Russia's Federal Law No. 152-FZ was passed by the State Duma in 2006, making it one of the few data privacy regulations that were already in effect before the General Data Protection Regulation (GDPR).
Since 2006, the law has undergone 25 amendments. These amendments introduced new concepts and definitions in response to changing technologies and data privacy concerns, including amendments on the use of pseudonymized data, the legal bases for data processing, the use of publicly available data, the data localization requirement, and the enforcement powers of the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor). More recently, certain amendments to consent requirements and publicly disseminated data came into effect in March 2021.
The latest amendment, Federal Law No. 266-FZ of 14 July 2022 on Amending the Federal Law on Personal Data (Amendment Law 266-FZ), was published on 20 July 2022 after being passed by the State Duma on 6 July 2022. It is expected to enter into force on 1 September 2022. This article discusses the changes this amendment brings to the existing Russian Federal Law on Personal Data so that organizations can proactively prepare for compliance before 1 September 2022.
Amendment Law 266-FZ brings significant changes to the Federal Law on Personal Data 152-FZ and the overall data privacy landscape within Russia. Here are the key areas that will be most affected as a result of the latest amendments:
Territorial Scope
The Federal Law on Personal Data applies to any legal entity, including any foreign entity with a legal presence in Russia that collects personal data in Russia. It also applies to entities that are not established in the Russian Federation if they purposefully direct their activities towards the Russian Federation and benefit from those activities.
As per the latest amendments, the Federal Law on Personal Data will now also apply to the processing of Russian citizens' personal data by foreign organizations and individuals where that processing is carried out on the basis of either of the following:
- An agreement with the Russian citizen;
- Explicit consent of the Russian citizen to the processing of their personal data.
Data Subject Rights Requests
This is one of the areas where the amendments make a significant change. Previously, organizations had up to 30 days to respond to a data subject rights request; that period has been reduced to 10 working days.
Legal Basis of Data Processing
Performance of a contract is one of the legal bases for the processing of personal data. It means that data can be processed if the processing is necessary for the performance of a contract to which the data subject is a party, beneficiary, or guarantor.
As per the new amendments, additional requirements have been added to ensure the contracts are fair to the data subjects.
These requirements primarily ensure that contracts with data subjects do not contain provisions that:
- Restrict the rights and freedoms of the data subject;
- Allow the processing of a minor's personal data except as provided under the law;
- Treat the data subject's inaction as a condition for concluding the agreement.
Data Sharing With Third Parties/Processors
As per the existing law, organizations could entrust other organizations to process personal data on their behalf with the data subject's consent. All that was required was a legally binding agreement between the data operator and the processor, and strict adherence by the processor to the processing instructions provided by the operator.
However, as per the new amendment, the data operator is required to provide instructions to the data processor, particularly on the following:
- The list of personal data
- A list of actions (operations) involved in their processing
- The obligation to maintain the confidentiality of personal data
Third-party organizations or data processors that are processing data on the operator’s behalf will now be subject to additional requirements. These include the following obligations:
- The obligation to ensure confidentiality and security of personal data during their processing as per the provisions of the Federal Law
- The obligation to provide the operator, at its request, with documents and information confirming compliance with the operator's instructions
- The obligation to stop data processing if unlawful processing of data is detected
Breach Notifications
The existing Federal Law on Personal Data does not contain any breach notification requirements; the recent amendments introduce them.
Following the latest amendment, organizations are required to engage with the "state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation" regarding security incidents, and to inform it of computer security incidents that result in the unlawful provision or distribution of, or access to, personal data.
More importantly, Amendment Law 266-FZ requires organizations to inform Roskomnadzor in the case of an illegal or accidental transfer (provision, distribution, access) of personal data that entails a violation of the rights of the data subject:
- Within 24 hours, details of the incident, the alleged causes of the breach, the alleged harm caused to the rights of data subjects, and the mitigation measures taken;
- Within 72 hours, the results of the organization's internal investigation into the breach and the personnel whose actions led to the breach.
Consent & Consent Withdrawal Request
The new amendments update the definition of consent. Previously, the data subject's consent was required to be specific, informed, and conscious; now it must also be substantive and unambiguous.
