Important Amendments to Data Protection Laws

07 / 07 / 2022
The State Duma has adopted in its third reading draft Federal Law No. 101234-8 “On Amending the Federal Law ‘On Personal Data’ and Other Legislative Acts of the Russian Federation on the Protection of the Rights of Personal Data Subjects” (“Draft Law”).

The Draft Law introduces a number of important amendments to the data protection laws, and we would like to draw your attention to the most important of such amendments.

Cross-Border Data Transfer

One of the most important changes concerns the procedure for cross-border personal data transfers from the Russian Federation to other jurisdictions. The Draft Law effectively introduces a notification and permission model for such transfers.

Current Regulation

Currently, the cross-border transfer of personal data is not restricted, but it does require certain conditions to be met.

In particular, depending on whether or not the country to which personal data is being transferred affords adequate protection, the data controller generally needs to obtain written consent from the data subject, and the content of such consent is strictly regulated by the Law “On Personal Data” (“Personal Data Law”).

Future Regulation

Once the Draft Law enters into force, the procedure for cross-border data transfers will become much more complicated.

Before starting the transfer, the data controller will be required to submit a notice to that effect to Roskomnadzor. Such notice should include a description of the data transfer process (data categories, jurisdiction, etc). Furthermore, before submitting such notice, the data controller should obtain, from the foreign persons or authorities to whom the cross-border data transfer is intended to be made, information on the legal regulation of personal data in the foreign jurisdiction to which the transfer is being made (if the transfer is being made to a country that does not provide adequate legal protection). The data controller should then store such information and make it available to Roskomnadzor if the latter requests it during the review of the notice. This means that the data controller should, together with such foreign persons or authorities, analyse foreign laws and describe the safeguards for data protection in the notice.

Roskomnadzor will review the notice within 10 days, following which it may decide to suspend or prohibit the cross-border data transfer. The cross-border transfer of personal data may be prohibited or restricted in order to protect the constitutional order of the Russian Federation and the morals, health, rights and lawful interests of citizens, to ensure national defence and state security, to protect the economic and financial interests of the Russian Federation, and to provide diplomatic and international legal safeguards of the rights, freedoms and interests of Russian citizens and the sovereignty, security and territorial integrity of the Russian Federation and its other interests on the international arena. Such wording leaves wide discretion to government authorities in deciding whether or not to prohibit or restrict the transfer of personal data.

It should be noted, however, that if the cross-border transfer is made to a country which provides adequate legal protection, Roskomnadzor’s review of the notice does not prevent such transfer from proceeding in the meantime. If the cross-border transfer is intended to be made to a country which does not offer adequate legal protection, the data controller may not carry out such transfer until Roskomnadzor adopts a decision on the notice submitted.

Practical Implications

For the data controller, the new procedure means the following in practical terms:

  • Before starting to use services abroad and working with a foreign counterparty, information should be requested on the location of data servers and available information on the existence of the personal data protection safeguards. If such servers are located in countries which do not offer adequate data protection (eg, in the United States), a description of the legal regulation in such country should be prepared together with the counterparties. We have analysed and drafted a number of model provisions containing an analysis of the laws of foreign states which can be used in preparing notices. It is also recommended to maintain a register or data map of cross-border transfers of personal data in order to manage timely notification.
  • The contract with counterparties should contain an obligation to give notice of any data map change; relocating servers or switching to using data hosting services in another jurisdiction and changing data streams may mean that the data controller would need to give a new notice.
  • If the data controller transferred data cross-border before the entry into force of this Draft Law, the data controller should give notice of the cross-border data transfer to Roskomnadzor by 1 March 2023.

Extraterritorial Effect of the Law

The Draft Law introduces the concept of the extraterritoriality of the Personal Data Law.

Current Regulation

There are currently no specific rules (similar to those provided under the GDPR) in relation to the extraterritorial application of the Personal Data Law.

Future Regulation

The Draft Law provides that the Personal Data Law applies to processing Russian citizens’ personal data under contracts to which Russian citizens are parties, or other agreements between foreign legal entities, foreign individuals and Russian citizens, or on the basis of the Russian citizen’s consent to the processing of his or her personal data and to actions taken by foreign authorities, legal entities or individuals in relation to personal data of citizens of the Russian Federation, if such agreements or actions affect the data subject’s rights and freedoms.

Unlike the international examples of regulations imposing extraterritoriality (eg the GDPR or the DIFC Data Law; the GDPR, for example, prescribes a multi-stage process to decide whether it is applicable, depending on whether the data controller has an EU establishment, whether there is EU user targeting, etc), the provisions in the Draft Law are extremely abstract and do not contain any specific criteria as to when the Personal Data Law applies to data processing abroad. For example, any personal data processing may, in principle, affect the rights and freedoms of the data subject. Does it mean that any cross-border data transfer or any data gathered abroad will be subject to the Personal Data Law?

