
PrivacyRules Country Overview: Privacy and Data Protection in RUSSIA

Expert presentation

Sergey Medvedev is a Partner in Gorodissky & Partners’ Moscow office, where he works within the technology, media and telecommunications (TMT) group. With more than 10 years of relevant experience, he advises clients on all aspects of Russian law associated with IP and IT, internet and e-commerce, licensing and outsourcing, franchising and distribution, media and advertising, customs and anti-counterfeiting. On the side of data protection and privacy, Mr Medvedev deals with data audits and due diligence, data management and documentation formalities, notification and registration, data security and breach, international data transfers and national data processing, data enforcement and litigation.

Expert name: Sergey Medvedev
Expert title: Partner
Firm: Gorodissky & Partners

Contact details
Office: Gorodissky & Partners, B. Spasskaya, 25, bldg. 3, Moscow 129090, Russia
Email: [email protected]
Phone number: +7 495 937 6116
Website


Headquarters: 3491 Forestoak Court, Cincinnati, Ohio 45208, United States of America
Website: www.privacyrules.com
Email: [email protected]
All rights reserved 2018/2019

Q: Are privacy and data protection recognised by the Constitution / Fundamental Rights Bill?

A: Yes, privacy and data protection are recognised by the national principal law – the Russian Constitution 1993 (as amended) (Articles 22, 23, 24 and 29). Also, Russia is a party to the European Convention for the Protection of Human Rights and Fundamental Freedoms 1950 (ECHR). Furthermore, Russia is a signatory to the Strasbourg Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 1981 (Strasbourg Convention).

Q: Is there primary legislation on privacy, data protection, cybersecurity, cybercrime, cyberterrorism?

A: In addition to the above-cited legislation, privacy and data protection related provisions can be found at:

• Russian Civil Code (Part I) 1994 (as amended) (Articles 152, 152.1 and 152.2);

• Russian Federal Law No. 149-FZ on Information, Information Technologies and Data Protection 2006 (as amended) (Data Protection Act);

• Russian Federal Law No. 152-FZ on Personal Data 2006 (as amended) (Personal Data Act).

Also, privacy and data protection specific provisions are mentioned in various sectoral laws, for example, the:

• Russian Labour Code 2001 (as amended) (Chapter 14);

• Russian Air Code 1997 (as amended) (Article 85.1);

• Russian Federal Law No. 323 on the Fundamentals of Protection of the Health of Citizens in the Russian Federation 2011 (as amended).

As to the concepts of cybersecurity, cybercrime and cyberterrorism, the related provisions can be found at:

• Russian Criminal Code 1996 (as amended);

• Russian Federal Law No. 35-FZ on Counter-Terrorism 2006 (as amended);


• Russian Federal Law No. 187-FZ on Security of Critical Information Infrastructure of the Russian Federation 2017.

Q: What are the fields of law closely related to privacy and data protection that are regulated in the Russian jurisdiction? (e.g. e-commerce, telecommunications, media, intellectual property, etc.).

A: Internet and e-commerce, telecommunications and media, information technology and intellectual property would be the main fields of law (sectors) regulated in the Russian jurisdiction and that are closely related to privacy and data protection. Employment and labour, private detective and security, pharmaceuticals and healthcare sectors are associated with privacy and data protection as well.

Q: What are the key definitions in the field of data protection (e.g. Personal Data, Sensitive Data, Data Processing, Data Controller, Data Subject, Pseudonymised Data, Anonymised Data, Processing or any other definition)?

A: The following key definitions and concepts in the field of data protection may be found at the Personal Data Act:

• ‘Personal Data’

Any information relating directly or indirectly to an identified or identifiable individual (the personal data subject)

• ‘Sensitive Personal Data’

Any information that relates to nationality, racial or ethnic origin, political opinions, religious or philosophical beliefs and the state of health or sex life.

• ‘Personal Data Processing’

Any action (operation) or a set of actions (operations) which is performed on personal data, whether or not by automated means, such as collection, recording, systematization, accumulation, storage, alteration (updating, modification), retrieval, use, transfer (dissemination, provision, accessing), anonymization, blocking, erasure or destruction.

• ‘Personal Data Operator’


Russian data protection legislation does not contain the concept of ‘data controller’. However, the Personal Data Act refers to the concept of ‘personal data operator’, which may be a state or municipal body, legal or physical person, that organizes and/or carries out (alone or jointly with the other persons) the processing of personal data and which also determines the purposes of personal data processing, content of personal data and actions (operations) related to personal data.

