On 6 July 2022 the State Duma adopted a new law (the “Law”) tightening data protection rules, in particular those contained in the Personal Data Law. If approved by the upper chamber of the parliament and signed by the President, the Law is expected to become effective on 1 September 2022 (with certain rules becoming effective later, on 1 March 2023).
Detailed highlights of the most important changes:
· The Personal Data Law applies to foreign entities and individuals
The Law makes it clear (this was a matter of court and academic dispute in the past) that the Personal Data Law applies to the processing of Russian citizens’ personal data by foreign legal entities or individuals where the processing is based on an agreement with the Russian citizen(s), on other agreements between foreign legal entities or individuals and citizens of the Russian Federation, or on the individual consent of a Russian citizen.
· New mandatory provisions for data transfer agreements and an obligation for foreign processors to comply with the data localization rule
Data transfer agreements must now contain the following provisions (several of these are new; the original marks them in italics):
- the obligation of the data recipient/processor to maintain the confidentiality of any personal data received and to comply with the other rules and principles established by the Personal Data Law;
- a list of personal data to be transferred;
- a list of actions the data recipient is allowed to perform with the transferred data;
- the purposes of the processing;
- the obligation of the data recipient/processor to comply with the data localization rule (i.e. to ensure that the data received from the operator are recorded in a database located in Russia);
- the obligation of the data recipient/processor – during the term of the data transfer agreement or prior to entering into the agreement – to provide documents and other information to the operator confirming compliance (and relevant measures taken) with the Personal Data Law, including information necessary for the operator to ensure lawful cross-border transfer;
- requirements for the protection of personal data by the data recipient/processor, including mandatory use of software and hardware security measures.
· If personal data are transferred to a foreign legal entity or individual, that foreign processor is directly liable for any data breach it commits (in the past the processor was liable only to the operator, not directly)
· Operators may not refuse to provide services to individuals who decline to provide biometric personal data or to grant consent, unless such consent is mandatory under the law
· Operators will have to notify any cross-border transfers of personal data before such transfers and in certain circumstances obtain a permission of the regulator for the transfer
Any cross-border transfer of personal data must be notified to the regulator before the transfer takes place (the specific procedure is yet to be clarified by the bylaws). There will be a separate new form for such notifications, which may be submitted either on paper or electronically.
The notification must contain the following information:
- Name and address of the operator, date of the registration with the regulator (aka notification on the intention to process personal data);
- Name and contact details of the company’s data privacy officer;
- Legal basis and purpose of cross-border transfer and further data processing;
- Categories and the list of transferred personal data;
- Categories of data subjects;
- List of foreign countries which are the destinations of data transfer;
- Date of the operator’s assessment of the data recipient’s compliance with the confidentiality and data security requirements.
Prior to the notification the operator is obliged to obtain from the data recipient the following information:
- Information on the data protection measures taken by the data recipient and conditions for termination of data processing;
- Information on the data protection legislation of the relevant state (where the data recipient is located in a state that is not on the regulator’s list of states ensuring adequate protection of personal data);
- Information on the data recipient (name, contact details).
The regulator may verify the accuracy of the information contained in the notification and send requests to the operator.
IMPORTANT! The regulator is entitled to prohibit a cross-border transfer of personal data. Such a decision can be taken for the purpose of protecting the constitutional order, morality, health, or the rights and legitimate interests of citizens; ensuring state security and defense; protecting the economic and financial interests of the Russian Federation; ensuring, by diplomatic and international law means, the protection of the rights, freedoms and interests of Russian citizens; or protecting the sovereignty, security, territorial integrity and other interests of the Russian Federation. The decision to prohibit a cross-border transfer must be taken within 10 business days of receipt of the notification.
When the transfer may proceed: the operator may perform a cross-border transfer once it has sent the notification to the regulator, provided that the transfer is made to a state (or states) on the list of states ensuring adequate protection of personal data. If the country of destination is not on the list, the operator must wait for the regulator’s decision. In any case, if the regulator prohibits the transfer (even to a state ensuring adequate protection), the operator must ensure that the data already obtained by the data recipient are deleted.
· Data access requests must now be fulfilled by data operators within 10 business days. The term may be extended by an additional 5 days, subject to a reasoned notification to the data subject.
· Requests from the regulator must be fulfilled within 10 business days
· Data breach notification procedure introduced
The lawmakers have finally introduced the long-expected data breach notification rules. Operators are now obliged to notify the regulator of any unlawful or accidental transfer (provision, distribution, or access) of personal data that results in a violation of data subjects’ rights. Such incidents may be detected by data subjects, by the regulator, or by the data operator itself. In the past, data operators were not obliged to notify breaches they detected internally.
The incident notification must be made within 24 hours and include information on (i) the likely causes of the incident, (ii) the anticipated harm caused by the incident to data subjects, (iii) the measures taken to eliminate the consequences of the incident, and (iv) the contact details of the person authorized to liaise with the regulator regarding the incident.
Within 72 hours of the incident, the operator must notify the regulator of the outcome of its internal investigation and provide information on the persons (if any) whose actions caused the incident.
Data operators will have to coordinate with the authorities (the relevant bylaws explaining the procedure are yet to be enacted) through the state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation (GosSOPKA). It is therefore expected that breach notifications will have to be sent through the GosSOPKA system.
· Any changes to the information provided to the regulator at registration must be reported no later than the 15th day of the month following the month in which the changes occurred
· It will be prohibited to provide personal data from the Public Register of Rights to Real Estate to third persons without a consent of the relevant data subject (owner of real estate)
As noted above, the provisions of the Law are yet to become effective. Furthermore, certain provisions will require clarification through bylaws to be enacted by the authorities. The relevant practice is yet to be established, and we expect the regulator to provide guidance on the amendments. We will keep monitoring this topic and will let you know of any developments.