In Summer 2022, Russia significantly amended its Personal Data Law (Federal Law on Personal Data No. 152-FZ dated 27 July 2006). The new rules and restrictions concern, among other things:
This article outlines the key amendments and provides guidance on how businesses can ensure their compliance.
Currently, the Personal Data Law applies within the borders of Russia. According to guidance from the Ministry of Digital Development, Communications and Mass Media, it also applies to international websites that contain content in Russian and meet other criteria which indicate that “the website owner seeks to expand its business over the Russian market”.
As of 1 September 2022, the Personal Data Law applies in cases where foreign legal entities and/or natural persons process Russian nationals' personal data on the basis of either agreements concluded with data subjects or their consent. This rule may be read to mean that non-Russian data controllers will be obliged to comply with all provisions of the Personal Data Law, including the requirement to process data “with the use of databases located in the territory of the Russian Federation” (the so-called “data localisation requirement”). It is unclear how foreign controllers with no presence in Russia are expected to learn about the rules applicable to them, or how the local privacy watchdog (Roscomnadzor) might verify their compliance.
The amendments to article 12 of the Personal Data Law provide that a data controller must notify Roscomnadzor prior to conducting cross-border transfers. The notice must describe, among other things:
Roscomnadzor has the power to prohibit the notified cross-border transfer within 10 business days of receipt of the notice.
If there is an adequacy decision in respect of the destination country, the data exporter may transfer personal data immediately upon notifying Roscomnadzor. There are adequacy decisions in respect of all parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (European Treaty Series No. 108) and several other countries shortlisted by Roscomnadzor (eg, Australia, Canada, Singapore and Japan). The data exporter may transfer personal data to the rest of the world 10 business days after the date of notice, unless Roscomnadzor prohibits such transfer after reviewing the notice.
If the exporter transferred data outside Russia before Roscomnadzor prohibited such transfer, the exporter must ensure that the importer deletes all data received prior to the prohibition. The amendments do not clarify what exactly the exporter and importer should do. From a practical point of view, they should agree on an appropriate data deletion procedure in their data processing or data transfer agreement.
Prior to performing a cross-border transfer, the data exporter must assess how the data importer will ensure the confidentiality and security of personal data. The new article 12(5) of the Personal Data Law states that the data importer must inform the data exporter about the personal data laws of the destination country (if there is no adequacy decision), as well as the importer's data security measures, company name and contact details. The data exporter must disclose such information upon request by Roscomnadzor. Roscomnadzor may use this new rule to collect basic information about business relations between a Russian exporter and a foreign importer of personal data.
The new cross-border rules take effect on 1 March 2023.
Article 6(3) of the Personal Data Law currently requires the following mandatory clauses to be added to data processing agreements:
The amendments supplement the list of mandatory clauses with the following:
As of 1 September 2022, data controllers are required to notify Roscomnadzor if they become aware of a data leak affecting data subjects' rights. The first notice – containing details about the incident, its presumed causes, the potential harm to data subjects, the remediation measures taken and the controller's contact person – must be submitted within 24 hours.
The second notice must contain an internal investigation report and information about persons (if any) whose actions led to the leak. This notice is to be filed within 72 hours of becoming aware of the data leak. This means that the controller must investigate the leak within this timeframe.
Among other things, the amendments require data controllers to:
The amendments do not increase the fines for breaching the Personal Data Law. It is expected that the Ministry of Digital Development, Communications and Mass Media will introduce a bill establishing turnover-based fines for data leaks. The level of the controller's compliance with the Personal Data Law may be considered an extenuating or aggravating circumstance.
Controllers should audit their data processing activities and plan their compliance measures. The highest priority should be given to:
Controllers should review their cross-border transfers and, by 1 March 2023, request from data importers information on their security measures and permission to disclose their contact details to Roscomnadzor. These steps will help to prepare cross-border transfer notices as soon as Roscomnadzor releases the notice form. The authorities are expected to provide further guidance on how to comply with the key legislative changes.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
© Mondaq® Ltd 1994 – 2022. All Rights Reserved.