• ‘Person Acting Under The Instructions of Personal Data Operator’

Russian data protection legislation does not contain the concept of ‘data processor’. However, the Personal Data Act refers to a person that may be acting (processing personal data), subject to data subject’s consent, under the authorization of the personal data operator on the basis of the corresponding agreement (including, state contract) or by operation of the special state or municipal act.

• ‘Personal Data Anonymization’

Actions, as a result of which it is impossible to define the belonging of personal data to a particular personal data subject, without the use of additional information.

• ‘Information System of Personal Data’

A set of personal data contained in databases, together with the information technologies and technical means that ensure personal data processing.

Q: In particular, is there a distinction between identifiable, pseudonymised and anonymised data and if so, how are they regulated?

A: The data that cannot be attributed to a specific data subject without the use of additional information (i.e. ‘pseudonymised data’) requires special treatment and protection in the EU. Russian data protection legislation does not contain the concept of ‘pseudonymised data’ and such data is regarded as anonymized information (Article 3(9) of the Personal Data Act). Anonymization process works as an alternative to personal data destruction (Article 5(7) of the Personal Data Act). If certain information could be attributed to a physical person without the use of any additional details, such information constitutes ‘personal data’ (i.e. any information relating directly or indirectly to an identified or identifiable individual).


Q: Is there a national Data Protection Authority?

A: Yes, there is a national Data Protection Authority in Russia – Federal Service for Supervision of Communications, Information Technology and Mass Media (‘Roskomnadzor’). Roskomnadzor is the national regulator that controls the associated activities in the TMT-sector, including privacy and data protection, and is subordinated to the Russian Ministry of Communications. Roskomnadzor conducts random as well as scheduled checks, including online ones, for data protection compliance. Roskomnadzor may also initiate administrative proceedings and bring cases to local courts for violation of privacy legislation.

Q: Which national judicial authorities are competent on privacy and data protection related matters?

A: The following state judicial authorities are generally competent to consider privacy and data protection related matters in Russia:

• courts of general jurisdiction;

• commercial courts (also known as ‘arbitrazh’ courts);

• Supreme Court.

Q: Is there a one-stop-shop mechanism in place?

A: Roskomnadzor will be the only ‘lead supervisory authority’ for protection and enforcement of privacy related rights in Russia.

Q: What are the main enforcement measures?

A: In Russia, the main enforcement measures for non-compliance with data protection laws and breach of privacy related legislation are the following:

• civil liability (for example, moral damages);


• administrative liability (for example, administrative fines);

• criminal liability (for example, imprisonment);

• disciplinary liability (for data breaches committed by employees).

Q: What are the actual main sanctions?

A: At present, the main sanctions for data privacy breaches are administrative sanctions, which have recently been categorized into the following types of violations, subject to the following administrative fines:

(i) Personal data processing in cases not provided for by applicable laws, and personal data processing incompatible with the processing purposes (a warning can be issued instead of a fine):

• individuals: RUR1,000 to RUR3,000;

• individual entrepreneurs: RUR5,000 to RUR10,000;

• company officers and government officials: RUR5,000 to RUR10,000;

• companies: RUR30,000 to RUR50,000.

(ii) Personal data processing carried out without the data subject's written consent in cases where such consent is necessary, or with a written consent that does not meet mandatory requirements:

• individuals: RUR3,000 to RUR5,000;

• individual entrepreneurs: RUR10,000 to RUR20,000;

• company officers and government officials: RUR10,000 to RUR20,000;

• companies: RUR15,000 to RUR75,000.

(iii) Failure to publish or provide access to a privacy policy or information on requirements for personal data protection (a warning can be issued instead of a fine):

• individuals: RUR700 to RUR1,500;

• individual entrepreneurs: RUR5,000 to RUR10,000;

• company officers and government officials: RUR3,000 to RUR6,000;

• companies: RUR15,000 to RUR30,000.

(iv) Failure to provide an individual with information on his/her personal data processing (a warning can be issued instead of a fine):

• individuals: RUR1,000 to RUR2,000;

• individual entrepreneurs: RUR10,000 to RUR15,000;

• company officers and government officials: RUR4,000 to RUR6,000;

• companies: RUR20,000 to RUR40,000.


(v) Failure to satisfy (within the prescribed term) a request for personal data clarification, blocking or destruction (in cases where personal data is incomplete, outdated, imprecise, illegitimately received, or unnecessary for the announced purpose of data processing) (a warning can be issued instead of a fine):

• individuals: RUR1,000 to RUR2,000;

• individual entrepreneurs: RUR10,000 to RUR20,000;

• company officers and government officials: RUR4,000 to RUR10,000;

• companies: RUR25,000 to RUR45,000.