A separate issue is the consequences of a breach of the Personal Data Law when data is processed abroad. On the one hand, imposing fines on foreign legal entities which do not have any assets in Russia is of little use. On the other hand, Roskomnadzor has the power to suspend or prohibit the processing of personal data.

Practical Implications

In view of the vague wording of the provisions on the extraterritorial application of the Personal Data Law, we are preparing a request to Roskomnadzor for clarifications regarding the extraterritorial application of the Personal Data Law.

Status of a “person processing on behalf of the data controller” (“data processor”)

The current version of the Draft Law does not include the term “processor” (although the earlier versions suggested introducing this term) and retains the previously used expression “person entrusted by the data controller to process personal data”. At the same time, the Draft Law clarifies the status of such entity.

Current Regulation

The Personal Data Law currently provides that the data controller has the right to commission third parties to process personal data, although there is no definition of the term “person entrusted with the processing of personal data” in the Personal Data Law. As a consequence, considering that there is no term for “processor” (or its equivalent) in Russian laws, Roskomnadzor’s representatives have expressed the position that the person entrusted with the processing of personal data is also a data controller. The lack of a definition of the “processor” also gave rise to the problem of determining the status of the different entities involved in personal data processing.

Future Regulation

The Draft Law provides that the data controller’s instruction to process personal data may be given to third parties under an agreement, pursuant to a government or municipal contract, or pursuant to regulations of state or municipal authorities.

The Draft Law provides that the data controller’s instruction to process personal data, as set out in a relevant contract or other regulation, shall contain a list of the personal data concerned, the purposes of personal data processing, a list of permissible processing operations and the confidentiality obligation of such person. The new provisions also state that the person entrusted with the processing of personal data by the data controller shall be guided by the principles and rules of personal data processing set out in the Personal Data Law and fulfil other statutory duties imposed on such person.

In addition, the new provisions require that the person entrusted with the processing provide, upon the request of the data controller at any time during the period of the instruction (including before processing personal data), documents and other information confirming the measures taken and compliance with the requirements for the fulfilment of the data controller’s instruction.

Furthermore, a foreign individual or legal entity processing personal data on the data controller’s instruction shall be liable for their acts directly to the data subject on an equal basis with the data controller.

Practical Implications

Therefore, documents establishing the relationship between data controllers and processors will require substantial adaptation to the new rules. In addition, this will increase the risks of foreign data processors processing personal data on behalf of Russian data controllers.

Customer Relations

The Draft Law introduces a number of new requirements to be taken into consideration when dealing with customers.

Current Regulation

At present, the collection of customers’ personal data (including the prohibition on collecting excessive data) is governed by the general rules. Strictly speaking, within the spirit of data protection laws, it is already illegal to collect excessive personal data of customers because one of the data processing principles is that of data minimisation. According to this principle, personal data being processed should not be excessive in relation to the stated purposes of processing (Personal Data Law, article 5, part 5), and the consent to such processing should be given on a voluntary basis. It is therefore unlawful to require the provision of any personal data that is not necessary for providing a service (and to refuse to provide such service if no consent is given). In practice, however, the principles of personal data processing are observed rather selectively. In particular, it is usually a condition for providing a service that a significant amount of personal data (telephone, email, etc) be provided.

Future Regulation

The Draft Law expressly states that it is unlawful to refuse to provide services if a customer refuses to provide excessive personal data. It is established that the data controller may not refuse to provide services if the data subject refuses to provide biometric personal data and/or to consent to personal data processing if, under federal laws, the customer’s consent is not required for personal data processing by the data controller.

Practical Implications

The personal data collected from customers should be audited and the relevant documents should be amended if the data collected is excessive. It should be borne in mind, however, that the new rule does not mean that the amount of data to be collected has to be drastically reduced immediately. Such data is needed for loyalty programmes, user behaviour analysis, product improvement, etc. The new rule only requires that a service may not be refused if no consent to provide personal data is given; it is not unlawful to request such data, provided that the other processing principles (such as compatibility of the data collected with the processing purpose, fulfilment of the consent requirements, and provision of the necessary information to the data subject) are respected.

A separate question is why the new requirement only applies to the provision of services and not to the sale of goods or performance of work.

Pre-installation of Russian “App Stores”

The Law on the Protection of Consumers’ Rights is amended to make pre-installation of a “one-stop app store” mandatory.

Current Regulation

Currently, sellers, importers, or manufacturers are only required (Law on the Protection of Consumers’ Rights, article 4, part 4.1) to pre-install Russian apps included on the relevant government list (Resolution of the Government of the Russian Federation dated 31 July 2021 No. 2129-r) on such technically sophisticated goods as smartphones and tablets, desktop and laptop computers, and TV sets which have a digital control unit permitting the management of the app store (ie Smart TV).

