Published on August 25, 2022 AUTHOR - Privacy Research Team
Russia's Federal Law No. 152-FZ was passed by its State Duma in 2006, making it one of the few data privacy regulations that were in effect before the General Data Protection Regulation (GDPR).
Since 2006, the law has undergone 25 amendments. These amendments were meant to introduce new concepts and definitions in light of the changing technologies and data privacy concerns, such as amendments related to the use of pseudonymized data, the legal basis for data processing, the use of publicly available data, the data localization requirement and changes to the enforcement powers of the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor). More recently, certain amendments to consent requirements and publicly disseminated data came into effect in March 2021.
The latest amendment, Federal Law of 14 July 2022 No. 266-FZ on Amending the Federal Law on Personal Data (Amendment Law 266-FZ), was published on 20 July 2022 after being passed by the State Duma on 6 July 2022. It is expected to enter into force on 1 September 2022. This article discusses the changes this amendment brings to the existing Russian Federal Law on Personal Data so that organizations can prepare for compliance before 1 September 2022.
Amendment Law 266-FZ brings significant changes to the Federal Law on Personal Data 152-FZ and the overall data privacy landscape within Russia. Here are the key areas that will be most affected as a result of the latest amendments:
The Federal Law on Personal Data applies to any legal entity, including any foreign entity with a legal presence in Russia that collects personal data in Russia. It also applies to entities that are not established in the Russian Federation if they purposefully direct their activities towards the Russian Federation and benefit from those activities.
As per the latest amendments, the Federal Law on Personal Data will now begin applying to the processing of all personal data of Russian citizens by foreign organizations and individuals that is carried out based on either of the following:
This is one of the areas where the amendments make a significant change. Previously, organizations had up to 30 days to respond to data subject rights requests; that period has been reduced to 10 working days.
Performance of a contract is one of the legal bases for the processing of personal data. It means that data can be processed if the processing is necessary for the performance of a contract to which the data subject is a party, beneficiary or guarantor.
As per the new amendments, additional requirements have been added to ensure the contracts are fair to the data subjects.
These requirements primarily ensure that any contracts with data subjects should not contain any provisions that:
As per the existing law, organizations could entrust other organizations to process personal data on their behalf with the data subject's consent. All that was required was a legally binding agreement between the data operator and the processor and strict adherence to the processing instructions provided by the data controlling organization.
However, as per the new amendment, the data operator is required to provide instructions to the data processor, particularly on the following:
Third-party organizations or data processors that are processing data on the operator’s behalf will now be subject to additional requirements. These include the following obligations:
The existing Federal Law on Personal Data does not contain any breach notification requirements. The recent amendments introduce them.
Following the latest amendment, organizations are required to engage with the “state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation” regarding security incidents and inform it of computer security incidents that result in an unlawful provision, distribution or access of personal data.
More importantly, Amendment Law 266-FZ requires organizations to inform the Roskomnadzor in the case of illegal or accidental transfer (provision, distribution, access) of personal data that entails a violation of the rights of the data subject:
The new amendments update the definition of consent. Previously, the data subject’s consent was required to be specific, informed, and conscious; it must now also be substantive and unambiguous.
In consent-based data processing, the data subject has the right to withdraw consent at any time. On receiving a consent withdrawal request, the data operator must cease processing the personal data, or arrange for processing to be terminated if it is carried out by another person acting on the operator’s behalf. If storage is no longer required for the purposes of processing, the operator must destroy the data, or ensure its destruction, within a period not exceeding thirty days from the date of receipt of the revocation request.
As per the Amendment Law, data operators are now required to stop processing within a period not exceeding ten working days, instead of thirty days, following a consent withdrawal request. This period may be extended by a further five working days, provided the data operator gives the data subject a reasoned notice stating the reasons for the delay.
As per the Federal Law on Personal Data, biometric data is any information that characterizes the physiological and biological characteristics of a person based on which it is possible to identify the data subject. Biometric personal data can only be processed with the data subject's written consent.
Although the existing law already emphasizes that consent must be conscious, the amendments further clarify that a data subject must be able to access a service without being required to provide his/her biometric personal data, i.e., the data operator must not refuse to provide a service on the basis that the data subject declines to provide his/her biometric personal data.
Cross-border data transfers are permitted to countries that are:
However, transfers to countries that do not fulfill the conditions mentioned above could be made in the following cases:
These data transfer mechanisms remain available. However, the new amendments introduce the following pre-transfer requirements. Organizations are now required to:
Cross-border data transfer may be prohibited or limited in order to protect the foundations of the constitutional order of the Russian Federation; morality, health, and the rights and legitimate interests of citizens; the country’s defense and state security; the economic and financial interests of the Russian Federation; diplomatic and international legal means of protecting the rights, freedoms, and interests of citizens of the Russian Federation; and the sovereignty, security, and territorial integrity of the Russian Federation.
The changes brought by the new amendment present a challenge both for organizations processing data within Russia and for organizations that purposefully direct their activities towards the Russian Federation and benefit from those activities, since the latter are also subject to the law.
Manual attempts to comply with such changes can be laborious and inefficient. Automation is the way to ensure organizations can keep up with all of their data obligations in real time as such changes take effect.
Securiti is a market leader in providing enterprise solutions related to data compliance and governance. Owing to its state-of-the-art artificial intelligence and machine learning algorithms, it can ensure comprehensive data compliance for organizations of any scale.
Its plethora of privacy-centric products, such as data classification, DSR automation, notice management, cookie consent management, and breach management, among others, allow organizations to honor their data obligations effectively.
Request a demo today to learn more about how Securiti can help you achieve compliance in the face of Russia's new amendments to its data privacy law.