Russia’s 2021 Personal Data Law, Enhanced Privacy Law


Russia’s Personal Data Law is a data privacy law that was amended in March of 2021. The Personal Data Law was amended to provide Russian citizens with enhanced data security rights. To illustrate this point further, the previous Personal Data Law did not require data operators (i.e. data controllers) to obtain consent from data subjects prior to collecting their information, provided that “the data was made available to an unlimited number of persons (i.e., published) by the respective data subject or upon the data subject’s instruction”. In effect, this meant that once the personal data of a data subject was published, said data could then be shared with other parties without the consent of the data subject. As such, the amendment of the Personal Data Law in 2021 sought to modernize and improve the law.

What is the scope and applicability of Russia’s Personal Data Law?

Under the Personal Data Law, any organization, business entity, or individual that publishes personal data initially, as well as those that collect and further disseminate personal data within the public sphere, or share personal data that has been distributed on the basis of consent, including social media, blogs, or any other sources, must comply with the Personal Data Law at all times. What’s more, under the new amendments, making personal data publicly accessible and using it after the original publication is only permitted if the data subject in question consents to the further dissemination of their personal data.

Additionally, the law also introduced a new category of personal data, “personal data made publicly available”. Under the Personal Data Law, personal data made publicly available is defined to mean personal data to which an unlimited number of persons may have access based on a data subject’s specific consent for the dissemination of the data (“dissemination consent”). Through this enhanced definition and increased scope and application of the law, the consent-related issues that plagued the previous version of the Personal Data Law have effectively been remedied.

What are the requirements of data operators under the Personal Data Law?

Under Russia’s Personal Data Law, data operators must adhere to a variety of obligations with regard to the personal data they collect, access, and ultimately disseminate on behalf of data subjects. Some of these various obligations include:

What are the rights of data subjects under the Personal Data Law?

As the previous version of Russia’s Personal Data Law provided data subjects with a somewhat ambiguous level of protection with regard to their data privacy rights, a primary reason for the recent amendment to the law was to provide enhanced privacy protections to data subjects. As such, some of the rights that are afforded to data subjects under the amended Personal Data Law include:

In terms of punishments that can be levied against data controllers who violate the rights of data subjects, the amended Personal Data Law contains various sanctions and punishments that data controllers who are found to be in non-compliance are subject to. These punishments include monetary fines ranging from RUR 6 million ($82,483) to RUR 18 million ($247,320) for data controllers who are found to be in violation of the law, as well as fines ranging from RUR 100,000 ($1,374) to RUR 200,000 ($2,748) for Data Protection Officers who fail to comply with the requirements of the law regarding data breaches. Additionally, “Roskomnadzor has the right to apply for a court order blocking access to a website through which the relevant person processes personal data in violation of Russian data protection laws.”

As Russia is one of the largest countries in the world and sits at the intersection of the continents of Europe and Asia, amendments to the country’s Personal Data Law were very much needed. As is the case with many countries around the world, Russia’s previous Personal Data Law contained provisions and requirements that were very much outdated by the standards of data protection that are needed to protect the privacy rights of data subjects in our current digital age. As such, the 2021 amendment to the Personal Data Law puts the regulation on par with other recently passed data laws around the world, such as the EU’s General Data Protection Regulation or GDPR.
