance with the Law relate primarily to security issues, operators are unable to fulfil those requirements until the relevant regulations are published.

At the same time, the best view is that those security requirements for PD information systems which do not depend on regulations being published (including, for example, keeping records of machine-readable media carrying PD, etc.) should be put in place as soon as the amendments to the law come into force.

6) When implementing the requirements of the Law, operators have autonomy in choosing legal and organisational measures not connected with ensuring the security of PD

The new version of the Law allows operators to define independently the set of measures that are necessary and sufficient to satisfy the requirements of the Law and subordinate legislation. In addition, a sample non-exhaustive list of such measures is established, including (i) designating a responsible officer, (ii) publishing internal regulations and (iii) familiarising employees with them, exercising internal supervision, etc. The Russian Government will establish a compulsory list of measures only in relation to state and municipal authorities.

Along with the above amendments, the new version of the Law also introduces and clarifies a number of concepts (including the concepts of processing PD, automated processing of PD, disseminating and supplying PD, etc.); increases the deadlines allowed for an operator to respond to requests from data subjects and supervisory authorities; extends the list of information to be included in a notification to Roskomnadzor; clarifies and simplifies the procedure for transferring PD to third parties for processing, etc.

It is important to note that the new version of the Law provides for the amendments to be applied retroactively from 1 July 2011.

Although the new version also contains a number of unclear provisions (including several definitions, technical requirements, etc.), it still seems to us a significant step forward in the development of Russian personal data legislation.

Recommendations:

Although the prospects of the amendments to the Law not being adopted are fairly small, we recommend that our clients wait for the new version of the Law to be passed by the Federation Council and signed by the Russian President. However, even at this stage, it would be prudent to take the following preliminary measures:

1) Re-examine the organisational and technical protective measures which many PD operators are currently taking to bring the PD systems they use into compliance with the Law's requirements, since those technical and organisational requirements may change. If your company is not included in the audit schedule for this year, there is minimal risk of inspectors coming to you in the near future and uncovering any non-compliance.

2) Think through the amendments that should be made to the current local regulations, the model employment and civil law contracts and other documents to ensure that they comply with the amendments; assess the resources and finances necessary to implement the measures in question.

3) Begin searching for an internal or external candidate for the post of the responsible officer in the company for the processing of personal data (this may not be the general director).

4) Analyse the legal grounds on which your company processes PD and classify them according to the grounds for processing set out in the new version of the Law; this will assist in determining which data processing regime will apply (with or without consent, etc.).

Pepeliaev Group's professionals have extensive experience of advising on issues of compliance with personal data legislation (including on international projects). They can provide any necessary assistance to help operator companies to conduct their business in compliance with the requirements of the Law.


[1] In Russian, "convenient to use"

For further details, please contact:

in Moscow – Julia Borozdna, Head of Employment and Migration Practice, at (495) 967-00-07 or by e-mail;  Andrey Slepov, Senior Associate, at (495) 967-00-07 or by e-mail; Elena Ovcharova, Head of the Administrative Defence of Business Group, at (495) 967-00-07 or by e-mail; Nataly Travkina, Lead Associate, at (495) 967-00-07 or by e-mail

in St Petersburg - Sergey Spasennov, Partner, Head of St. Petersburg office, at (812) 640-60-10 or by e-mail; Alexander Korkin, Associate, at (812) 640-60-10 or by e-mail