Future Regulation

The Draft Law proposes expanding the list of mandatorily pre-installed apps to include not only those on the government list, but virtually any Russian app that is a “one-stop app store.” The term “one-stop app store” refers to the software for searching, browsing and purchasing computer apps used by the users of technically sophisticated goods.

It is provided that such pre-installed “one-stop app store” shall also contain apps included on the list compiled by the Ministry of Digital Technology, Communications and Mass Media of the Russian Federation.

Practical Implications

The obligation to pre-install a “one-stop app store” will be imposed on sellers, importers or manufacturers starting from 1 September 2022.

By now, several app store platforms have been launched (eg NashStore and RuStore) which may be viewed as a “one-stop app store”, but it is not clear from the current regulations which of these platforms will be mandatory for pre-installation. In this respect, it is also important to consider that the relevant regulations on the establishment and operation of the “one-stop app store” adopted by federal government authorities may enter into force immediately upon publication.

Therefore, sellers, importers and manufacturers of relevant technically sophisticated equipment should take preparatory measures to ensure that such obligation to pre-install the app store can be fulfilled within a sufficiently short period of time after the relevant regulations are adopted by the Government or any other federal agency.

Immovable Property Register

Amendments will be made to the Federal Law “On State Registration of Immovable Property” regarding the openness of the Unified State Register of Immovable Property.

Current Regulation

At present, the Unified State Register of Immovable Property remains predominantly open, including information on property owners.

Future Regulation

The Draft Law introduces a general rule whereby information contained in the register which constitutes personal data on the rightsholder and the person in whose favour restrictions on the right or encumbrances on immovable property are registered, is closed, ie is not available to third parties, except where the rightsholder has given his/her consent and the register has a record of such consent.

Practical Implications

The new procedure will create certain difficulties during the course of legal inspections of immovable properties.

Credit Institutions are not required to independently obtain information from the Unified State Register of Immovable Property

Amendments will be made to the Federal Law “On Banks and Banking” in connection with the restricted access regime introduced for information in the Unified State Register of Legal Entities, as described in more detail above.

Current Regulation

Under the current regulations, credit institutions may not, when carrying out a banking transaction, request their client to provide information from the Unified State Register of Immovable Property which may help identify the client as the immovable property owner, and are required to obtain such information from the register independently.

Future Regulation

Credit institutions will no longer be obliged to independently request information from the Unified State Register of Immovable Property identifying the client as the rightsholder of certain immovable property if such information is needed for a banking transaction.

Practical Implications

The new procedure will create certain difficulties for non-cash payments in immovable property transactions where the transaction involves an individual.

Notices of Data Leaks

The Draft Law introduces an obligation to notify Roskomnadzor of personal data leaks.

Current Regulation

At present, the law does not require notice to be given to Roskomnadzor, within a certain period of time, of an information security incident which may lead or has led to a breach of data subjects’ rights.

Future Regulation

The Draft Law provides that, in the event of unlawful or accidental access to, provision, dissemination, or transfer of personal data which results in a breach of data subjects’ rights, the data controller should give two notices to Roskomnadzor.

The first notice is to be sent by the data controller within 24 hours of the discovery of such incident by Roskomnadzor or the person concerned in order to notify Roskomnadzor of the reasons that led to the breach of data subjects’ rights, the harm caused to data subjects’ rights and the measures taken to remedy the consequences. In such notice, the data controller is also required to provide the details of the contact person authorised to interact with Roskomnadzor regarding the incident.

After that, the data controller should, within 72 hours of the discovery of the incident by Roskomnadzor or by the person concerned, send a second notice to Roskomnadzor which should include information on the results of the internal investigation into the incident and provide information on the persons whose actions caused such incident.

Practical Implications

In practice, in order to promptly gather information on an incident and notify Roskomnadzor, it is recommended that an information security incident response plan and a standard form notice to Roskomnadzor be adopted and implemented. In addition, in order to meet the new requirements of the Draft Law, it is recommended that a procedure be developed for identifying the persons responsible for liaising with Roskomnadzor in relation to specific incidents.

The question remains open as to whether it is possible to apply for an extension of the notice period or to submit a revised notice at a later date, as the investigation into the causes of the incident may take a considerable amount of time. Many foreign legal systems allow such procedure. We have prepared a request to Roskomnadzor to clarify the notification procedure and assess the possibility of submitting a revised notice based on the results of an internal investigation.

Interaction with GosSOPKA

With the entry into force of the Draft Law, data controllers will be required to ensure interaction with the State System of Detection, Prevention and Elimination of Consequences of Computer Attacks on Information Resources of the Russian Federation (“GosSOPKA”).

