Data protection (privacy) laws in Russia

Last updated April 25, 2022

Data protection (privacy) laws in Russia are a rapidly developing branch in Russian legislation that have mostly been enacted in the 2005 and 2006.^[1] The Russian Federal Law on Personal Data (No. 152-FZ), implemented on July 27, 2006, constitutes the backbone of Russian privacy laws and requires data operators to take "all the necessary organizational and technical measures required for protecting personal data against unlawful or accidental access".^[2] Amendment was signed on December 20, 2020 and came into effect on March 1, 2021. The amendment requires "personal data made publicly available" needs to receive consent from the data subject.^[3] Russia's Federal Service for Supervision of Communications, Information Technology and Mass Media is the government agency tasked with overseeing compliance.^[4]

Applicable laws

Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, signed and ratified by the Russian Federation on December 19, 2005;^[5]
the Law of the Russian Federation “On Personal Data” as of 27.07.2006 No. 152-FZ, regulating the processing of personal data by means of automation equipment. It is the operator who is required to comply with that Act;
the “Regulations on securing personal data being processed in personal data systems” enacted by the Russian Government Regulation as of 17.11.2007 No. 781. The Regulations contain mandatory security regulations to be complied with when processing and storing personal data;
the Federal law “On Advertisement” as of 13.03.2006 No. 38-FZ. This regulates marketing communications sent inter alia by electronic means including e-mail, SMS etc.;
the Russian Code on Administrative Infractions dated 30.12.2001 No.195-FZ. This regulates issues of responsibility for commission of administrative offences in connection with processing of personal data or distribution of marketing communications.

Definitions

personal data is any information related to identified or identifiable on the basis of such information individual (personal data subject), including last name, given name, patronymic, date, month, year and place of birth, address, family, social, property status, education, profession, income, other information;^[6]
sensitive personal data means personal data relating to:
- Race or ethnic origin
- Political opinions
- Religious beliefs
- Health condition
- Sexual life
processing is anything that can be done to or with personal data, including obtaining, organizing, accumulating, holding, adjusting (updating, modifying), using, disclosing (including transfer), impersonating, blocking or destroying such data;
operator is an entity which organizes and/or performs data processing, as well as determines the purposes and manner of data processing. In most cases both mother company and an entity which manages the relevant facility or service offered will be operators;
personal data system is a data system which includes personal data recorded in the data base as well as information technologies and technical equipment which make possible processing of such data.

Basic rules contained in the applicable legislative acts

Consent of the individual is required for processing of his personal data. This rule doesn't apply where such processing is necessary for performance of the contract, to which an individual is a party.

One shall bear in mind that a personal data subject is entitled at any time to revoke his previously granted consent, which obliges the operator to stop processing of such personal data and destroy it within three business days (unless other period of time was agreed on by the operator and an individual) after the date of such revocation, and notify the personal data subject of the fact that his personal data has been destroyed.

More specifically, processing of personal data for the purpose of direct marketing may be performed subject to prior consent of personal data subjects. Lack of such consent is presumed unless the operator proves the contrary. Processing of personal data for the purposes indicated above must be immediately ceased at the demand of personal data subject.

At the time of obtaining of personal data the operator is obliged, subject to request of an individual, to communicate to the latter information relating to the operator and the process of prospective processing.

If personal data is obtained not directly from a personal data subject, the operator prior to processing such information must provide the individual with the following information:

name and address of the operator or his representative;
purpose and legal grounds of personal data processing;
expected users of personal data; and
the rights of the individual in accordance with federal law “On Personal Data” dated 27.07.2006 No. 152-FZ.

Generally, it is prohibited to process in any way sensitive personal data of the individual, save for the cases where express written consent, containing all conditions provided for by the law, has been obtained from the individual prior to processing.

Generally, to transfer personal data outside the Russian Federation, the operator will have to make sure, prior to such transfer, that the rights of personal data subjects will enjoy adequate and sufficient protection in the country of destination.

