Loading...

A draft law has been submitted to the State Duma for the protection of personal data subjects to be enhanced

Pepeliaev Group advises that, on 6 April 2022, a draft law [1] was submitted to the State Duma providing for amendments to be introduced to Federal Law No. 152-FZ “On personal data” (the “Draft Law”). The draft law intends to enhance the protection of Russian citizens’ rights to the sanctity of their private life.

The issue of the security of personal data from unauthorised access by the general public is highly topical. The personal data of Russian citizens has often become available to the general public recently. According to the Explanatory Note to the Draft Law, Internet services have become popular which sell personal data of Russian citizens from various databases. Part of such services are located in the foreign segment of the Internet which is not covered by the requirements of Russian legislation on personal data. According to the statistics of the Russian Federal Service for Supervision of Communications, Information Technology and the Mass Media (known in Russia by the abbreviation “Roskomnadzor”), over 2,500 personal data operators transfer the personal data of Russian citizens across the border to hostile countries.

It is also stressed in the Explanatory Note to the Draft Law that the existing tools are insufficient to ensure the protection of the rights of Russian citizens as personal data subjects.  

Introducing principle of extraterritoriality No. 152-FZ

It is proposed to extend the provisions of Law No. 152-FZ to actions involving the personal data of Russian citizens performed by foreign authorities, legal entities and individuals. Provision is made for the possibility that Russian authorised bodies may interfere with the processing of personal data of Russian citizens in the territories of other states.

Clarifying the requirements for consent to personal data processing

Currently, the consent of a subject to the processing of his/her personal data must be specific, well-informed and conscious (article 9(1) of 152-FZ). The draft law proposes that the regulation be updated with the requirement that consent to the processing of personal data should be substantive and unambiguous.

Introducing an operator’s obligation when personal data breaches occur

It is proposed to introduce the obligation of operators to ensure ongoing cooperation with the state-run system for detecting, preventing and eliminating the consequences of cyber-attacks on Russian information resources, including the notification of cyber-incidents which have led to the unlawful access to, and the exposure, propagation and transmission of, personal data.

In addition, the obligation of operators is introduced to notify Roskomnadzor of any instances of unlawful or accidental access to, and the exposure, propagation and transmission of personal data resulting in subjects’ rights being violated. Such notification should be sent within 24 hours from the incident taking place. The notification should specify information concerning the reasons why the incident happened, the expected damage to subjects’ rights, the persons who have made the unlawful or accidental access to personal data possible, and the measures taken to eliminate the consequences.
For recording purposes, Roskomnadzor will maintain a log of incidents involving the unlawful processing of personal data.

Regulation of the status of a person processing personal data further to an instruction of the operator

The status is regulated of a person processing personal data further to an instruction of the operator. For instance, the definition of such person is introduced as a state body, a municipal body, a legal entity or an individual processing personal data further to an instruction of the operator based on the data subject’s consent, unless otherwise provided for by Law No. 152-FZ.

The draft law specifies that the person processing personal data does not determine the purposes of the processing, the composition of the processed data, and the actions performed with such data.

The operator will be able to instruct the person processing personal data without the consent of the data subject, as follows from the current version of article 6(3) of 152-FZ. The instruction should set out a list of the personal data that is to be processed. The person processing personal data will be obliged to comply with the requirement to localise the databases in the territory of Russia and to follow its obligation to notify the operator of any incidents entailing the violation of data subjects’ rights.

Clarifying the procedure for transferring personal data across the border

The notion of a cross-border transfer of personal data is being updated. The draft law stipulates that, for such transfer, the fact is decisive that the recipient of the data is located in the territory of a foreign state and not such recipient’s legal form.

The draft law proposes that the obligation of operators be introduced to separately notify Roskomnadzor of the intention to perform a cross-border transfer of data. Such transfer may be prohibited or restricted by virtue of a decision of an authorised body in order to protect the fundamentals of the Russian constitutional system, morality, health, rights and lawful interests of citizens, to provide for the defence of the country and protect the economic and financial interests of Russia.

Restrictions with regard to processing biometric personal data

A prohibition is introduced on the processing of the biometric personal data of underage individuals (under 18 years old), except for instances envisaged by article 11(2) of 152-FZ (implementation of international readmission agreements, enforcement of law and court decisions, mandatory state dactyloscopy, as well as other cases provided for by Russian legislation).

The operator will be unable to refuse citizens’ requests for services when they refuse to provide biometric personal data and/or give consent to the processing of personal data if such consent is not mandatory. According to the Draft Law, the provision of biometric personal data cannot be mandatory unless otherwise implied by Law No. 152-FZ.

Significant reduction of the period for complying with Roskomnadzor’s requests

Currently, operators have the possibility to comply with the requests of Roskomnadzor or the data subject connected with the unlawful processing of personal data or obtaining information concerning the processing of personal data within 30 days after receiving such requests. It is proposed to cut the period for complying with such requests to up to 10 business days.

What to think about and what to do

Although the Draft Law has just been submitted to the State Duma, organisations engaged in the processing of personal data should already now take steps to align their activities with the upcoming amendments of personal data legislation. The timely identification and elimination of violations will help mitigate any legal risks, eventual additional expenses on eliminating the consequences, and avoid any reputational losses.

Help from your adviser

Pepeliaev Group's experts continuously monitor amendments of personal data legislation and pride themselves on a solid track record of comprehensive business support in issues regarding compliance with the legislation, the identification and assessment of legal risks, and the development of business oriented proposals to minimise the risks identified.

Pepeliaev Group provides the following types of services:

  • providing advice on compliance with the requirements of personal data legislation;

  • devising the necessary documents relating to the processing of personal data;

  • auditing the organisational and technical measures to protect personal data;

  • providing court representation in disputes relating to the processing of personal data; and

  • offering a digital service for simplifying the updating of the list of persons who have access to personal data.


[1] Draft Law No. 101234-8 “On amending the Federal Law ‘On personal data’ and other legislative acts of the Russian Federation regarding the protection of personal data subjects’ rights”.

Отправить статью

16.05.2022
Pepeliaev Group at the St. Petersburg Law Summit
Read more
13.05.2022
Julia Borozdna leaves Pepeliaev Group
Read more
29.04.2022
Vadim Zaripov has been awarded the first class medal “For the Protection of Rights and Freedoms of Citizens”
Read more