Current Regulation

Under the Federal Law “On the Security of Critical Information Infrastructure” the owners of critical information infrastructure facilities, such as organisations of healthcare, energy, banking (systemically important credit institutions, payment system operators, systemically important financial market infrastructure organisations), fuel and energy complex, nuclear energy, defence, rocket and space, mining, metallurgical and chemical industries, as well as Russian legal entities and/or individual entrepreneurs that ensure interaction of the abovementioned systems or networks, must connect to GosSOPKA.

Future Regulation

The Draft Law establishes that data controllers are required to ensure continuous interaction with GosSOPKA, including the reporting of computer incidents resulting in unauthorised access, submission, distribution, and transfer of personal data, in the manner determined by the Federal Security Service of the Russian Federation.

Practical Implications

Firstly, it is necessary to wait for a by-law of the Federal Security Service of the Russian Federation, as it is likely that it will specify narrower categories of data controllers that are required to connect to GosSOPKA.

Secondly, if a particular data controller is required to ensure interaction with GosSOPKA, it is necessary to decide on the model of such interaction (it may be done through an agreement with the FSS, through an FSS-licensed contractor, or using a hybrid option).

Time Limits for Responding to Requests and Enquiries

The Draft Law shortens many deadlines for responding to data subjects’ enquiries.

Current Regulation

At present, the time limits in many instances are 30 days, and some articles do not impose any time limits. Accordingly, all policies and business processes of data controllers are geared towards meeting these time limits.

Future Regulation

Many deadlines have been reduced to 10 business days; in particular, the data controller should provide the data subject, within 10 business days, with access to their personal data and information on the processing of such data (Personal Data Law, article 14, part 3). At the same time, the Draft Law provides that it is possible to extend all reduced time limits by five business days, provided that a written notice is sent to the data subject or the competent body, setting out the reasons for the extension.

Practical Implications

We recommend amending policies and internal regulations, changing the relevant business processes and developing a standard form notice of the extension of the time limits setting out the reasons for such extension.

Data Controller’s Personal Data Policy and Local Regulations

The Draft Law imposes enhanced requirements for the data controller’s data protection policy, and the relevant internal regulations.

Current Regulation

Currently, data controllers are required to issue a document defining the data controller’s policy with respect to personal data processing, internal regulations on personal data protection, and internal regulations establishing procedures aimed at preventing and detecting breaches of laws of the Russian Federation and remedying the consequences of such breaches.

The current law does not establish requirements for the specific content of such documents. There are only recommendations from Roskomnadzor for the preparation of a document defining the data controller’s policy with respect to the processing of personal data.

Future Regulation

The Draft Law requires that the documents defining the data controller’s policy with respect to personal data processing and the internal regulations on the processing of personal data define, for each purpose of personal data processing, the categories and list of personal data processed, the categories of data subjects whose personal data are processed, the methods and timing of processing and storage, and the procedure for destroying personal data when the purposes of their processing are reached or other legal grounds occur.

It also states that such documents and internal regulations may not contain provisions that limit the rights of data subjects or impose on data controllers any authorities or obligations not provided under the laws of the Russian Federation.

Practical Implications

Data controllers will have to revise their policies and local regulations to bring them into compliance with the new requirements.

Notice of Personal Data Processing

The Draft Law significantly broadens the scope of information to be included in the notice to be given to Roskomnadzor and removes a significant number of exceptions allowing data controllers not to give notices.

Current Regulation

Data controllers are currently required to send a notice to Roskomnadzor when they begin processing personal data. In general, this obligation is not onerous as, in addition to a significant number of exceptions, the amount of information provided is not significant and data controllers usually include general information on the processing and standard wording describing the processing in the notice.

Future Regulation

The Draft Law removes most of the exemptions for giving notice. This, in turn, means that virtually all data controllers will be required to submit the relevant notices. In addition, the list of information to be included in the notice to Roskomnadzor has been significantly expanded. It should also be borne in mind that, under the new rules, notices of cross-border data transfers with the relevant details are required to be submitted separately from notices of this kind.

Furthermore, the data controller should specify, for each purpose of personal data processing, the personal data categories, the categories of data subjects whose personal data is being processed, the legal basis for processing personal data, the list of actions with personal data, and the methods of processing.

It is established that Roskomnadzor should also approve a new form of such notice.

Practical Implications

In the context of the widening of the scope of information that has to be included in the notice under the new requirements, it would be useful for data controllers to maintain a register of personal data processed and/or a data map in order to update the information in the register in a timely manner. For our part, we are preparing a number of standard form documents which may help with this.

We hope that the information contained in this alert is useful and we are ready to answer your questions and help you develop a data protection compliance strategy.