Russia’s 2021 Personal Data Law, Enhanced Privacy Law
Russia’s Personal Data Law is a data privacy law that was recently amended in March of 2021. The Personal Data Law was amended to provide Russian citizens with enhanced data security rights. To illustrate this point further, the previous Personal Data Law did not require data operators (i.e. data controllers) to obtain consent from data subjects prior to collecting their information, provided that “the data was made available to an unlimited number of persons (i.e., published) by the respective data subject or upon the data subject’s instruction”. In effect, this meant that once the personal data of a data subject was published, said data could then be shared with other parties without the consent of the data subject. As such, the amendment of the Personal Data Law in 2021 sought to modernize and improve the law.
What is the scope and applicability of Russia’s Personal Data Law?
Under the Personal Data Law, any organization, business entity, or individual that publishes personal data initially, as well as those that collect and further disseminate personal data within the public sphere, or share personal data that has been distributed on the basis of consent, including social media, blogs, or any other sources, must comply with the Personal Data Law at all times. What’s more, under the new amendments, making personal data publicly accessible and using it after the original publication is only permitted if the data subject in question consents to the further dissemination of their personal data.
Additionally, the law also introduced a new category of personal data, “personal data made publicly available”. Under the Personal Data Law, personal data made publicly available is defined to mean personal data to which an unlimited number of persons may have access based on a data subject’s specific consent for the dissemination of the data (“dissemination consent”). Through this enhanced definition and increased scope and application of the law, the consent-related issues that plagued the previous version of the Personal Data Law have effectively been remedied.
What are the requirements of data operators under the Personal Data Law?
Under Russia’s Personal Data Law, data operators must adhere to a variety of obligations with regard to the personal data they collect, access, and ultimately disseminate on behalf of data subjects. Some of these various obligations include:
- Data operators are prohibited from disseminating publicly available personal data concerning data subjects without said data subject’s consent.
- Data operators are obligated to publish information relating to applicable processing conditions and restrictions, via a platform that is available to both online and offline readers, within 3 days of receiving dissemination consent from data subjects.
- Data operators are required to adhere to requirements related to the standard dissemination consent forms that must be provided to data subjects. In accordance with the law, the consent forms must detail: the full name and contact details of the data subject; the full name and address, registration number, and TIN of the data operator; details concerning the website where the personal data of a given data subject will be disseminated or processed in another way; the intended purposes of data processing; the categories of personal data that are to be processed; the categories of personal data to which a data subject may set certain restrictions, as well as a list of such restrictions; the conditions of personal data via the data operator’s website, corporate network, or other prohibition on the transfer of personal data; and the terms of consent.
- Data operators are required to appoint a data protection officer or DPO for the purposes of protecting and safeguarding the personal data of data subjects.
- Data operators are responsible for implementing a data protection policy. This data protection policy must be posted on the data operator’s website, and all employees of said data operators are also responsible for familiarizing themselves with this data protection policy, as well as confirming in writing that they have both read and understood the policy.
- Data operators are required to notify both affected data subjects and the Federal Service for Supervision of Communications, Information Technology, and Mass Media, also known as the Roskomnadzor, in the event that a data or security breach occurs.
- Data operators are responsible for adhering to restrictions related to data transfers to third-party countries, by ensuring that the foreign jurisdictions to which the personal data of Russian citizens is transferred provide adequate protection of the rights of data subjects.
What are the rights of data subjects under the Personal Data Law?
As the previous version of Russia’s Personal Data Law provided data subjects with a somewhat ambiguous level of protection with regard to their data privacy rights, a primary reason for the recent amendment to the law was to provide enhanced privacy protections to data subjects. As such, some of the rights that are afforded to data subjects under the amended Personal Data Law include:
- The right to access information – Data subjects have the right to access any personal information that a data operator holds in relation to them by means of submitting a “subject access information” request in written form to said data operator.
- The right to be forgotten – In certain circumstances, data subjects have the right to request that a data operator delete, block, or rectify their personal data. Moreover, data subjects also retain the right to object to decisions that are made in relation to their personal data solely on the basis of automatic processing.
- The right to object to direct marketing and profiling – Data subjects have the right to object to the processing of their personal data for the purposes of direct marketing or profiling, unless data subjects consent to said processing.
- The right to object to data processing – Data subjects have the right to object to
- The right to restriction – Data subjects maintain the right to establish certain restrictions or conditions related to the processing of their personal data that is made publicly available, at their discretion.
- The right to be compensated for harm – Data subjects have the right to be compensated when it is proven that their rights have been violated under the law.
- The right to revoke consent – Data subjects have the right to revoke their consent in relation to the processing of their personal data at any time during the process.
The amended Personal Data Law contains various sanctions and punishments for data controllers who violate the rights of data subjects or are otherwise found to be in non-compliance. These punishments include monetary fines ranging from RUR 6 million ($82,483) to RUR 18 million ($247,320) for data controllers who are found to be in violation of the law, as well as fines ranging from RUR 100,000 ($1,374) to RUR 200,000 ($2,748) for Data Protection Officers who fail to comply with the requirements of the law regarding data breaches. Additionally, the “Roskomnadzor has the right to apply for a court order blocking access to a website through which the relevant person processes personal data in violation of Russian data protection laws.”
As Russia is one of the largest countries in the world and sits at the intersection of the continents of Europe and Asia, amendments to the country’s Personal Data Law were very much needed. As is the case with many countries around the world, Russia’s previous Personal Data Law contained provisions and requirements that were very much outdated by the standards of data protection that are needed to protect the privacy rights of data subjects in our current digital age. As such, the 2021 amendment to the Personal Data Law puts the regulation on par with other recently passed data laws around the world, such as the EU’s General Data Protection Regulation or GDPR.