Data protection (privacy) laws in Russia


Data protection (privacy) laws in Russia are a rapidly developing branch of Russian legislation, most of which was enacted in 2005 and 2006. [1] The Russian Federal Law on Personal Data (No. 152-FZ), implemented on July 27, 2006, constitutes the backbone of Russian privacy law and requires data operators to take "all the necessary organizational and technical measures required for protecting personal data against unlawful or accidental access". [2] An amendment was signed on December 20, 2020 and came into effect on March 1, 2021. The amendment requires that the processing of "personal data made publicly available" receive the consent of the data subject. [3] Russia's Federal Service for Supervision of Communications, Information Technology and Mass Media is the government agency tasked with overseeing compliance. [4]


Applicable laws

Definitions

Basic rules contained in the applicable legislative acts

Consent of the individual is required for the processing of his personal data. This rule does not apply where such processing is necessary for the performance of a contract to which the individual is a party.

One should bear in mind that a personal data subject is entitled at any time to revoke previously granted consent. Revocation obliges the operator to stop processing such personal data and destroy it within three business days of the revocation (unless another period has been agreed between the operator and the individual), and to notify the personal data subject that his personal data has been destroyed.

More specifically, processing of personal data for the purpose of direct marketing may be performed subject to the prior consent of the personal data subject. Lack of such consent is presumed unless the operator proves the contrary. Processing of personal data for this purpose must cease immediately at the demand of the personal data subject.

At the time of obtaining personal data, the operator is obliged, at the request of the individual, to communicate to the latter information relating to the operator and to the prospective processing.

If personal data is not obtained directly from the personal data subject, the operator must, prior to processing it, provide the individual with the following information:

Generally, it is prohibited to process sensitive personal data of an individual in any way, save where express written consent, containing all the conditions provided for by law, has been obtained from the individual prior to processing.

Generally, to transfer personal data outside the Russian Federation, the operator must make sure, prior to such transfer, that the rights of personal data subjects will enjoy adequate and sufficient protection in the country of destination.

Until 1 September 2015, the position of the Federal Service on Telecommunications, the governmental body responsible for personal data protection, was that adequate and sufficient protection exists only in those foreign states which have signed and ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Nevertheless, there are three major exceptions which permit the transfer of personal data to countries where a lower standard, or no standard, of personal data protection applies, namely:

On 1 September 2015, a new Article 18(5) came into effect, more strictly limiting the export of data. [7]

The Russian legislation imposes strict limitations on the use of electronic means of communication for direct marketing. Namely, express consent must be obtained from the individual before marketing communications are sent to him by email or SMS. Lack of such prior consent is presumed unless the sender proves the contrary. The law provides for the immediate cessation of marketing communications at the individual's demand. It should also be noted that in Russia it is expressly prohibited to send emails or SMS messages using autodial.

To send marketing communications by post, the operator must obtain specific permission from the Federal Service on Telecommunications. Unfortunately, the procedure for obtaining such permission has not yet been established.

Where personal data is processed, it should be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.

Personal data being processed is subject to a confidentiality regime. This implies the employment by the operator of sufficient technical and organisational means designed to prevent unauthorised access by any third party to the processed personal information. Procedures (including the issuance of internal regulations or decrees) must be in place to regulate access to such confidential information.

Personal data should be accurate and, where necessary, kept up to date. The operator is obliged to make personal information accessible for examination by personal data subjects at their request. If such subjects find that the information is outdated or inadequate, the operator is obliged to stop processing it until the required corrections have been made.

Personal data should not be kept for longer than is necessary for the purposes for which it is processed; it must be destroyed once those purposes have been fulfilled or when their fulfilment is no longer required.

Personal data must be processed in accordance with the rights of personal data subjects under applicable data protection legislation. An operator will be in breach of this principle if, amongst other things, he:

Procedures must be in place to ensure that computer systems are configured appropriately to allow accurate recording of the giving of consent in all the relevant cases described herein. Procedures must also be in place to ensure that any notices or requests are responded to and dealt with promptly.

Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Operators should consider appropriate measures to ensure data integrity (for electronic processing), including installing antivirus software and firewalls, encrypting data transfers, using privacy-enhancing technologies and making regular backups that are securely stored. For manual processing, consideration should be given to appropriate security measures, such as storing paper records in lockable, fire-proof cabinets.

The relevant provisions require effective protection of personal data. Mandatory regulations on the protection of such data are currently being developed by the Federal Security Service (hereinafter, the “FSS”) and are to be issued within two months. For the moment, according to information received from an FSS specialist during a telephone consultation, the FSS has a preliminary draft of the regulations, which may be modified before the final version is issued within two months. The draft in its current version provides for the protection of all personal data transferred outside Russia by means of encryption. It is worth mentioning that, for the time being, it is practically possible to use only Russian encryption software and equipment for that purpose.

Individual rights

The legislation gives certain rights to personal data subjects in respect of personal data held about them. These include:

Personal data categories

The legislation describes certain personal data categories: [8]

Notification

Operators to whom Russian legislation applies are required to send a notification to the territorial body of the Russian Federal Service on Supervision over Mass Communications, Telecommunications and Preservation of the Cultural Heritage (hereinafter, the “Federal Service on Telecommunications”) for each region of Russia in which they possess personal information processing facilities. For Moscow this is the Moscow Department of the above-mentioned federal service. Such notification is necessary for the inclusion of the operator in a specific Register and must be made by operators who were processing personal information prior to the enactment of the Federal Law “On Personal Data” dated 27.07.2006 and continue to process it after its enactment; for them the deadline is January 1, 2008. Operators who were not engaged in processing personal information using their own or third-party equipment located in Russia prior to the enactment of the law must send the notification before they actually start processing personal data. It is important that the notification contain the information provided for by the applicable legislation.

Jurisdiction

Scope of application of Russian data protection legislation: Russian laws apply when the operator uses his own or third-party data processing equipment located in Russia, as well as in cases where the data has already been transferred outside Russia but the personal data subject's rights were violated prior to or during such transfer. If the data is duly transferred outside Russia, it will subsequently be regulated by the laws of the country of destination, and Russian law will not apply to it.

In most cases, the Federal Service on Telecommunications only has jurisdiction in relation to data held or processed in Russia. Nevertheless, the Russian data protection legislation will apply to data already transferred outside Russia if the rights of the individuals whose personal data was collected and processed using equipment located in Russia were violated prior to or during such transfer (e.g., an operator transferred personal data, without the prior written consent of the data subject, to a country where personal data does not enjoy adequate protection). In that case the Federal Service on Telecommunications may file lawsuits against operators to protect the rights of personal data subjects and impose the respective fines for violation of the data protection legislation.


References

  1. Arievich, Pavel (1 June 2012). "Data protection in Russian Federation: Overview". Practical Law Company.
  2. "English Translation of the Russian Federal Law on Personal Data Protection". International Association of Privacy Professionals.
  3. "New regulations for processing publicly available personal data". International Law Office. 2021-01-29. Retrieved 2021-04-09.
  4. Sotto, Lisa J. (August 2008). "Russia Launches a Data Protection Website" (PDF). Hunton & Williams.
  5. See the Federal Law "On Ratification of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" of 19.12.2005 No. 160-FZ.
  6. Federal Law of the Russian Federation "On Personal Data" of 27.07.2006 No. 152-FZ, Article 3.
  7. Karpukhin, Alexander E.; Sivkova, Daria A. (November 2017). "How to comply with the Russian requirements on localisation of personal data". Financier Worldwide.
  8. Bessonov, Evgeny (2017). "Personal data categories with IT infrastructure example in compliance with Federal Law No.152". Cloud4Y.