Russia’s Latest Data Privacy Amendment – Overview

Published August 25, 2022
Author

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US

Russia's Federal Law No. 152-FZ was passed by its State Duma in 2006, making it one of the few data privacy regulations that were in effect before the General Data Protection Regulation (GDPR).

Since 2006, the law has undergone 25 amendments. These amendments introduced new concepts and definitions in response to changing technologies and data privacy concerns, for example on the use of pseudonymized data, the legal bases for data processing, the use of publicly available data, the data localization requirement, and the enforcement powers of the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor). More recently, amendments concerning consent requirements and publicly disseminated data came into effect in March 2021.

The latest amendment, Federal Law of 14 July 2022 No. 266-FZ on Amending the Federal Law on Personal Data (Amendment Law 266-FZ), was published on 20 July 2022 after being passed by the State Duma on 6 July 2022. The Amendment Law is expected to enter into force on September 1, 2022. This article discusses the changes it brings to the existing Russian Federal Law on Personal Data so that organizations can prepare for compliance before 1 September 2022.

Amendment Law 266-FZ brings significant changes to the Federal Law on Personal Data 152-FZ and the overall data privacy landscape within Russia. Here are the key areas that will be most affected as a result of the latest amendments:

Territorial Scope

The Federal Law on Personal Data applies to any legal entity, including any foreign entity with a legal presence in Russia that collects personal data in Russia. It also applies to entities that are not established in the Russian Federation if they purposefully direct their activities towards the Russian Federation and benefit from those activities.

Under the latest amendments, the Federal Law on Personal Data will also apply to the processing of personal data of Russian citizens by foreign organizations and individuals where that processing is carried out on the basis of either of the following:

  • An agreement with the Russian citizen;
  • Explicit consent of the Russian citizen to the processing of their personal data.

Data Subject Rights Requests

This is one of the areas where the amendments make a significant change. Previously, organizations had up to 30 days to respond to a data subject rights request; that period has been reduced to 10 working days.

Performance of a contract is one of the legal bases for the processing of personal data. It means that data may be processed if the processing is necessary for the performance of a contract to which the data subject is a party, beneficiary or guarantor.

As per the new amendments, additional requirements have been added to ensure the contracts are fair to the data subjects.

These requirements primarily ensure that contracts with data subjects do not contain provisions that:

  • Restrict the rights and freedoms of the data subject;
  • Allow the processing of a minor's personal data except as provided under the law;
  • Treat inaction of the data subject as a condition for concluding the agreement.

Data Sharing With Third Parties/Processors

Under the existing law, organizations could entrust other organizations to process personal data on their behalf with the data subject's consent. All that was required was a legally binding agreement between the data operator and the processor, and strict adherence by the processor to the processing instructions provided by the data operator.

Under the new amendment, however, the data operator is required to give the data processor instructions that specify, in particular:

  • The list of personal data to be processed
  • The list of actions (operations) to be performed on that data
  • The obligation to maintain the confidentiality of the personal data

Third-party organizations or data processors that process data on the operator’s behalf will now be subject to additional requirements. These include the following obligations:

  • To ensure the confidentiality and security of personal data during processing in accordance with the provisions of the Federal Law
  • To provide the operator, at its request, with documents and information confirming compliance with the operator’s instructions
  • To stop data processing if unlawful processing is detected

Breach Notifications

The existing Federal Law on Personal Data did not contain any breach notification requirements. The recent amendments introduce them.

Following the latest amendment, organizations are required to interact with the “state system for detecting, preventing and eliminating the consequences of computer attacks on the information resources of the Russian Federation” regarding security incidents, and to inform it of computer security incidents that result in unlawful provision, distribution of, or access to personal data.

More importantly, Amendment Law 266-FZ requires organizations to inform Roskomnadzor in the case of an unlawful or accidental transfer (provision, distribution, access) of personal data that entails a violation of the rights of data subjects:

  • Within 24 hours: details of the incident, the alleged causes of the breach, the alleged harm caused to the rights of data subjects, and the mitigation measures taken;
  • Within 72 hours: the results of the organization's internal investigation into the breach and the personnel whose actions led to it.

The new amendments also update the definition of consent. Previously, a data subject’s consent had to be specific, informed, and conscious; it must now also be substantive and unambiguous.

