Russia: Privacy and Data Protection-related Laws

Fundamental provisions of data protection law in Russia can be found in

  • the Russian Constitution 1993 (Articles 23 and 24).

  • the Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention) (ratified by Russia in 2006).

The principles and requirements in the domain of data privacy and data protection are contained in

  • the Federal Law No. 149 FZ dated 27 July 2006 On Information, Informational Technologies and the Protection of Information (hereinafter - the “Information Protection Act”),

  • the Federal Law No. 152-FZ dated 27 July 2006 on Personal Data (hereinafter the “Personal Data Act”).

Most rules are found in specific legislation, particularly and various regulatory acts adopted to implement the Data Protection Laws, as well as other laws, including the establishing basic rules as to the information in general and its protection.

The Code on Administrative Offences of the Russian Federation (hereinafter, the “Administrative Code”) establishes liability for violation of the rules and requirements for data processing and protection. There are also the decrees of the President of the Russian Federation, the decisions of the Government of The Russian Federation and the orders of the Federal Service for the Supervision of Communications, Information Technology and Mass Media (hereinafter “Roscomnadzor”), and the Federal Security Service, which establish administrative regulations and requirements regarding data protection in Russia.

All data processing legal entities must notify and register at Roscomnadzor.

On 22 July 2014 notable amendments to the Personal Data Act were adopted and came into force on 1 September 2015. The amendments require all personal data operators to store and process any personal data of Russian individuals within databases located in Russia (subject to few exceptions). The penalty for violation of this requirement is ultimately the blocking of websites involving unlawful handling of Russian personal data. A Register of Infringers of Rights of Personal Data Subjects shall be established by the Roscomnadzor and from there and the Roscomnadzor may move to block websites.

As the amendments are newly passed and a track record of enforcement and legal interpretation has not been established, it is still unclear as to how this register and the website blocking would work in practice. According to clarifications of Russian regulators, storing and processing of personal data of Russian individuals outside of Russia can still be compliant with the law as long as primary (often interpreted as initial) storage and processing of data is done in Russia. It is still an open question whether keeping “mirror” databases in Russia and elsewhere would be deemed as compliant.

Article 12 of the Personal Data Protection Act regulates cross-border data flows. In the event of an international transfer of personal data, all data operators must ensure (before the transfer is made) that the rights and interests of the respective data subject are fully protected in an adequate manner in the corresponding foreign country. All countries that are signatories to the Strasbourg Convention are considered to be jurisdictions that provide “adequate protection” of the rights and interests of data subjects. International data transfer to any jurisdiction with the adequate protection level is not subject to any restriction, provided that the consent of the respective data subject has been received.

Typically, companies that are acting as data operators will check for the adequate protection level of data protection before transferring any personal data abroad. In addition, companies will obtain written consent from the respective data subjects or execute international data transfer agreements with the respective data subjects. Following these steps, companies will proceed with cross-border data transfers in accordance with their internal corporate rules or policies (as applicable).

If the data controller is a legal entity, it is required to appoint a data protection officer. Such an appointment is considered to be a personal data protection measure. The data protection officer oversees compliance by the data controller and its employees regarding the data protection issues, informs them of statutory requirements and organises the receiving and processing of communications from data subjects.

There are no legal restrictions as to whether the data protection officer should be a citizen or resident of the Russian Federation, however, it is advisable that the data protection officer is available in case there is an inspection or other communication from the authorities.


Previous Section Next Section

Have a comment, edit, or item to add? Share your thoughts by commenting below!

comments powered by Disqus