The Russian President has signed a law to increase the protection of rights of personal data subjects and toughen the requirements for operators of personal data

Pepeliaev Group advises that on 14 July 2022 the Russian President signed the law providing for large-scale amendments to the Federal Law “On personal data” (the “Law”)[1].

The Law is aimed at increasing the protection of the privacy rights of the Russian nationals and toughening the requirements for operators when personal data is processed.

The amendments come into force on 1 September 2022 except for individual provisions that come into force on 1 March 2023.

The principle is introduced of the extra-territorial effect of the law on personal data

Previously Federal Law No. 152-FZ “On personal data” dated 27 July 2006 (“152-FZ”) did not contain provisions regulating its scope in terms of the territory and parties to which it applies. Neither did it contain provisions detailing its application to legal entities processing the personal data of Russian nationals. The Russian Ministry of Digital Development, Communications and the Mass Media specified that for specific provisions on the localisation of databases to apply in Russia[2], the activity of a foreign legal entity should be aimed at the territory of Russia. According to the position of the Russian Federal Service for Supervision of Communications, Information Technology, and the Mass Media (the “Federal Service”) that was asserted previously [3], the requirements of 152-FZ extend only to the representative offices of foreign legal entities that process personal data in Russia.

However, from 1 September 2022 152-FZ also applies to the processing of personal data of Russian nationals that is carried out by foreign legal entities or foreign individuals:

• based on a contract to which Russian nationals are a party, other agreements between foreign legal entities, foreign individuals and Russian nationals; or
• based on the consent of a Russian national.

Additional obligations are vested in persons processing personal data further to an instruction of the operator

Such persons will be obliged, in addition to the current requirement to comply with the principles of and rules for processing personal data, take measures to ensure the performance of the obligations for which 152-FZ provides.

In particular, the specified persons will now be obliged to further comply with the requirements for the localisation of databases in Russia and multiple measures for which article 18.1 of 125-FZ provides[4]. Moreover, during the validity term of the instruction of the operator or before such processing starts, the operator may request from such person documents and other information confirming compliance with the specified obligations. Additionally, the person processing the personal data further to an instruction is obliged to notify the operator of incidents resulting in a violation of subjects’ rights.

According to the general rule, if the operator instructs another party to process personal data, the operator is liable to the personal data subject for the actions of such person. Now foreign individuals or legal entities processing the personal data of Russian nationals further to an instruction of the operator will be liable to the personal data subjects along with the operator.

The requirements are clarified for the data subject’s consent to the processing of personal data

Currently, the consent of a personal data subject to the processing of his/her personal data must be specific, well-informed and conscious (article 9(1) of 152-FZ). The Law supplements the provision with requirements that such consent should be subjective and unambiguous.

The requirements are clarified to the contents of the operator’s internal regulations on the processing of personal data 

Article 18.1(1)(2) of 152-FZ provides that the operator is obliged to issue documents that determine the policy for processing personal data, internal regulations for processing personal data, and internal regulations setting out procedures aimed at preventing and identifying violations of Russian legislation and at eliminating the consequences of such violations.

According to the new rules, such documents should determine for each purpose of processing the categories and the list of personal data processed, the categories of personal data subjects, the methods of processing, the timeframes for processing and storing personal data, the procedure for destroying personal data when the purposes of the processing are attained or in the event of other lawful grounds.

The procedure is changed for transferring personal data across the border (from 1 March 2023)

152-FZ still classifies foreign states as those that ensure adequate protection of personal data subjects’ rights[6] and those that do not ensure such protection. However, notification- and permit-based regimes are introduced for  transferring personal data across the border.

An obligation is established for the operator to file a notification with the Federal Service of the intention to transfer personal data across the border. The Federal Service will examine this notification within 10 business days. The operator will be able to file such notification only after the notification of personal data processing is filed for which article 22 of 152-FZ provides.

The notification should specify:

• the operator’s name (full name) and address and the date and number of the notification set out in article 22 of 152-FZ;
• the name (full name) of the person responsible for the organisation of the processing of personal data, contact phone numbers, mailing addresses and email addresses;
• the legal ground and purpose of the cross-border transfer of personal data and subsequent processing of personal data;
• the categories and list of personal data to be transferred;
• the list of foreign states to which a cross-border transfer of personal data is planned;
• the date when the operator assesses whether the state authorities of foreign states, foreign individuals, and foreign legal entities are complying with the confidentiality of personal data and ensuring the safety of personal data when it is processed.

