Russia introduces law on anonymised datasets

Main changes in brief

On 8 August 2024, the President of the Russian Federation signed a law that creates a mechanism for the formation of anonymised datasets from 1 September 2025.

What will be created?

A state information system (“SIS”) is being created where anonymised personal data will be collected to form datasets and where anonymised personal data will be processed.

Objectives of the law

To ensure the exchange of anonymised data between business and the state; to train artificial intelligence models; to reduce the volume of processed personal data, to increase its security.

Who will be obliged to provide data?

Any personal data operators will be obliged to provide anonymised personal data at the request of the Ministry of Digital Development, Communications and Mass Media of the Russian Federation (“Ministry”).

Who will have access to the SIS?

State and municipal bodies will gain access to the SIS for processing anonymised personal data immediately; businesses (complying with the established requirements) will gain access to datasets only one year after the relevant data has been submitted to the SIS.

In more detail

On 8 August 2024, the President of the Russian Federation signed Federal Law No. 233-FZ “On Amending the Federal Law On Personal Data and the Federal Law On Conducting an Experiment to Establish Special Regulation to Create the Necessary Conditions for the Development and Implementation of Artificial Intelligence Technologies in the Constituent Entity of the Russian Federation — the City of Federal Significance Moscow — and Amending Articles 6 and 10 of the Federal Law On Personal Data” (“Law”). It is expected that the implementation of the Law will contribute to reducing the turnover of processed personal data and improving its security.

Creation of a new information system

The Law provides for the creation of the SIS and defines the specifics of collecting and processing data in it.

• The Ministry will send a request to operators to provide anonymised personal data. The list of requested personal data shall be specified in such request
• The operator, after receiving the request of the Ministry, shall anonymise the requested personal data in accordance with the anonymisation procedure provided for by the Government. The Government shall develop the relevant rules in co-ordination with the Federal Security Service of Russia (known as “FSB”)
• The operator is obliged to send anonymised personal data to the SIS. The procedure for interaction between businesses and the Ministry and between businesses and the SIS will be additionally established by the Government.

Requirements for anonymised personal data

• The Ministry will form personal datasets from anonymised data, provided that the subsequent processing of such data does not make it possible to determine whether such data belongs to a specific person.
• It is not allowed to form datasets from special categories of sensitive data (health status, race and nationality, etc.).

Requirements for SIS users

Certain categories of domestic users will be able to use the SIS, such as state and municipal bodies and organisations subordinated to them, as well as citizens of the Russian Federation and Russian legal entities that meet the following requirements:

• they are included in the register of personal data operators;
• there is no record of unreliable information on the legal entity in the Unified State Register of Legal Entities and such legal entity is under the control of, inter alia, the Russian Federation (constituent entities, municipalities) and/or citizens of the Russian Federation who do not have foreign citizenship (for legal entities);
• there is no citizenship of a foreign state;
• there is no unexpunged criminal record or outstanding conviction, and the person has not been criminally prosecuted under certain articles of the Criminal Code of the Russian Federation (for so-called “computer crimes”).

Data processing in the SIS

• State, municipal bodies and subordinate organisations will have access to data in the SIS immediately
• Businesses will be able to access data in the SIS only after one year from the date of providing anonymised personal data and if they meet the abovementioned requirements
• Processing anonymised personal data is only allowed in the SIS itself; the recording, extraction or transfer of datasets from the SIS is not permitted
• Datasets may not be used if such use may harm the life or health of citizens, or violate other rights and legitimate interests, or values protected by law.

Separate legal regime for Moscow

According to the Law, Moscow will be able to use the regional information system when forming regional datasets within the framework of the already existing experiment related to the introduction of artificial intelligence technologies (regulated by the provisions of the Federal Law “On Conducting an Experiment to Establish Special Regulation in order to Create the Necessary Conditions for the Development and Introduction of Artificial Intelligence Technologies in the Constituent Entity of the Russian Federation — the City of Federal Significance Moscow — and Amendments to Articles 6 and 10 of the Federal Law On Personal Data”).

The Ministry will be able to request data for the SIS from the regional system as well. Since the regional information system may also contain biometric data, the Ministry will only be able to request data after anonymisation.