Pepeliaev Group advises that on 14 July 2022 the Russian President signed the law providing for large-scale amendments to the Federal Law “On personal data” (the “Law”)[1].
The Law is aimed at increasing the protection of the privacy rights of Russian nationals and toughening the requirements that operators must meet when processing personal data.
The amendments come into force on 1 September 2022, except for individual provisions that come into force on 1 March 2023.
Previously Federal Law No. 152-FZ “On personal data” dated 27 July 2006 (“152-FZ”) did not contain provisions regulating its scope in terms of the territory and parties to which it applies. Neither did it contain provisions detailing its application to legal entities processing the personal data of Russian nationals. The Russian Ministry of Digital Development, Communications and the Mass Media specified that for specific provisions on the localisation of databases to apply in Russia[2], the activity of a foreign legal entity should be aimed at the territory of Russia. According to the position of the Russian Federal Service for Supervision of Communications, Information Technology, and the Mass Media (the “Federal Service”) that was asserted previously [3], the requirements of 152-FZ extend only to the representative offices of foreign legal entities that process personal data in Russia.
However, from 1 September 2022, 152-FZ also applies to the processing of personal data of Russian nationals that is carried out by foreign legal entities or foreign individuals:
Such persons will be obliged, in addition to the current requirement to comply with the principles of and rules for processing personal data, to take measures to ensure the performance of the obligations for which 152-FZ provides.
In particular, the specified persons will now also be obliged to comply with the requirements for the localisation of databases in Russia and with the multiple measures for which article 18.1 of 152-FZ provides[4]. Moreover, during the validity term of the operator’s instruction, or before such processing starts, the operator may request from such person documents and other information confirming compliance with the specified obligations. Additionally, a person processing personal data further to an instruction is obliged to notify the operator of incidents resulting in a violation of personal data subjects’ rights.
According to the general rule, if the operator instructs another party to process personal data, the operator is liable to the personal data subject for the actions of such person. Now foreign individuals or legal entities processing the personal data of Russian nationals further to an instruction of the operator will be liable to the personal data subjects along with the operator.
Currently, the consent of a personal data subject to the processing of his/her personal data must be specific, well-informed and conscious (article 9(1) of 152-FZ). The Law supplements the provision with requirements that such consent should be subjective and unambiguous.
Article 18.1(1)(2) of 152-FZ provides that the operator is obliged to issue documents that determine the policy for processing personal data, internal regulations for processing personal data, and internal regulations setting out procedures aimed at preventing and identifying violations of Russian legislation and at eliminating the consequences of such violations.
According to the new rules, such documents should determine for each purpose of processing the categories and the list of personal data processed, the categories of personal data subjects, the methods of processing, the timeframes for processing and storing personal data, the procedure for destroying personal data when the purposes of the processing are attained or in the event of other lawful grounds.
Therefore, the previous recommendations of the Federal Service[5] on the contents of the operator’s policy for the processing of personal data are effectively enshrined in 152-FZ itself.
152-FZ still classifies foreign states as those that ensure adequate protection of personal data subjects’ rights[6] and those that do not ensure such protection. However, notification- and permit-based regimes are introduced for transferring personal data across the border.
An obligation is established for the operator to file with the Federal Service a notification of its intention to transfer personal data across the border. The Federal Service will examine this notification within 10 business days. The operator will be able to file such notification only after it has filed the notification of personal data processing for which article 22 of 152-FZ provides.
The notification should specify:
The Federal Service may request from the operator information for assessing the accuracy of the information specified in the notification, specifically:
In addition, the Law establishes that operators are obliged to obtain the listed information before the relevant notification is filed with the Federal Service.