(vi) Failure to comply with security requirements while storing tangible media containing personal data, and unauthorised access that results in illegitimate or accidental access to personal data or its destruction, modification, blocking, copying, submission or dissemination:

• individuals: RUR700 to RUR2,000;

• individual entrepreneurs: RUR10,000 to RUR20,000;

• company officers and government officials: RUR4,000 to RUR10,000;

• companies: RUR25,000 to RUR50,000.

(vii) Failure of a state or municipal authority to meet the obligation to anonymise personal data or to comply with the anonymization methods or requirements (a warning can be issued instead of a fine):

• RUR3,000 to RUR6,000.

In case of illegal personal data processing on a website, access to this website may be blocked in Russia under the effective court decision.

Q: Is there a supra-national applicable legal framework? If the answer is positive, is it binding and to what extent?

A: There is no supra-national legislation applicable to Russia for privacy and data protection area. The relevant national legislation and international treaties are cited above.

Q: Does any foreign authority have jurisdiction on privacy and data protection matters for citizens of Russia? If the answer is positive, do they have executive or advisory authority?


A: In Russia, the national authorities (e.g. Roskomnadzor) have exclusive jurisdiction on privacy and data protection matters for any personal data subjects, including the citizens of Russia.

Q: Are there e-discovery or disclosure duties pursuant to a request from a foreign Law Enforcement Agency?

A: Russian law, including the Data Protection Act and Personal Data Act, does not contain any provisions related to foreign e-discovery or disclosure proceedings. Therefore, Russian companies or individuals are not obliged to respond to the foreign law enforcement agencies, unless there are effective imperative provisions set forth by the corresponding international treaties on mutual legal support (assistance), or similar international agreements, to which Russia is a party. According to Article 4 (4) of the Personal Data Act, if the international treaty sets out the rules different from those stipulated by the national data protection legislation, the rules of the international treaty shall be applied respectively.

Q: Are privacy-by-design and privacy-by-default mandatory?

A: According to Article 19 (1) of the Personal Data Act the personal data operator must take the necessary legal, organisational and technical measures for the protection of personal data against any unauthorised/illegal or accidental access, destruction, modification, blocking, copying, provision, or distribution, as well as against any other unauthorised actions with regard to personal data. Such (necessary) measures are further clarified in the Personal Data Act as well as other local regulations. However, the concepts of ‘privacy by design’ and ‘privacy by default’ are not specifically regulated by the Russian legislation.

Q: Are data protection officers (DPOs) foreseen by law and if so, to what extent?

A: Yes, the concept of ‘data protection officer’ (also known as ‘person responsible for organization of personal data processing’) is foreseen by the Russian law.

Pursuant to Article 22.1 (1) of the Personal Data Act, the personal data operator must appoint a data protection officer (DPO). The DPO must receive specific instructions from the personal data operator’s CEO and has to report directly to the CEO.


Generally, the appointed DPO shall be obliged:

• to perform internal control over the compliance by the personal data operator (and its employees) of the personal data protection legislation, including the requirements on personal data protection;

• to notify the employees of the personal data operator about the relevant provisions of the personal data protection legislation, local rules or acts on the issues of personal data processing, requirements on personal data protection;

• to organize the receipt and processing of letters and requests of the personal data subjects (or their representatives) and perform necessary control over such receipt and processing.

The appointed DPO must be notified to Roskomnadzor (Article 22 (3.7.1) of the Personal Data Act).

Q: Are data protection impact assessments (DPIAs) mandatory and if so, to what extent?

A: DPIAs as such are not specifically regulated by the Russian law. However, personal data operators shall assess potential damages that may be caused to personal data subjects in the event of data privacy breaches. Such assessments are used to determine the exact types of actual threats to IT-systems containing personal data. The identification of the exact types of actual threats may have an impact on the specific personal data protection measures that shall be taken by the personal data operators.

Q: Is there any obligation to register databases and if so, to what extent?

A: No, there is no obligation to register databases containing personal data in Russia. However, the personal data operator must notify Roskomnadzor about the location of the database containing personal data of Russian citizens (Article 22 (3.10.1) of the Personal Data Act).

Q: Are definitions like controller, processor, regulator clearly defined and identifiable within the Russia regulatory framework?


A: No, definitions such as ‘controller’ and ‘processor’ are not present in the Russian law. However, there are equivalents to the same. Please see the above.

Q: Are there obligations to adopt reasonable technical, physical and organizational measures to protect the security of sensitive personal information and if so, to what extent?

