Personal data: sweeping changes in regulation
On 1 September 2022, amendments* to Federal Law No. 152 on Personal Data (the “Personal Data Law”) and amendments* to Federal Law No. 2300-1 on the Protection of Consumer Rights (the “Consumer Protection Law”) will come into force.

The adopted amendments significantly change the Personal Data Law: new obligations of data controllers have been introduced and existing ones amended, the scope of the Personal Data Law has been expanded, and new procedures for approval by, and notification of, state bodies on the processing of personal data have appeared.

In its new version, the Consumer Protection Law prohibits refusing to conclude a contract with a consumer who declines to provide personal data that is not related to the performance of that contract.

Below we provide an analysis of the main changes to the Personal Data Law and the Consumer Protection Law.

Scope of the Personal Data Law

Before the amendments come into force, the extra-territorial application of the Personal Data Law (i.e. the obligation of foreign companies to comply with it) formally relates only to the personal data localisation requirements.

Under the new provisions of the Personal Data Law, foreign legal entities and individuals are also required to comply fully with the law when processing the personal data of Russian citizens on the basis of a contract or with the consent of such a citizen.

We recommend that foreign companies whose activities are aimed at Russian citizens assess the applicability of the Personal Data Law to their activities and bring them into compliance with it.

Processing of personal data for the performance of a contract

The amendments impose certain restrictions on the processing of personal data based on the performance of a contract.
Thus, the contract to be concluded may not contain provisions which:

- limit the rights and freedoms of the subject;
- establish cases in which the personal data of a minor is processed (unless otherwise provided for by law); or
- allow the conclusion of the contract to be made conditional on the inaction of the subject.

The amendments are worded quite broadly, so we expect that the criteria for classifying a contractual provision as inadmissible will be shaped by law enforcement practice or the regulator’s clarifications. Nevertheless, at this stage, we recommend reviewing current contracts with individuals to ensure that they comply with the new provisions of the Personal Data Law.

New duties and liability of “processors”

The changes to the Personal Data Law have tightened the requirements for so-called “processors” (i.e. persons or entities who process personal data on behalf of a controller). Thus, in addition to the information previously required, the controller’s instructions to the processor must state the following duties of the processor:

- localising Russian citizens’ personal data in Russia when it is collected;
- taking the measures stipulated by Article 18.1 of the Personal Data Law (e.g. appointing a data protection officer, publishing a personal data processing policy, taking measures to ensure the security of personal data);
- providing the controller with proof of compliance with these measures; and
- notifying the controller of personal data leaks.

We recommend checking current agreements with processors and adjusting them to reflect the amendments.

In addition, the new version of the Personal Data Law establishes that foreign processors are liable to personal data subjects directly and not only through the controller.

New rules on cross-border transfer of personal data

The new cross-border transfer rules will come into force on 1 March 2023.

The new version of the Personal Data Law tightens the rules for cross-border transfers and introduces a mandatory prior notification to the regulator of the intention to transfer personal data outside Russia.

Before submitting the notification, the controller must assess the recipient of the personal data by obtaining the following information:

- the persons or entities to whom the personal data will be transferred;
- the measures taken to protect the transferred personal data and the conditions under which its processing may be terminated; and
- the legal regulation of personal data in the recipient country (if the country is not one that provides adequate protection of the rights of personal data subjects).

The controller must then notify Roskomnadzor of its intention to transfer personal data across borders and provide detailed information on the planned transfer, including the type and content of the data to be transferred, the categories of data subjects, the countries to which the data will be transferred, etc.

Upon receipt of a notification, Roskomnadzor has the right to prohibit or restrict the transfer of personal data, inter alia, to protect the morals, health, rights and legitimate interests of individuals; to protect the foundations of the constitutional order, security and defence of the state; or to protect Russia’s economic interests.

Roskomnadzor has ten working days from the date of receipt of the notification to make its decision. Pending a decision, the controller may carry out cross-border transfers of personal data to countries that are parties to Council of Europe Convention No. 108 or are included in Roskomnadzor’s special list. Personal data may be transferred to other countries only after the deadline for Roskomnadzor’s decision has expired and no decision to ban the transfer has been issued. If a cross-border transfer is banned or restricted, the controller must ensure that the data it has previously transferred is destroyed in the foreign country.

Controllers that carried out cross-border transfers before 1 March 2023 and will continue to do so after that date are required to submit a notification to Roskomnadzor no later than 1 March 2023.