Until 1 September 2015 the position of Federal Service on Telecommunications the governmental body responsible for personal data protection was that adequate and sufficient protection exists only in those foreign states which signed and ratified Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Nevertheless, there are three major exceptions which permit transfer of personal data to the countries where lower or no standard of personal data protection applies, namely:

When transfer is necessary for performance of a contract to which an individual is a party
When a personal data subject gave his prior written consent, containing all conditions provided for by the law, to such transfer
When transfer is necessary for performance by the Russian Federation of its obligations under international agreement on readmission

On 1 September 2015 a new "Article 18 (5)" came into effect more strictly limiting the export of data. ^[7]

The Russian legislation imposes strict limitations on using of the electronic means of communication for direct marketing. Namely, express consent should be obtained from the individual before marketing communications are sent to him by email or SMS. Lack of such prior consent is presumed unless the sender proves the contrary. The law provides for immediate cessation of sending marketing communications at the individual’s short notice. It should be also noted that in Russia it is expressly prohibited to send emails or SMS messages using autodial.

To send marketing communications by post, operator must obtain specific permission from the Federal Service on Telecommunications. Unfortunately the procedure of obtaining of such permission hasn’t been established yet.

Where personal data is processed it should be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Personal data being processed shall enjoy confidential regime. It implies employment by the operator of sufficient technical and organisational means designed to prevent unauthorised access of any third parties to processed personal information. Procedures (including issuance of internal regulations or decrees) must be in place to regulate the process of access to such confidential information.

Personal data should be accurate and kept up to date where necessary. The operator is obliged to ensure accessibility of personal information for examination by personal data subjects at their request. In case such subjects find that this information is outdated or inadequate, the operator will be obliged to stop processing of such information until the required modifications are introduced.

Personal data should not be kept for longer than is necessary for the purposes for which they are processed, which requires its destruction after such purposes have been fulfilled or in case their fulfillment is not required any more.

Personal data must be processed in accordance with the rights of personal data subjects under applicable data protection legislation. An operator will be in breach of this principle if, amongst other things, he:

contravenes the rights of access provisions set out in the legislation;
fails to comply with a request to cease processing within the time limit specified by the law or agreed on by the parties.

Procedures must be in place to ensure that computer systems are configured appropriately to allow accurate recording of the giving of consents in all relevant cases, described herein. Procedures must also be in place to ensure that any notices or requests are responded to and dealt with promptly.

Appropriate technical and organization measures must be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Operators should consider appropriate measures to ensure data integrity (for electronic processing), including the installation of virus protection software and firewalls, adopting encryption for data transfers, using privacy enhancing technologies and making regular backups that are securely stored. For manual processing, consideration should be given to appropriate security measures, such as storage of paper records in lockable, fire-proof cabinets.

The relevant provisions require effective protection of personal data. Mandatory regulations on protection of such data are currently being developed by Federal Security Service (hereinafter, the “FSS”) to be issued within two months. For the moment, according to information received from FSS specialist during telephone consultation, FSS has a preliminary draft of the said regulations which may be modified as the final version of said regulations is to be issued within two months. The draft in its current version provides for protection of all personal data being transferred outside Russia in form of encryption. It is worth mentioning, that for the time being, it is practically possible to use only Russian encryption software and equipment for that purpose.

Individual rights

The legislation gives certain rights to personal data subjects in respect of personal data held about them. These include:

a right of access to information relating to operator and to the processed personal data;
a right to demand cessation of processing, blocking or modifying of the personal data which have been illegally obtained, are inadequate or outdated; and
a right to demand immediate cessation of processing for the purposes of direct marketing.

Personal data categories

The legislation describes certain personal data categories:^[8]

Public - personal data obtained only from publicly available personal data sources created in accordance with art. 8 of The Russian Federal Law on Personal Data (No. 152-FZ)
Biometric - information that characterizes the physiological and biological characteristics of a person on the basis of which it's possible to establish his personality and which are used by the personal data operator to identify the subject of the personal data.
Special - personal data relating to race, ethnic origin, political opinions, religious beliefs, health condition, sexual life of personal data subjects.
Other - personal data that doesn't belong to any of the above categories (public, biometric, special).

Notification

Operators to whom Russian legislation applies are required to send notification to the territorial body of Russian Federal Service on Supervision over Mass Communications, Telecommunications and Preservation of the Cultural Heritage (hereinafter, the “Federal Service on Telecommunications”) for each region of Russia where he possesses personal information processing facilities. For Moscow it will be Moscow Department of the above mentioned federal service. Such notification is necessary for inclusion of the operator into specific Register and shall be made by the operators who have been processing personal information prior to enactment of the Federal law “On Personal Data” dated 27.07.2006 and continue to process it after its enactment prior to January 1, 2008. Those operators who haven’t been engaged in processing of personal information using their own or third party’s equipment located in Russia prior to enactment of the said law must send the notification before they actually start processing personal data. It is important that the said notification contain information provided for by the applicable legislation.