The Federal Service may request from the operator information for assessing the accuracy of the information specified in the notification, specifically:

• the measures that the state authorities of the foreign state, foreign individuals and foreign legal entities take to protect the personal data to be transferred and information about the conditions for terminating the processing;
• information about legal regulation in the area of personal data of a foreign state in whose jurisdiction the recipients of personal data are located (if the state does not ensure adequate protection of personal data subjects’ rights);
• information about the state bodies of a foreign state, foreign individuals and foreign legal entities (names, full names and contact phone numbers, mailing addresses and email addresses).

In addition, the Law has established that operators are obliged to receive the listed information before the relevant notification is filed with the Federal Service.

In general, the notification needs to be filed for the purpose of compliance with the following regimes of a cross-border transfer of personal data:

• the notification-based regime: applies when personal data is transferred to states that ensure adequate protection of the personal data subjects’ rights. After the notification is filed, the operator may transfer the personal data across the border to the territories of the states specified in the notification until the Federal Service decides to prohibit or limit the cross-border transfer of personal data;
• the permit-based regime: applies when personal data is transferred to states that do not ensure adequate protection of the personal data subjects’ rights. After the notification is filed, the operator may not, until the period terminates during which the Federal Service examines the notification, transfer personal data across the border to the territories of the specified states, except for cases when such transfer is required in order to protect the life, health and other vital interests of the personal data subject or other persons. Therefore, a cross-border transfer of personal data to the specified states will become possible without obtaining a written consent of the personal data subject or any other grounds set out in the current version of article 12(4) of 152-FZ, but provided that the permit of the Federal Service for such transfer is obtained.

The list of purposes is extended for which a cross-border transfer of personal data may be prohibited or limited. Previously, such list of purposes included: protecting the fundamentals of the Russian constitutional order, morality, health, rights and lawful interests of nationals, ensuring the defence of the country and safety of the state. From 1 March 2023 the following purposes are included in the list: protecting the economic and financial interests of Russia, ensuring diplomatic and international remedies for Russian nationals, ensuring the sovereignty, safety and territorial integrity of Russia and its other interests internationally.

If the Federal Service decides to prohibit or limit a cross-border transfer of personal data the operator is obliged to ensure that the state body of a foreign state, the foreign individual, or the foreign legal entity destroys personal data that was previously transferred to them.

Operators that are already transferring personal data across the border as at the effective date of the Law are obliged not later than 1 March 2023 to file with the Federal Service a notification of the cross-border transfer of personal data. For such operators no moratorium is introduced on the transfer of personal data to countries that do not ensure adequate protection of the rights of personal data subjects before a notification is filed with the Federal Service.

Operators are vested with obligations in the event of personal data breaches

Operators will be obliged to ensure cooperation with the State System for Detecting, Preventing and Liquidating the Effects of Computer Attacks[7], which includes advising of computer incidents resulting in an unlawful transfer (provision, distribution and access to) personal data.

If it has been determined that personal data was transferred (provided, distributed or accessed) unlawfully or accidentally the operator will be obliged:

• from the time when the operator, the Federal Service or another interested party identifies such incident, to notify the Federal Service within 24 hours of the incident that has occurred, the possible reasons and the damage caused to the personal data subjects’ rights, of the measures taken to eliminate the consequences and to provide information about the person authorised by the operator to cooperate with the Federal Service on such incident;
• within 72 hours from the time when the incident is identified, to inform the Federal Service of the results of the internal investigation of the incident and to provide information about the persons whose actions caused the incident identified (if any).

From 1 March 2023 the Federal Service will maintain a specialised register to record such incidents.

The period has been substantially reduced for fulfilling the Federal Service’s requests

Currently, operators may fulfil the requests of the Federal Service or of the data subjects relating to the processing of personal data within 30 days from the date when such requests are received.

The Law reduces the period for fulfilling such requests to up to 10 business days. This period may be extended, albeit by not more than 5 business days, if there is a well-grounded notification from the operator containing the reasons.