A: Yes, there are obligations to adopt certain measures to protect the security of all categories of personal data, including any sensitive information.

More specifically, according to Article 19 (1) of the Personal Data Act, the personal data operator must take the necessary legal, organisational and technical measures for the protection of personal data against any unauthorised/illegal or accidental access, destruction, modification, blocking, copying, provision, or distribution, as well as against any other unauthorised actions with regard to personal data.

The security of personal data can be achieved inter alia by:

• identifying security threats in the course of processing of personal data in the relevant IT-systems;

• providing the appropriate level of protection of processing of personal data in the relevant IT-systems;

• applying different certified methods of protection of personal data (including encryption);

• evaluating the efficiency of security measures (prior to the implementation of any security measures);

• recording any computer media that contains personal data;

• revealing unauthorised access to personal data;

• retrieving personal data that has been modified or destroyed due to the unauthorised access;

• adopting rules governing the access to personal data being processed in the relevant IT-systems, and the registration and recording of all actions related to personal data in the relevant IT-systems; and

• controlling the security measures with regard to personal data and the level of protection of the relevant IT-systems.


Q: Are there security breach notification requirements and if so, to what extent?

A: In general, there is no legal requirement to report personal data breaches to personal data subjects, or to Roskomnadzor.

In the event of locating or detecting unauthorised processing of personal data, the personal data operator (or the relevant authorised person) must terminate the processing of personal data within three (3) business days.

If it is not possible to bring the unauthorised processing of personal data into compliance with the law, the personal data operator must destroy the personal data within ten (10) business days.

Following the termination of processing of personal data, or destruction of personal data, the personal data operator must notify the personal data subject (or its representative).

If the request for the termination or destruction has been made by Roskomnadzor, the notification must be sent to Roskomnadzor.

Q: Can authorities access large amounts of data and/or specific data without a court or prosecutor’s order?

A: In Russia, Federal Security Service (FSS) may access large amounts of data, or certain specific data, for public security purposes.

Q: Are there specific kinds of data covered by stronger provisions on legal protection (e.g. children data, etc.)?

A: Yes, there are some special categories of personal data that enjoy stronger protection in Russia. The processing of such ‘sensitive’ types of information as racial origin, nationality, political opinions, religious or philosophical beliefs, state of a person's health or sex life is allowed only in cases and under conditions set forth by the law. Biometric personal data (i.e. data that characterizes the physiological or biological features of a person and can help to identify that person) can only be processed on the basis of the written consent of the personal data subject, except for cases specifically prescribed by the law. Employee-related data has specific regulation as well.

Q: Is there a specific regulation for the collection of data?

A: Yes, there is a specific regulation for the collection of personal data in Russia. More specifically, when collecting personal data, the personal data operator must provide the personal data subject (at his/her request) with certain required information, including but not limited to, the legal grounds and purposes of personal data processing, methods and duration of personal data processing, as well as the information on cross-border data transfer. If the provision of personal data is mandatory under the law, the personal data operator is required to explain to the personal data subject the legal consequences of refusing to provide personal data. In case where personal data is collected through the Internet, the personal data operator is obliged to ensure that the recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data related to citizens of the Russian Federation is made with the use of databases located in the territory of the Russian Federation (Article 18(5) of the Personal Data Act).

Q: Is it possible to use personal data for electronic marketing purposes and if so, to what extent?

A: Yes, it is possible to use personal data for electronic marketing purposes in Russia. However, according to Article 15 of the Personal Data Act, the processing of personal data for the purposes of promotion of products or services on the market through direct contacts with potential customers via any means of communication is permitted only upon the receipt of the prior consent of the personal data subject. The mentioned processing of personal data is deemed to be made without the prior consent of the personal data subject if the personal data operator is not able to prove that such consent has been received.

Q: Is transfer of data outside the Russia jurisdiction regulated?

A: Yes, the transfer of personal data outside of the Russian jurisdiction is regulated under Article 12 of the Personal Data Act.


In the event of a cross-border data transfer the personal data operator must ensure (before the transfer is made) that the rights and interests of the respective data subject are fully protected in an ‘adequate manner’ in the corresponding foreign country.

Cross-border data transfer to countries that do not provide a level of ‘adequate protection’ is only permitted if:

• the written consent of the respective personal data subject has been received;

• it is allowed under an international treaty that Russia is a party to;

• it is allowed under applicable laws, if necessary for the purposes of:

  • protecting the Russian constitutional system;

  • protecting the national state defence and state security;

  • securing the maintenance of the Russian transportation system, and protecting the interests of individuals, society and the state in the transportation sector from illegal intrusion;

• it is made for the performance of a contract to which the personal data subject is a party;

• it is required to protect the personal data subject's life, health or other vital interests and it is impossible to obtain his/her prior consent in writing.