In consent-based data processing, the data subject has the right to withdraw consent at any time. When a data subject withdraws consent, the data operator must cease processing the personal data, or arrange for it to be ceased if the processing is carried out by another person on the operator's behalf, and, if storage is no longer required for the purposes of processing, destroy the data or ensure its destruction within a period not exceeding thirty days from the date of receipt of the withdrawal request.
As per the Amendment Law, data operators are now required to stop the data processing within a period not exceeding ten working days, instead of thirty days, when a consent withdrawal request is received. This period may be extended by a further five working days provided the data operator gives the data subject a reasoned notice stating the reasons for the delay.
Consent for Biometric Personal Data
As per the Federal Law on Personal Data, biometric data is any information that characterizes the physiological and biological characteristics of a person based on which it is possible to identify the data subject. Biometric personal data can only be processed with the data subject's written consent.
Although the existing law already emphasizes that consent must be conscious, the amendments further clarify that the data subject must be able to access a particular service without being required to provide his/her biometric personal data, i.e., the data operator must not refuse to provide a service to the data subject on the grounds that the data subject declines to provide his/her biometric personal data.
Cross Border Data Transfers
Cross-border data transfers are permitted to countries that are:
- Parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108 or Strasbourg Convention);
- Approved by Roskomnadzor as providing adequate protection of data subject rights.
However, transfers to countries that do not fulfill the conditions mentioned above could be made in the following cases:
- Data subject has consented to their data being transferred;
- Data transfer is allowed per the international treaties signed by the Russian Federation;
- Data transfer is deemed necessary to protect the constitutional order and national security of the Russian Federation;
- Data transfer is allowed per the agreement signed by the data subject;
- Data transfer is necessary to protect the life, health, or other vital interests of the data subject or other persons.
These transfer mechanisms remain available. However, the new amendments introduce the following pre-transfer requirements. Organizations are now required to:
- Conduct an assessment of the recipient country's data security infrastructure.
- Notify Roskomnadzor of the intended data transfer before it takes place. The notification must include the legal basis and purpose of the transfer, the categories and list of personal data to be transferred and of the data subjects concerned, the list of foreign states to which transfer is planned, and the date of the data operator's assessment regarding the authorities of those foreign states.
- The notification obligation also applies to transfers to countries approved by the regulatory authority as providing adequate data protection and to countries that are parties to Convention 108.
- A transfer to a non-adequate country is considered permitted if no restriction from the regulatory authority is received within 10 working days. If the regulatory authority imposes a restriction, the operator must cease the transfer and ensure that all transferred data is deleted.
- Before notifying Roskomnadzor, data operators are also required to obtain the following information from the authorities of the foreign state, foreign individuals, and foreign legal entities:
  - Information about the measures that the foreign authorities to which the data transfer is planned take to protect the transferred personal data, and the conditions for terminating its processing
  - Information on the foreign legal regulation under which foreign authorities can access personal data
  - Information about the foreign authorities to which access to the data is planned to be given
Cross-border data transfer may be prohibited or limited in order to protect the foundations of the constitutional order of the Russian Federation; the morality, health, rights, and legitimate interests of citizens; the country's defense and state security; the economic and financial interests of the Russian Federation; the diplomatic and international legal means of protecting the rights, freedoms, and interests of citizens of the Russian Federation; and the sovereignty, security, and territorial integrity of the Russian Federation.
How Can Securiti Help
The aforementioned changes brought by the new amendment present a challenge for organizations processing data within Russia, as well as for organizations that purposefully direct their activities towards the Russian Federation and benefit from them, since those are also subject to the law.
Manual attempts to comply with such changes can be extremely laborious and inefficient. Automation is the way to ensure organizations remain compliant with all of their data obligations in real time while taking such changes into account.
Securiti is a market leader in providing enterprise solutions related to data compliance and governance. Owing to its state-of-the-art artificial intelligence and machine learning algorithms, it can ensure comprehensive data compliance for organizations of any scale.
Its plethora of privacy-centric products, such as data classification, DSR automation, notice management, cookie consent management, and breach management, among others, allow organizations to honor their data obligations effectively.
Request a demo today to learn more about how Securiti can help you achieve compliance in the face of Russia's new amendments to its data privacy law.