On 1 March 2023, amendments* to the Personal Data Law dated 27 July 2006 will come into force, affecting the cross-border transfer of personal data.
In January 2023, the Russian government adopted decrees No. 6* and No. 24*, setting out rules for making decisions to prohibit or restrict the cross-border transfer of personal data. These rules will also enter into force on 1 March 2023.
While the new rules do not expressly target “unfriendly” states, they could be applied to restrict personal data transfers to them if the conditions set out below are met.
Requirements applicable to cross-border transfers
As we reported earlier, the revised Personal Data Law tightens the rules for cross-border transfers. Before transferring personal data, companies will now have to:
- carry out an assessment of the recipient of the personal data located outside Russia;
- submit a notification to Roskomnadzor of their intention to transfer personal data outside Russia.
Once notified, Roskomnadzor has the right to prohibit or restrict the transfer of personal data.
The new government decrees introduce the procedure and criteria based on which such bans or restrictions can be imposed.
Bans and restrictions to protect the morals, health, rights and legitimate interests of individuals
Upon considering a notification, Roskomnadzor may decide to prohibit the transfer of personal data in the following cases:
- the recipient of the personal data does not implement data protection measures or does not specify conditions for discontinuing their processing;
- the recipient of the personal data is an organisation whose activities are banned under a court decision or that is deemed “undesirable” in Russia;
- the transfer of personal data abroad and their further processing are incompatible with the purposes for which the personal data has been collected; or
- there are no legal grounds to transfer the personal data abroad.
Restrictions may be applied on cross-border transfers if the content and volume of the personal data and/or the categories of data subjects are inconsistent with the purposes of the transfer. In such cases, Roskomnadzor indicates in its decision the personal data and categories of data subjects in relation to which cross-border transfers are allowed.
Bans and restrictions at the initiative of other state authorities
The decision to prohibit or restrict the cross-border transfer of personal data can also be taken on the basis of a submission by Russian state authorities, such as the Federal Security Service, the Ministry of Defence and the Ministry of Foreign Affairs.
Such submissions must contain, among other things, the following information:
- the country in relation to which the decision is taken;
- a description of the reasons why the cross-border transfer should be prohibited or restricted;
- an opinion on the content of the decision that is proposed for adoption; and
- information on the data controllers that are proposed to be prohibited or restricted from carrying out the cross-border transfer.
Roskomnadzor will decide whether to prohibit or restrict the cross-border transfer of personal data based on such submissions.
If the underlying reasons for the decision cease to be in effect, Roskomnadzor may lift the ban or restriction on the cross-border transfer based on another submission by the relevant authority or a request from the controller whose data transfer was banned.
Given the entry into force of the requirements on the cross-border transfer of personal data, as well as the rules on prohibitions and restrictions, we recommend that personal data controllers:
- check their existing personal data cross-border transfer processes;
- carry out an assessment of personal data recipients (including the legal regulation of personal data in the recipients’ country) and submit the relevant notification to Roskomnadzor;
- monitor the introduction of bans and restrictions on the cross-border transfer of personal data.
* In Russian