The list has been reduced of the cases when the operator is entitled not to file a notification of the processing of personal data with the Federal Service

According to article 22 of 152-FZ, the operator, before the processing of personal data starts, is obliged to notify the Federal Service of its intention to process personal data, except for the cases listed in part 2 of the specified article. Until 1 September 2022 the operator is entitled not to file a notification if:

• the personal data is processed in accordance with the employment legislation;
• the operator receives the personal data in connection with entering into a contract to which the personal data subject is a party, provided that the personal data is not distributed and is not provided to third parties without the personal data subject’s consent, and provided that the operator uses the personal data solely for the purposes of performing such contract and of entering into contracts with the personal data subject;
• the personal data relates to the members of a social association or a religious organisation and is processed by the relevant social association or religious organisation for lawful purposes that are set out in their internal regulations provided that the personal data will not be distributed or disclosed to third parties without the written consent of personal data subjects;
• the personal data is processed which the personal data subject permits to be distributed provided that the operator complies with the prohibitions and conditions (article 10.1 of 152-FZ);
• the personal data includes only the full names of personal data subjects;
• personal data is processed which is required for one-time access of the personal data subject to a territory where the operator is located, or for other similar purposes;

After 1 September this list will be repealed. Operators will be entitled not to file a notification with the Federal Service only in the following cases:

• if the personal data is included in state personal data information systems created for the purpose of ensuring the security of the state and public order;
• if the operator performs activity relating to the processing of personal data exclusively without using automated tools;
• if the personal data is processed in the cases provided for by Russian legislation on transport safety with a view to ensuring the stable and safe operation of the transportation industry, or protecting the interests of an individual, the society and the state in the area of the transportation industry against acts of unlawful interference.

What to think about and what to do

Most of the amendments to 152-FZ come into force from 1 September 2022.

The provisions on the cross-border transfer of personal data come into force from 1 March 2023.

It will be prudent for companies to start taking measures now to bring their activity into line with the new requirements of the legislation on personal data.

In particular, companies should:

• conduct an audit of the processing of personal data for the purpose of amending internal regulations and filing with the Federal Service a notification of the processing of personal data;
• foreign companies processing personal data of Russian nationals should bring their activity relating to such processing into line with 152-FZ;
• request from persons processing personal data further to an instruction information regarding compliance with the requirements of 152-FZ and amend contracts that contain the instruction to process the personal data;
• conduct an audit of consents to the processing of the personal data of personal data subjects and, if needed, bring them into line with the requirements of 152-FZ;
• revise the processes of responding to requests of personal data subjects and the Federal Service for the purpose of reducing the timeframes for preparing the responses;
• companies transferring personal data across the border, as at the date when the Law comes into force, should determine the list of states to which a transfer is carried out and request the information for which the Law provides from foreign counterparties for a notification to be filed with the Federal Service before 1 March 2023.

The timely identification and elimination of violations will help to mitigate any legal risks and possible additional expenses on eliminating the consequences, as well as to avoid any reputational losses.

Help from your adviser

Pepeliaev Group's experts have a solid track record of comprehensive business support in issues of compliance with legislation, the identification and assessment of legal risks, and the development of business-oriented proposals to mitigate the risks identified.

The firm provides the following types of services:

• advising on compliance with personal data legislation;
• carrying out a complex audit of the processing of personal data to establish whether it corresponds to the legislative requirements;
• developing and/or amending internal regulations of companies that govern the processing of personal data, including the provisions on the procedure for cooperation with persons processing personal data further to the operator’s instruction;
• drawing up and/or amending consents of personal data subjects to the processing of personal data in accordance with the requirements of 152-FZ;
• developing internal regulations of companies and instructions for employees on how to respond to the applications and requests of personal data subjects and the Federal Service;
• preparing notifications set out in 152-FZ that are to be filed with the Federal Service;
• representing companies in dealings with state authorities and in courts in disputes relating to the processing of personal data.

[1] Federal Law No. 266-FZ dated 14 July 2022 “On amending the Federal Law “On personal data” and individual items of legislation of the Russian Federation, as well as repealing article 30(14) of the Federal Law “On banks and banking activity”.
[2] https://digital.gov.ru/ru/personaldata/
[3] Clarifications of the Federal Service with respect to frequently asked questions on the protection of the rights of personal data subjects.
[4] The article provides for measures to ensure the operator’s performance of the obligations set out in 152-FZ.
[5] Recommendations of the Federal Service on how to draw up a document determining the operator’s policy for the processing of personal data in accordance with the procedure set out in Federal Law No. 152-FZ “On personal data” dated 27 July 2006
[6] Such states include the states that are parties to the Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data as well as other states ensuring adequate protection of the rights of personal data subjects that are included in the specialised list according to Order No. 274 of the Federal Service dated 15 March 2013.
[7] The State System for Detecting, Preventing and Liquidating the Effects of Computer Attacks on Russian Information Resources.