TMT – Technology, Media & Telecommunications

From 1 June 2023, a pro­hib­i­tion on pro­cessing spe­cif­ic bio­met­ric per­son­al data out­side the Uni­fied Bio­met­ric Sys­tem (the “UBS”) will come in­to force. This will af­fect the abil­ity of com­mer­cial or­gan­isa­tions to pro­cess cer­tain types of bio­met­ric data.The UBS was cre­ated pur­su­ant to Fed­er­al Law No. 572* dated 29 Decem­ber 2022, which also reg­u­lates the pro­ced­ures of iden­ti­fic­a­tion and au­then­tic­a­tion of in­di­vidu­als by means of bio­met­ric per­son­al data (the “Law”).What is the Uni­fied Bio­met­ric Sys­tem?The UBS is a state in­form­a­tion sys­tem un­der which bio­met­ric per­son­al data of in­di­vidu­als is col­lec­ted and stored for sub­sequent iden­ti­fic­a­tion and au­then­tic­a­tion.The UBS cur­rently in­cludes the fol­low­ing types of bio­met­ric per­son­al data: (a) an im­age of a per­son; and (b) a re­cord of a per­son’s voice (“Bio­met­ric Data”). This list may be ex­ten­ded after 1 Septem­ber 2024.The Law stip­u­lates that Bio­met­ric Data for iden­ti­fic­a­tion pur­poses (i.e. es­tab­lish­ing a per­son’s iden­tity through their Bio­met­ric Data) and for au­then­tic­a­tion pur­poses (i.e. con­firm­ing that the per­son who provided Bio­met­ric Data is who they claim to be) can only be stored in the UBS.Iden­ti­fic­a­tion based on Bio­met­ric Data can only be car­ried out by the op­er­at­or of the UBS, JSC “Centre of Bio­met­ric Tech­no­lo­gies”.Au­then­tic­a­tion us­ing the data con­tained in the UBS can be car­ried out either by the op­er­at­or of the UBS or by spe­cially ac­cred­ited or­gan­isa­tions.Com­pan­ies are not al­lowed to in­de­pend­ently carry out iden­ti­fic­a­tion or au­then­tic­a­tion us­ing Bio­met­ric Data.What should com­pan­ies do?By 30 Septem­ber 2023, all or­gan­isa­tions that have been stor­ing Bio­met­ric Data used for iden­ti­fic­a­tion or au­then­tic­a­tion must trans­fer it to the UBS, hav­ing no­ti­fied the rel­ev­ant in­di­vidu­als 30 days be­fore the trans­fer. Af­ter­wards, the data must be de­leted.Com­pan­ies can sub­sequently au­then­tic­ate in­di­vidu­als based on Bio­met­ric Data only through the UBS or ac­cred­ited or­gan­isa­tions, but only in the event that the in­di­vidu­als in ques­tion have giv­en their vol­un­tary con­sent.For ex­ample, a vis­it­or ac­cess con­trol sys­tem that is based on auto­mated im­age read­ing or voice au­then­tic­a­tion can only be im­ple­men­ted through in­teg­ra­tion with the UBS or a tool used by an ac­cred­ited or­gan­isa­tion. Such au­then­tic­a­tion may not be per­formed in­de­pend­ently.If au­then­tic­ated through the UBS, the per­son’s iden­tity is deemed to be es­tab­lished, and com­pan­ies need not col­lect any ad­di­tion­al data to con­firm the in­di­vidu­al’s iden­tity.The UBS need not be used when:an au­thor­ised of­ficer manu­ally iden­ti­fies or au­then­tic­ates a per­son based on Bio­met­ric Data. For ex­ample, ac­cess con­trol by com­par­ing a photo with the vis­it­or who is present­ing it; an­doth­er bio­met­ric per­son­al data (i.e. not im­ages or voices) are used. Com­pan­ies may use oth­er bio­met­ric data (i.e. data char­ac­ter­ising bio­lo­gic­al and physiolo­gic­al fea­tures) without re­stric­tion provided they com­ply with the Per­son­al Data Law*.Li­ab­il­ityNo spe­cif­ic li­ab­il­ity for breach of the Law has been es­tab­lished to date; how­ever, a bill* has re­cently been sub­mit­ted to the State Duma which would es­tab­lish fines for of­fences in­volving the use of Bio­met­ric Data. The bill could be ad­op­ted dur­ing this spring ses­sion.It is pro­posed to amend part 2 of art­icle 13.11 of the Rus­si­an Code on Ad­min­is­trat­ive Of­fences to es­tab­lish the pen­al­ties for us­ing Bio­met­ric Data in vi­ol­a­tion of the re­quire­ments es­tab­lished by Rus­si­an le­gis­la­tion in the sphere of per­son­al data.For leg­al en­tit­ies, fines can range from RUB 300,000 to RUB 700,000 (from EUR 3,468 to EUR 8,091) (for re­peated vi­ol­a­tion from RUB 1m to RUB 1.5m (from EUR 11,559 to EUR 17,339)).Re­com­mend­a­tionsGiv­en the forth­com­ing entry in­to force of the Law’s pro­vi­sions pro­hib­it­ing the pro­cessing of Bio­met­ric Data out­side the UBS, we re­com­mend that com­pan­ies:check wheth­er they cur­rently use any pro­cesses to identi­fy and au­then­tic­ate in­di­vidu­als based on Bio­met­ric Data or plan to im­ple­ment any such sys­tems; an­deither ad­just the pro­cesses so as to ex­clude the ap­plic­a­tion of the Law or im­ple­ment iden­ti­fic­a­tion/au­then­tic­a­tion through the UBS in ex­ist­ing and planned busi­ness pro­cesses.* In Rus­si­an

SEAM­LESS Leg­al is pleased to an­nounce the ap­point­ment of Vladis­lav Eltovskiy as Head of Di­git­al Law.Vladis­lav, who has been spe­cial­ising in in­tel­lec­tu­al prop­erty pro­tec­tion and per­son­al data pro­jects...

SEAM­LESS Leg­al ex­perts have earned re­cog­ni­tion by the Pravo-300 in­di­vidu­al rank­ing re­leased on 21 Feb­ru­ary 2023. The most reput­able Rus­si­an na­tion­al rank­ing has awar­ded 12 SEAM­LESS Leg­al law­yers across...

On 20 Oc­to­ber 2022, SEAM­LESS Leg­al held its second an­nu­al Ad­vert­ising Law con­fer­ence in Mo­scow with par­ti­cip­a­tion of the rep­res­ent­at­ives of the Fed­er­al An­ti­mono­poly Ser­vice, as­so­ci­ations, ma­jor ad­vert­isers...

23 Au­gust 2022

On 1 Septem­ber 2022, amend­ments* to Fed­er­al Law No 38 “On Ad­vert­ising” dated 13 March 2006 (the “Law”) will come in­to force. The Law will be sup­ple­men­ted by art­icle 18.1 on on­line ad­vert­ising...

Yet an­oth­er pack­age of meas­ures aimed at ex­pand­ing and cla­ri­fy­ing the cri­ter­ia for tax in­cent­ives for IT com­pan­ies was in­tro­duced mid-Ju­ly un­der Fed­er­al Law No. 321-FZ (the “Law”). Over­view of...