Q: Can individuals access their data and request their correction or deletion?

A: Yes, in Russia, individuals do have the right to access their personal data and request correction or deletion of the same in case where it is:

• incomplete.

• out-of-date.

• inaccurate.

• unlawfully obtained.

• not necessary for the declared purposes of processing.

Individuals can also protect and enforce their rights in a way set out by the law.


Q: How can individuals exercise their privacy rights?

A: In general, individuals have the following privacy rights, which they can exercise in the following way, in Russia:

Access to personal data

An individual has the right to access to his/her personal data being processed by the personal data operator. The individual (or his/her representative) may send a request to the personal data operator by submitting a passport (or similar document) and describing the respective relationship between him/her and the personal data operator. Such a request may be sent out as an electronic document and contain an e-signature. Upon receipt of such request the personal data operator must confirm the fact of personal data processing and provide to personal data subject all the necessary information, including:

1. its name and location (address);

2. the purposes and methods of processing of personal data;

3. the recipients of personal data;

4. the persons who have access to personal data;

5. the term of processing and retention of personal data; and

6. all other information required by the law.

If the required information has not been provided in full by the personal data operator, the personal data subject retains the right to request access to his/her personal data again. However, in certain cases the data subject’s right to access may be limited, as set out by the law.

Correction and deletion

The personal data subject may request the personal data operator to correct or adjust his/her personal data in case it is incomplete or inaccurate. Also, the personal data subject may request the personal data operator to block the personal data, unless prohibited by the law. Further, the personal data subject may request the personal data operator to delete his/her personal data if such data is incomplete, out-of-date, inaccurate, illegitimately obtained or unnecessary for the declared purposes of processing.

Objection to processing

The personal data subject may raise an objection to the processing of his/her personal data by the personal data operator. Except where the processing of personal data cannot be terminated or its termination would result in a violation of the law (e.g. labour law), the personal data operator must discontinue the processing of personal data. Otherwise, the personal data subject will be able to protect and enforce his/her rights by all possible legal means.

Objection to marketing

Processing of personal data for the purposes of marketing (i.e. by way of direct communications with a respective customer) is allowed only with the prior consent of the personal data subject. The burden of proving that the personal data subject’s consent has been obtained rests with the personal data operator. If so requested by the personal data subject, the personal data operator must immediately discontinue the processing of his/her personal data.

Complaint against actions or omissions of the operator

If the personal data subject believes that the personal data operator is processing his/her personal data in violation of the personal data protection legislation, or is otherwise infringing upon his or her rights and freedoms, the personal data subject has the right to file a complaint with Roskomnadzor, or to bring a civil action before the competent court. The personal data subject may seek various legal remedies in court, including compensation for moral damages.

Q: Are there associations entitled to advocate privacy and data protection rights?

A: No, there are no notable associations entitled to advocate privacy and data protection rights in Russia. Personal data subjects will normally advocate and protect their data privacy rights through the agency of Roskomnadzor, or other law enforcement agencies (e.g. Prosecutor’s Office).

Q: Is access to data regulated according to specific and detailed legal acts stating legal requirements to exercise the right to access, e.g. timeframe, identity and categories of legitimate applicant, templates for various forms of request, obligations of the requested entity etc.?

A: The right of access to personal data is specifically regulated by Article 14 of the Personal Data Act. Please see above.


Miscellaneous: Any other information particularly important in the Russia jurisdiction [ if necessary, please explain why this additional information is provided and which is its relevance ].

A: Recently there have been a lot of discussions around the concept of ‘big data’ in Russia. Although this particular notion is not regulated by the Data Protection Act or Personal Data Act for the moment, the big data market has already been created and many companies are actively providing various analytics services in this specific area.

Importantly, the Russian Parliament is currently reading Draft Bill No. 424632-7 devoted to certain digital economy aspects (Draft Bill), which was submitted for consideration earlier and in which the question of legalizing the collection and processing of big data is expressly raised, among other issues. More specifically, the Draft Bill proposes to introduce a special type of services agreement (‘data services agreement’) and to change the definition of a database currently fixed in the law, in order to legitimize business related to big data analytics. If the Draft Bill eventually becomes law, many concerns about the concept of ‘big data’ and the need for its legal regulation will be resolved, which will help to promote the Russian digital and data market as a whole in this jurisdiction.