November 2017
Personal data protection in Russia: a brief overview
The protection of personal data is becoming one of today’s most pressing issues, resulting in the modernization of national legislation on personal data. Federal Law No. 152-FZ dated July 27th, 2006 "On Personal Data" (as amended) (hereinafter the Law on Personal Data) defines the basics of personal data regulation in Russia. The General Data Protection Regulation (GDPR)[1], which will take effect in May 2018, gives rise to more discussion than any other supranational act. The GDPR will be directly applicable to a number of Russian companies, since they collect data of European citizens.
1. Personal data and the definition of data operator
An analysis of the legal definition of personal data is required to determine the regulatory landscape. The Law on Personal Data defines personal data as any information referring directly or indirectly to a particular or identified individual (a data subject). Law enforcement practice, along with official recommendations issued by administrative bodies (Roskomnadzor[2], the Ministry of Communications), gives this broad legal definition more concrete shape. The crucial factor in treating information as personal data is the possibility of identifying the person: information should be considered personal data if it makes it possible to identify a data subject.
A data operator[3] is an entity that carries out certain data processing activities. Data operators are held liable for violating data subjects’ rights in the form of considerable administrative fines, the blocking of websites/applications, and the compulsory termination of all activities in Russia. According to the Law on Personal Data, an operator processes data and/or organizes such processing (either alone or jointly), and determines the purposes of processing and the list of operations applied to that data. Under this definition, an entity is regarded as a data operator not only if it processes the data by itself, but also if it entrusts the processing activities to a third party, which then processes the data on the operator’s behalf.
2. Basic data processing requirements
All activities that involve personal data constitute data processing and require that specific preliminary actions be taken. For example, prior to data processing, operators must ensure they have lawful consent from the data subject to process their data, and must notify Roskomnadzor in advance of the data processing.
The operator must obtain consent from a data subject before the processing. Consent is the key basis for lawful processing, apart from exceptional cases. The most common exceptions are processing for the performance of a contract (in which the data subject is a party), public data processing, and processing to comply with legal requirements. The Law on Personal Data sets out particular requirements for the content of a data subject’s consent, without prescribing any specific form.
Consent from a data subject:
- Is given in writing on paper, or in electronic form;
- Must be specific, informed, and conscious;
- Is freely given by a data subject of his/her own free will, and in his/her interest;
- May be withdrawn by a data subject at any time.
The consent must contain the list of data categories and permissible operations, the processing purposes, the validity period for which consent is granted, and any data about third parties which the operator may entrust with processing the data. Moreover, the consent does not authorize further uncontrolled collection activities, or any other operations with the data performed by the data operator or a third party.
The Law on Personal Data also contains requirements governing the processing procedure to be observed in order to protect data subjects’ rights.
Data processing:
- Must be performed on a legal and fair basis;
- Must be limited to achieving specific, lawful processing purposes determined in advance;
- Must use the data only for the purposes for which it is processed;
- Must keep the content and the amount of data processed in accordance with the purposes of processing.
Operators must notify Roskomnadzor prior to processing in order to be included in a special register of data controllers (published on the Roskomnadzor website), which legalizes their further data processing. At the same time, the Law on Personal Data establishes a broad list of exceptions, so a number of data operators are not obliged to send any notification before processing. Among others, these exceptions include processing performed in accordance with labor law, processing connected with signing a contract, and public data processing.
Operators are obliged to keep data confidential, except for public and depersonalized data categories. In practice, confidentiality is a pressing issue today because of the large-scale negative impact of illegal data transfers from operators to third parties and the subsequent distribution of that data.
A data operator may enter into a contract with a third party and transfer the personal data that needs to be processed. In such a contract, the parties must agree on a list of operations that can involve data, the processing purposes, confidentiality, and providing for data security. The Supreme Court of the Russian Federation, in its decision dated August 1st, 2016 in case No. 78-КГ17-45, pointed out that consent to transfer data from an operator to a third party is not compulsory when the operator exercises its right to assign contract claims, or the operator transfers data while performing the contract (in which the data subject is a party). Otherwise, this kind of unlawful data transfer from an operator to a third party (in this case data was transferred according to an agency agreement) constitutes a data breach.
The issue of data breaches should be analyzed in the framework of data transfers, and whether data breaches result in negative consequences for data subjects, data operators, or illegal users of the transferred data. The personal data of 5 million Russian citizens was sold on the black market in September 2017[4]. Media report that the data was mainly transferred from the databases of insurance companies. The insurance companies violated the procedures for data processing and for data transfers to third parties, failing to ensure confidentiality, which became the cause of the breaches; violations of this kind are common in the insurance sector and can lead to such breaches. As a result of data breaches, companies may be fined by Roskomnadzor for each violation, and may lose customers and gain a bad reputation on the market.