Jurisdiction

Scope of application of Russian Data Protection legislation: Russian laws apply when the operator uses his own or third-party data processing equipment located in Russia. As well as in cases where the data has been already transferred outside Russia, but there has been a violation of personal data subject’s rights prior to or during such transfer. If the data is transferred outside Russia duly, it will be subsequently regulated by the laws of country of destination and implications of Russian law will not apply thereto.

In most cases, the Federal Service on Telecommunications only has jurisdiction in relation to data held or processed in Russia. Nevertheless, the legal implications of the Russian legislation on data protection will apply in respect of the data already transferred outside Russia in case the rights of individuals, whose personal data has been collected and processed using equipment located in Russia, have been violated prior to or during such transfer (e.g., an operator transferred personal data to a country where personal data don’t enjoy adequate protection without prior written consent of a data subject). In that case the Federal Service on Telecommunications may file lawsuits against operators to protect the rights of the personal data subjects and impose respective fines for violation of the data protection legislation.

Related Research Articles

The Children's Online Privacy Protection Act of 1998 (COPPA) is a United States federal law, located at 15 U.S.C. §§ 6501–6506.

The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, is a European Union directive which regulates the processing of personal data within the European Union (EU) and the free movement of such data. The Data Protection Directive is an important component of EU privacy and human rights law.

The right to privacy is an element of various legal traditions that intends to restrain governmental and private actions that threaten the privacy of individuals. Over 150 national constitutions mention the right to privacy.

Medical privacy or health privacy is the practice of maintaining the security and confidentiality of patient records. It involves both the conversational discretion of health care providers and the security of medical records. The terms can also refer to the physical privacy of patients from other patients and providers while in a medical facility, and to modesty in medical settings. Modern concerns include the degree of disclosure to insurance companies, employers, and other third parties. The advent of electronic medical records (EMR) and patient care management systems (PCMS) have raised new concerns about privacy, balanced with efforts to reduce duplication of services and medical errors.

The Data Protection Act 1998 was a Act of Parliament of the United Kingdom designed to protect personal data stored on computers or in an organised paper filing system. It enacted provisions from the European Union (EU) Data Protection Directive 1995 on the protection, processing, and movement of data.

A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

Privacy law is the body of law that deals with the regulating, storing, and using of personally identifiable information, personal healthcare information, and financial information of individuals, which can be collected by governments, public or private organisations, or other individuals. It also applies in the commercial sector to things like trade secrets and the liability that directors, officers, and employees have when handing sensitive information.

Information sensitivity is the control of access to information or knowledge that might result in loss of an advantage or level of security if disclosed to others.

Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications, otherwise known as ePrivacy Directive (ePD), is an EU directive on data protection and privacy in the digital age. It presents a continuation of earlier efforts, most directly the Data Protection Directive. It deals with the regulation of a number of important issues such as confidentiality of information, treatment of traffic data, spam and cookies. This Directive has been amended by Directive 2009/136, which introduces several changes, especially in what concerns cookies, that are now subject to prior consent.

Workplace privacy is related with various ways of accessing, controlling, and monitoring employees' information in a working environment. Employees typically must relinquish some of their privacy while in the workplace, but how much they must do can be a contentious issue. The debate rages on as to whether it is moral, ethical and legal for employers to monitor the actions of their employees. Employers believe that monitoring is necessary both to discourage illicit activity and to limit liability. With this problem of monitoring employees, many are experiencing a negative effect on emotional and physical stress including fatigue, lowered employee morale and lack of motivation within the workplace. Employers might choose to monitor employee activities using surveillance cameras, or may wish to record employees activities while using company-owned computers or telephones. Courts are finding that disputes between workplace privacy and freedom are being complicated with the advancement of technology as traditional rules that govern areas of privacy law are debatable and becoming less important.

The German Bundesdatenschutzgesetz (BDSG) is a federal data protection act, that together with the data protection acts of the German federated states and other area-specific regulations, governs the exposure of personal data, which are manually processed or stored in IT systems.