Interaction with GosSOPKA

The new version of the Personal Data Law also requires the controller to ensure interaction with the State System for Detection, Prevention and Elimination of the Consequences of Computer Attacks on Information Resources (GosSOPKA). The aim is to inform GosSOPKA about computer incidents that have led to the unlawful transfer of personal data. The procedure for this interaction has not yet been determined and will be established by the Federal Security Service of Russia in a separate regulation.

Obligation to notify personal data leakage

In the event of a leakage (an unlawful or accidental transfer of personal data resulting in a violation of the subject’s rights), the controller must notify Roskomnadzor:

- within 24 hours of discovering the incident, about the incident and its details; and
- within 72 hours of discovering the incident, about the results of the internal investigation into the incident, including information on the persons (if any) whose actions led to it.

At present, the new version of the Personal Data Law contains no exceptions to the obligation to notify a leak. Criteria for minor leakages may be developed in the future that would exempt minor unlawful or accidental transfers of personal data from notification.

At this stage, we recommend introducing rules for internal leak investigations, especially given the short timeframe for fulfilling the notification obligations to Roskomnadzor. Because both deadlines run from the moment the incident is discovered, those rules should define who in the organisation determines that an incident has been discovered and how it is escalated, so that the 24-hour clock does not start unnoticed.

Processing of personal data under the Consumer Protection Law

After 1 September 2022, companies will not be allowed to refuse to conclude, perform or terminate a contract because a consumer refuses to provide their personal data. The exceptions are cases where the obligation to provide such data is prescribed by law or is directly related to the performance of the contract with the consumer.

In addition, consumers are given the right to request information on the specific reasons and legal grounds that make it impossible to conclude, perform or terminate a contract without providing personal data. Consumers may also request the removal of provisions stipulating the conditions of personal data processing, and the company must, within ten days, make a reasoned decision and notify the consumer of it.

The new rules will also apply to contracts concluded before 1 September 2022. Therefore, the changes will affect interaction with both new and current customers.

If the inclusion in a contract of conditions detrimental to the consumer’s rights has caused losses, they must be compensated in full. In addition, the inclusion of such conditions in a contract may result in an administrative fine of up to RUB 20,000 (approx. EUR 350).

We recommend that contracts with consumers be reviewed with regard to the provisions on the processing of personal data, the scope of data to be collected, and how to interact with consumers during the contracting and enquiry handling phases.

Other changes

In addition to the above, the new version of the Personal Data Law introduces a significant number of other changes. We summarise some of them below.

From 1 March 2023, the data controller will be required to specify in its personal data processing policy, for each processing purpose:

- the categories and content of the processed data;
- the categories of subjects whose personal data is processed;
- the manner and terms of data processing and storage; and
- a procedure for destroying personal data when the purpose of its processing has been achieved or when other legitimate grounds for doing so have arisen.

The list of cases in which a controller may process personal data without notifying Roskomnadzor of its intention to do so has been substantially reduced. In particular, the processing of personal data in accordance with labour law and for the performance of a contract is no longer an exception and will now require the submission of a notification.
Thus, virtually any personal data controller engaged in commercial activities is required to submit a notification to Roskomnadzor. In addition, the list of information that must be contained in the notification has changed, and a requirement to provide more detailed information on personal data processing has been introduced.

The amendments establish additional criteria for consent: it must be not only specific, informed and conscious, but also substantive and unambiguous. No explanation of what is meant by substantive and unambiguous consent is yet available.

The provision of biometric personal data may not be made compulsory, except in the cases laid down in the Personal Data Law. If the processing does not fall within those exceptions, the controller does not have the right to refuse a service to a person who declines to provide biometric data.

The deadline for responding to a subject’s request for access to information on the processing of their personal data, or for its termination, has been reduced to ten working days from the request (the deadline can be extended by a further five working days).

Thus, almost all aspects of personal data processing are affected to a greater or lesser extent by the changes.

Recommendations

Given the scale of the adopted changes, almost every Russian personal data controller needs to assess its current personal data processing procedures and, most likely, adjust them. In addition, foreign controllers will in all likelihood be subject to Russian personal data legislation and required to comply fully with it.

In light of the changes adopted, we recommend that:

- foreign controllers check their current procedures for processing the data of Russian citizens and assess whether Russian legislation is applicable; and
- Russian controllers audit their current personal data processing procedures and make appropriate adjustments, including to personal data processing policies, cross-border transfer procedures, consents, contracts providing for data processing mandates, and other documents and processes.

* In Russian

Co-authored by Shermet Kurbanov, Paralegal in Intellectual Property.