The issue of unauthorized data processing arises not only when the data relates to particular data subjects, but also when one company processes big data on the users of another company without any authorization. VKontakte, one of the most popular Russian social networks, brought a lawsuit before the Moscow Arbitration Court against the company Double (under the brand Double Data) and the National Bureau of Credit Histories in January 2017. The companies were sued on the grounds of the unauthorized gathering of publicly available information on VKontakte users for the purposes of assessing their creditworthiness, and selling this information to banks afterwards. Double Data extracted from VKontakte information on users’ names, the places they study and work, the friends on their pages, their dates of birth and places of residence, photos, and information on the types of devices they use to access the social network. All of these actions were performed without any permission being given by VKontakte, or by the users themselves, to gather and use such information from the network for commercial purposes. Under the VKontakte terms and conditions of use, all users give consent to having their public data processed by VKontakte as a data operator, but not to data processing performed by third parties. Double Data and VKontakte entered into a settlement agreement that obligated Double Data not to use big data from VKontakte without permission, and in return VKontakte would not file any claims in the matter against Double Data. Thus the dispute between VKontakte and Double Data was partially resolved[5].
3. Data localization
On September 1st, 2015, amendments to the Law on Personal Data concerning data localization came into force. A number of companies are still under the threat of compulsory termination of all their activities in Russia, since they do not comply with the data localization regulations. According to these amendments, data operators must provide for the recording, systemization, accumulation, storage, correction (updating and changing), and extraction of personal data of Russian citizens on web servers in databases located in Russia.
Some foreign companies have affiliates or representative offices in Russia but process the data of Russian citizens abroad because of certain global internal corporate processes. First, such companies should comply with the Russian data storage laws. However, official recommendations issued by Roskomnadzor establish that the data storage laws also impose obligations on foreign companies without any affiliates or representative offices in Russia, since they collect personal data about Russian citizens while operating in Russia. For non-compliance with the data storage laws, companies may be included in a special register of offending companies; this is a special form of liability detailed below.
The case against LinkedIn (a business-focused social network) is a landmark case for the issue of data localization. Russian authorities blocked LinkedIn a year ago for not complying with the regulations on data localization. The court found the network guilty of violating Russian data storage laws, and the court ruling was later upheld[6]. Apart from this violation, the court identified breaches connected not only with collecting data on users, but also with processing and transferring data without users’ consent.
Today, the fact that Facebook and Twitter are transferring databases to Russia is under much public debate, as Roskomnadzor announced earlier that inspections would be conducted in 2018. Twitter sent an official letter to Roskomnadzor stating that it would transfer databases to Russia by the middle of 2018. Facebook did not make any official statements concerning data localization in the near future.
4. Administrative liability and blocking websites
Starting on July 1st, 2017, administrative fines, which are the most common penalty for data infringements, increased considerably.
Article 13.11 in the Code of Administrative Offenses establishes that the following constitute data breaches:
- Data processing in instances not provided for under the applicable laws (or incompatible with the purposes of processing);
- Data processing without written consent, when such consent is necessary for processing;
- The failure to publish a privacy policy;
- The failure to satisfy a request to update, block, or destroy personal data;
- The failure to meet data security requirements (for data processing with automated means);
- The failure of a state or municipal body, as a data controller, to depersonalize (anonymize) personal data.
If Roskomnadzor investigates such data breaches, it is empowered to impose an administrative fine up to 75 000 rubles for each violation[7].
Roskomnadzor may also initiate the blocking of websites for particular breaches. For example, in the case of non-compliance with the data storage law, Roskomnadzor enters the company, on the basis of a court decision, into a special register of companies that have violated the regulations on data localization. After that, on the basis of the register and at Roskomnadzor’s demand, service providers block the website in Russia.
***
Recommendations on compliance with personal data laws:
- Establish and/or audit the underlying documentation and policies concerning data processing, and obtain the lawful consent of data subjects to process their data. Authorities are paying increased attention to internal documents and policies regulating privacy-related matters;
- Check the legality of all data transfers to third parties and their subsequent activities concerning data processing;
- Be guided by Roskomnadzor’s official recommendations on data processing.
[1] The General Data Protection Regulation (GDPR) No. 2016/679 dated April 27th, 2016. See more about the GDPR at: https://www.vegaslex.ru/analytics/publications/the_eu_regulation_on_personal_data_risks_and_recommendations_for_russian_business/ (in Russian)
[2] The Federal Service for Supervision of Communications, Information Technology and Mass Media (the Russian data protection authority)
[3] Operator – any state agency, municipal authority, legal entity, or individual that independently, or in cooperation with other entities, organizes and/or processes personal data as well as determines the purposes and scope of personal data processing.
[4] See more at: https://lenta.ru/news/2017/09/28/mfisoft/ (in Russian)
[5] The ruling delivered by the Moscow Arbitration Court dated August 15th, 2017 in case No. А40-18827/17-110-180
[6] The ruling delivered by the Moscow City Court dated November 10th, 2016 in case No. 33-38783/16
[7] See more about the liability for violating the Law on Personal Data at: https://www.vegaslex.ru/analytics/publications/responsibility_for_violation_of_requirements_of_the_federal_law_on_personal_data/ (in Russian)