Do Not Track legislation protects users’ right to choose whether or not they want to be tracked by third-party websites. It is often called the online version of "Do Not Call". The legislation is supported by privacy advocates and opposed by advertisers and services that use tracking information to personalize web content. In 2019, Senator Josh Hawley introduced legislation called the Do Not Track Act, which is currently pending.

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and of human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR's primary aim is to enhance individuals' control and rights over their personal data and to simplify the regulatory environment for international business. Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements related to the processing of personal data of individuals who are located in the EEA, and applies to any enterprise—regardless of its location and the data subjects' citizenship or residence—that is processing the personal information of individuals inside the EEA.

The Data Protection Act, 2012 is legislation enacted by the Parliament of the Republic of Ghana to protect the privacy and personal data of individuals. It regulates the process personal information is acquired, kept, used or disclosed by data controllers and data processors by requiring compliance with certain data protection principles. Non compliance with provisions of the Act may attract either civil liability, or criminal sanctions, or both, depending on the nature of the infraction. The Act also establishes a Data Protection Commission, which is mandated to ensure compliance with its provisions, as well as maintain the Data Protection Register.

The Organic Law 15/1999 of December 13 on Protection of Personal Data was Spanish organic law that guaranteed and protected the processing of personal data, public liberties, and fundamental human rights, and especially of personal and family honor and privacy. It was approved by the General Court on December 13, 1999. This law was developed based on Article 18 of the Spanish Constitution of 1978, the familiar and personal right to privacy, and the secrecy of communications.

The ePrivacy Regulation (ePR) is a proposal for the regulation of various privacy-related topics, mostly in relation to electronic communications within the European Union. Its full name is "Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC ." It would repeal the Privacy and Electronic Communications Directive 2002 and would be lex specialis to the General Data Protection Regulation. It would particularise and complement the latter in respect of privacy-related topics. Key fields of the proposed regulation are the confidentiality of communications, privacy controls through electronic consent and browsers, and cookies.

The Personal Information Protection Law of the People's Republic of China referred to as the Personal Information Protection Law or ("PIPL") protecting personal information rights and interests, standardize personal information handling activities, and promote the rational use of personal information. It also addresses the transfer of personal data outside of China.

References

↑ Arievich, Pavel (1 June 2012). "Data protection in Russian Federation: Overview". Practical Law Company.
↑ "English Translation of the Russian Federal Law on Personal Data Protection". International Association of Privacy Professionals.{{cite web}}: CS1 maint: url-status (link)
↑ "New regulations for processing publicly available personal data". International Law Office. 2021-01-29. Retrieved 2021-04-09.
↑ Sotto, Lisa J. (August 2008). "Russia Launches a Data Protection Website" (PDF). Hunton & Williams.
↑ See. the Federal law "On Ratification of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" as of 19.12.2005 N 160-FZ
↑ Law of the Russian Federation “On Personal Data” as of 27.07.2006 No. 152-FZ, Article 3
↑ Karpukhin, Alexander E.; Sivkova, Daria A. (November 2017). "How to comply with the Russian requirements on localisation of personal data". Financier Worldwide.
↑ Bessonov, Evgeny (2017). "Personal data categories with IT infrastructure example in compliance with Federal Law No.152". Cloud4Y.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[pavel-1] Arievich, Pavel (1 June 2012). "Data protection in Russian Federation: Overview". Practical Law Company.

[2] "English Translation of the Russian Federal Law on Personal Data Protection". International Association of Privacy Professionals.{{cite web}}: CS1 maint: url-status (link)

[3] "New regulations for processing publicly available personal data". International Law Office. 2021-01-29. Retrieved 2021-04-09.

[4] Sotto, Lisa J. (August 2008). "Russia Launches a Data Protection Website" (PDF). Hunton & Williams.

[5] See. the Federal law "On Ratification of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" as of 19.12.2005 N 160-FZ

[6] Law of the Russian Federation “On Personal Data” as of 27.07.2006 No. 152-FZ, Article 3

[7] Karpukhin, Alexander E.; Sivkova, Daria A. (November 2017). "How to comply with the Russian requirements on localisation of personal data". Financier Worldwide.

[8] Bessonov, Evgeny (2017). "Personal data categories with IT infrastructure example in compliance with Federal Law No.152". Cloud4Y.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]