In consent-based data processing, the data subject has the right to withdraw consent at any time. On receiving a consent withdrawal request, the data operator must cease processing the personal data, or arrange for processing to be terminated if it is carried out by another person acting on the operator's behalf, and, if storage is no longer required for the purposes of processing, destroy the data or ensure its destruction within a period not exceeding thirty days from the date of receipt of the revocation request.

Under the Amendment Law, data operators must now stop processing within a period not exceeding ten working days, instead of thirty days, after a consent withdrawal request. This period may be extended by up to five more working days, provided the data operator gives the data subject a reasoned notice stating the reasons for the delay.

Under the Federal Law on Personal Data, biometric data is any information that characterizes the physiological and biological characteristics of a person and on the basis of which the data subject can be identified. Biometric personal data may only be processed with the data subject's written consent.

Although the existing law already emphasizes that consent must be conscious, the amendments further clarify that a data subject must be able to access a service without being required to provide his/her biometric personal data. In other words, the data operator must not refuse to provide a service to the data subject on the ground that the data subject refuses to provide his/her biometric personal data.

Cross Border Data Transfers

Cross-border data transfers are permitted to countries that are:

  • Parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108 or Strasbourg Convention);
  • Approved by Roskomnadzor as providing adequate protection of data subject rights.

However, transfers to countries that do not fulfill the conditions above may still be made in the following cases:

  • Data subject has consented to their data being transferred;
  • Data transfer is allowed per the international treaties signed by the Russian Federation;
  • Data transfer is deemed necessary to protect the constitutional order and national security of the Russian Federation;
  • Data transfer is allowed per the agreement signed by the data subject;
  • Data transfer is necessary to protect the life, health, or other vital interests of the data subject or other persons.

These transfer mechanisms remain available as before. However, the new amendments introduce the following pre-transfer requirements. Organizations are now required to:

  • Conduct an assessment of the recipient country's data security infrastructure;
  • Notify Roskomnadzor of the intended data transfer before it takes place. The notification must include the legal basis and purpose of the transfer, the categories and list of personal data transferred together with the data subjects concerned, the list of foreign states to which transfer is planned, and the date of the data operator’s assessment of the foreign states’ authorities.
  • The notification obligation also applies to transfers to countries approved by the regulatory authority as providing adequate data protection and to countries that are parties to Convention 108.
  • Transfer to non-adequate countries is considered permitted if no restriction from the regulatory authority is received within 10 working days. If the regulatory authority imposes a restriction, the operator must cease the transfer and ensure that all transferred data is deleted.
  • Before notifying Roskomnadzor, data operators must also obtain the following information from the authorities of the foreign state, foreign individuals, and foreign legal entities concerned:
    • Information about the measures taken by the foreign authorities to whom transfer is planned to protect the transferred personal data, and the conditions for terminating its processing
    • Information on the foreign legal regulation under which foreign authorities may access the personal data
    • Information about the foreign authorities to whom access to the data is planned

Cross-border data transfer may be prohibited or limited in order to protect the foundations of the constitutional order of the Russian Federation, morality, health, and the rights and legitimate interests of citizens; to ensure the country’s defense and state security; to protect the economic and financial interests of the Russian Federation; and to ensure diplomatic and international legal means of protecting the rights, freedoms, and interests of citizens of the Russian Federation and the sovereignty, security, and territorial integrity of the Russian Federation.

How Can Securiti Help

The changes brought by the new amendment present a challenge both for organizations that process data within Russia and for organizations that purposefully direct their activities towards the Russian Federation and benefit from them, since the latter are also subject to the law.

Manual attempts to keep pace with such changes can be extremely laborious and inefficient. Automation is the practical way for organizations to remain compliant with all of their data obligations in real time as such changes take effect.

Securiti is a market leader in providing enterprise solutions related to data compliance and governance. Owing to its state-of-the-art artificial intelligence and machine learning algorithms, it can ensure comprehensive data compliance for organizations of any scale.

Its plethora of privacy-centric products, such as data classification, DSR automation, notice management, cookie consent management, and breach management, among others, allow organizations to honor their data obligations effectively.

Request a demo today to learn more about how Securiti can help you achieve compliance in the face of Russia's new amendments to its data privacy law.
