A draft law to enhance the protection of personal data subjects has been submitted to the State Duma
Pepeliaev Group advises that, on 6 April 2022, a draft law [1] was submitted to the State Duma providing for amendments to be introduced to Federal Law No. 152-FZ “On personal data” (the “Draft Law”). The draft law intends to enhance the protection of Russian citizens’ rights to the sanctity of their private life.
The security of personal data against unauthorised access by the general public is a highly topical issue. Recently, the personal data of Russian citizens has often become available to the general public. According to the Explanatory Note to the Draft Law, Internet services that sell the personal data of Russian citizens from various databases have become popular. Some of these services are located in the foreign segment of the Internet, which is not covered by the requirements of Russian legislation on personal data. According to the statistics of the Russian Federal Service for Supervision of Communications, Information Technology and the Mass Media (known in Russia by the abbreviation “Roskomnadzor”), over 2,500 personal data operators transfer the personal data of Russian citizens across the border to hostile countries.
It is also stressed in the Explanatory Note to the Draft Law that the existing tools are insufficient to ensure the protection of the rights of Russian citizens as personal data subjects.
Introducing the principle of extraterritoriality for Law No. 152-FZ
It is proposed to extend the provisions of Law No. 152-FZ to actions involving the personal data of Russian citizens performed by foreign authorities, legal entities and individuals. Provision is made for the possibility that Russian authorised bodies may interfere with the processing of personal data of Russian citizens in the territories of other states.
Clarifying the requirements for consent to personal data processing
Currently, the consent of a subject to the processing of his/her personal data must be specific, well-informed and conscious (article 9(1) of 152-FZ). The draft law proposes that the regulation be updated with the requirement that consent to the processing of personal data should be substantive and unambiguous.
Introducing an operator’s obligation when personal data breaches occur
It is proposed to introduce the obligation of operators to ensure ongoing cooperation with the state-run system for detecting, preventing and eliminating the consequences of cyber-attacks on Russian information resources, including the notification of cyber-incidents which have led to the unlawful access to, and the exposure, propagation and transmission of, personal data.
Regulation of the status of a person processing personal data further to an instruction of the operator
The Draft Law regulates the status of a person processing personal data further to an instruction of the operator. For instance, such a person is defined as a state body, a municipal body, a legal entity or an individual processing personal data further to an instruction of the operator based on the data subject’s consent, unless otherwise provided for by Law No. 152-FZ.
The draft law specifies that the person processing personal data does not determine the purposes of the processing, the composition of the processed data, and the actions performed with such data.
Clarifying the procedure for transferring personal data across the border
The notion of a cross-border transfer of personal data is being updated. The draft law stipulates that what is decisive for such a transfer is that the recipient of the data is located in the territory of a foreign state, not the recipient’s legal form.
Restrictions with regard to processing biometric personal data
A prohibition is introduced on the processing of the biometric personal data of underage individuals (under 18 years old), except for instances envisaged by article 11(2) of 152-FZ (implementation of international readmission agreements, enforcement of law and court decisions, mandatory state dactyloscopy, as well as other cases provided for by Russian legislation).
Significant reduction of the period for complying with Roskomnadzor’s requests
Currently, operators have 30 days after receiving a request from Roskomnadzor or the data subject to comply with it, where the request is connected with the unlawful processing of personal data or with obtaining information concerning the processing of personal data. It is proposed to cut the period for complying with such requests to no more than 10 business days.
What to think about and what to do
Although the Draft Law has just been submitted to the State Duma, organisations engaged in the processing of personal data should already take steps to align their activities with the upcoming amendments to personal data legislation. The timely identification and elimination of violations will help mitigate any legal risks and any eventual additional expenses on eliminating the consequences, and avoid any reputational losses.
Help from your adviser
Pepeliaev Group's experts continuously monitor amendments of personal data legislation and pride themselves on a solid track record of comprehensive business support in issues regarding compliance with the legislation, the identification and assessment of legal risks, and the development of business oriented proposals to minimise the risks identified.
Pepeliaev Group provides the following types of services:
- providing advice on compliance with the requirements of personal data legislation;
- devising the necessary documents relating to the processing of personal data;
- auditing the organisational and technical measures to protect personal data;
- providing court representation in disputes relating to the processing of personal data; and
- offering a digital service for simplifying the updating of the list of persons who have access to personal data.
[1] Draft Law No. 101234-8 “On amending the Federal Law ‘On personal data’ and other legislative acts of the Russian Federation regarding the protection of personal data subjects’ rights”.