A law has been published that establishes specific aspects of how publicly available personal data is to be processed
Pepeliaev Group advises that on 30 December 2020 a law[1] was published that amends the Federal Law “On personal data”[2] which regulates specific aspects of the processing and dissemination of personal data that is to be disclosed to an unspecified group of persons (rather than of publicly available personal data).
The primary amendments established by the new law will come into force on 1 March 2021.
According to the explanatory note to the draft law which has been adopted, the purpose of the new regulation is to eliminate the possibility of personal data (“PD”), particularly PD published on websites, being used without control, in other words, being used for purposes different from the purpose of the initial collection (publication) of such PD.
A new concept is introduced of “PD authorised for dissemination by the data subject” where dissemination means providing access to an unspecified group of persons.
The concept of “publicly available data” has been removed from almost all articles of the Law on PD. For example, “processing PD, access to which has been provided to an unspecified group of persons by the data subject or at the data subject’s request” (in other words, PD which the data subject has made publicly available) has been removed from the list of legal grounds for the processing of PD.
The Law on PD entrenches the need to obtain consent to the processing of PD authorised for dissemination separately from other consents. The requirements for the content of such consent will be established by the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media (known by the Russian abbreviation Roskomnadzor) and it can be expected that they will be rather strict. For example, it follows from the explanatory note to the draft law that the consent “shall include a list of the operator’s internet resources where it is planned to post publicly available PD”.
Also, the Law establishes that in addition to obtaining consent to the processing of PD for further dissemination directly from the data subject, an operator will have an opportunity to obtain such consent using the information system of Roskomnadzor.
Importantly, a PD operator will be obliged to publish information about the conditions and restrictions described above within three days after the corresponding consent has been received from the data subject.
Several important mechanisms are established to protect PD being disseminated. For example, the burden of proof that PD has been processed and further disseminated lawfully has been imposed on each PD operator that has undertaken processing (including dissemination) of the PD. Such burden will be imposed on an operator when:
Finally, the procedure has been regulated for discontinuing the processing of PD authorised for dissemination. A personal data subject may send a demand that the transmission (dissemination, provision or access) be terminated for certain PD authorised for dissemination. The Law establishes the requirements for the content of such a request. Also, the data subject may file a demand to this effect with the court.
In its turn, the operator must terminate the transmission (dissemination, provision) of or access to PD authorised for dissemination within three business days from when such demand was received or within the timeframe set in the decision of the court which has come into effect (or within three business days from when the court decision comes into effect if no such timeframe was set).
The primary amendments established by the new law will come into force on 1 March 2021.
According to the explanatory note to the draft law which has been adopted, the purpose of the new regulation is to eliminate the possibility of personal data (“PD”), particularly PD published on websites, being used without control, in other words, being used for purposes different from the purpose of the initial collection (publication) of such PD.
A new concept is introduced of “PD authorised for dissemination by the data subject” where dissemination means providing access to an unspecified group of persons.
The concept of “publicly available data” has been removed from almost all articles of the Law on PD. For example, “processing PD, access to which has been provided to an unspecified group of persons by the data subject or at the data subject’s request” (in other words, PD which the data subject has made publicly available) has been removed from the list of legal grounds for the processing of PD.
 | However, the provision of the Law on PD which regulates the processing of PD in publicly available sources of PD (article 8 of the Law on PD) has not been changed. We believe that certain questions may arise during the administration of this Law with respect to the delineation of the mechanisms of using (including forming) publicly available sources of PD and PD authorised for dissemination. |
The Law on PD entrenches the need to obtain consent to the processing of PD authorised for dissemination separately from other consents. The requirements for the content of such consent will be established by the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media (known by the Russian abbreviation Roskomnadzor) and it can be expected that they will be rather strict. For example, it follows from the explanatory note to the draft law that the consent “shall include a list of the operator’s internet resources where it is planned to post publicly available PD”.
Also, the Law establishes that in addition to obtaining consent to the processing of PD for further dissemination directly from the data subject, an operator will have an opportunity to obtain such consent using the information system of Roskomnadzor.
| In the future we expect that Roskomnadzor will publish information containing the complete list of requirements for the content of a consent to the processing of PD to be disseminated. It is also worth noting that Roskomnadzor is expected to provide information on the system through which it will be possible to obtain the required consents. Roskomnadzor is to establish the rules for using this information system including the procedure for how a data subject will communicate with an operator. |
Importantly, a PD operator will be obliged to publish information about the conditions and restrictions described above within three days after the corresponding consent has been received from the data subject.
Several important mechanisms are established to protect PD being disseminated. For example, the burden of proof that PD has been processed and further disseminated lawfully has been imposed on each PD operator that has undertaken processing (including dissemination) of the PD. Such burden will be imposed on an operator when:
- the operator has disseminated the PD to an unspecified group of persons without the required consent, or
- the PD has been disclosed to an unspecified group of persons as a result of a violation, crime or force majeure.
| The provision established by the new law concerning consent to the processing of PD authorised for dissemination is in many ways similar to the European regulation of the concept and mechanism of obtaining consent to the processing of PD. For example, the consent must be expressed directly and unambiguously, and it may not be “passive”. |
Finally, the procedure has been regulated for discontinuing the processing of PD authorised for dissemination. A personal data subject may send a demand that the transmission (dissemination, provision or access) be terminated for certain PD authorised for dissemination. The Law establishes the requirements for the content of such a request. Also, the data subject may file a demand to this effect with the court.
In its turn, the operator must terminate the transmission (dissemination, provision) of or access to PD authorised for dissemination within three business days from when such demand was received or within the timeframe set in the decision of the court which has come into effect (or within three business days from when the court decision comes into effect if no such timeframe was set).
What to think about and what to do
Companies need to be prepared to comply with the new requirements established by the law and to take them into account in their future work, including:- to take the appropriate measures to update the company’s internal documents regulating the procedures for processing PD and develop new or adjust the existing forms of consents to the processing of PD;
- if the company's operations are connected with the processing of PD being disseminated, to organise the operations of the company and of its employees in accordance with the new legislative requirements and, among other things, to revise the existing business processes, if necessary.
Help from your advisers
Pepeliaev Group’s experts have extensive experience of handling issues relating to compliance with personal data legislation including compliance with regulations concerning the processing of publicly available data. They are ready to provide comprehensive legal support and technical assistance in checking compliance with the requirements of personal data legislation, and in eliminating any violations identified. They also represent a company and its employees when administrative authorities exercise regulatory control and in disputes with such authorities.[1] Federal Law No. 519-FZ “On amending the Federal Law “On personal data” dated 30 December 2020.
[2] Federal Law No. 152-FZ “On personal data” dated 27 July 2006 (the “Law on PD”).
[2] Federal Law No. 152-FZ “On personal data” dated 27 July 2006 (the “Law on PD”).