In general, the notification needs to be filed for the purpose of compliance with the following regimes of a cross-border transfer of personal data:
The list of purposes for which a cross-border transfer of personal data may be prohibited or limited has been extended. Previously, the list included: protecting the fundamentals of the Russian constitutional order, morality, health, and the rights and lawful interests of nationals, and ensuring the defence of the country and the safety of the state. From 1 March 2023 the following purposes are added to the list: protecting the economic and financial interests of Russia, ensuring diplomatic and international remedies for Russian nationals, and ensuring the sovereignty, safety and territorial integrity of Russia and its other interests internationally.
If the Federal Service decides to prohibit or limit a cross-border transfer of personal data, the operator is obliged to ensure that the state body of a foreign state, the foreign individual, or the foreign legal entity destroys the personal data that was previously transferred to them.
Operators that are already transferring personal data across the border as at the effective date of the Law are obliged to file with the Federal Service a notification of the cross-border transfer of personal data not later than 1 March 2023. For such operators, no moratorium is introduced on transferring personal data to countries that do not ensure adequate protection of the rights of personal data subjects before a notification is filed with the Federal Service.
Operators will be obliged to ensure cooperation with the State System for Detecting, Preventing and Liquidating the Effects of Computer Attacks[7], which includes notifying it of computer incidents resulting in the unlawful transfer of (provision of, distribution of, or access to) personal data.
If it has been determined that personal data was transferred (provided, distributed or accessed) unlawfully or accidentally, the operator will be obliged:
From 1 March 2023 the Federal Service will maintain a specialised register to record such incidents.
The period for fulfilling the Federal Service’s requests has been substantially reduced
Currently, operators may fulfil requests of the Federal Service or of data subjects relating to the processing of personal data within 30 days from the date on which such requests are received.
The Law reduces the period for fulfilling such requests to 10 business days. This period may be extended, albeit by not more than 5 business days, on the basis of a well-grounded notification from the operator stating the reasons.
According to article 22 of 152-FZ, the operator, before the processing of personal data starts, is obliged to notify the Federal Service of its intention to process personal data, except for the cases listed in part 2 of the specified article. Until 1 September 2022 the operator is entitled not to file a notification if:
After 1 September 2022, this list will be repealed. Operators will be entitled not to file a notification with the Federal Service only in the following cases:
Most of the amendments to 152-FZ come into force from 1 September 2022.
The provisions on the cross-border transfer of personal data come into force from 1 March 2023.
It will be prudent for companies to start taking measures now to bring their activity into line with the new requirements of the legislation on personal data.
In particular, companies should:
The timely identification and elimination of violations will help to mitigate any legal risks and possible additional expenses on eliminating the consequences, as well as to avoid any reputational losses.
Pepeliaev Group's experts have a solid track record of comprehensive business support in issues of compliance with legislation, the identification and assessment of legal risks, and the development of business-oriented proposals to mitigate the risks identified.
The firm provides the following types of services:
[1] Federal Law No. 266-FZ dated 14 July 2022 “On amending the Federal Law “On personal data” and individual items of legislation of the Russian Federation, as well as repealing article 30(14) of the Federal Law “On banks and banking activity”.
[2] https://digital.gov.ru/ru/personaldata/
[3] Clarifications of the Federal Service with respect to frequently asked questions on the protection of the rights of personal data subjects.
[4] The article provides for measures to ensure the operator’s performance of the obligations set out in 152-FZ.
[5] Recommendations of the Federal Service on how to draw up a document determining the operator’s policy for the processing of personal data in accordance with the procedure set out in Federal Law No. 152-FZ “On personal data” dated 27 July 2006.
[6] Such states include the states that are parties to the Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data as well as other states ensuring adequate protection of the rights of personal data subjects that are included in the specialised list according to Order No. 274 of the Federal Service dated 15 March 2013.
[7] The State System for Detecting, Preventing and Liquidating the Effects of Computer Attacks on Russian Information Resources.
The Federal Service will be able to send requests and instructions to any foreign companies that process the personal data of Russian nationals if one of the above conditions is met, regardless of whether such companies have a representative office in Russia.