The regulation of personal data protection continues to attract attention at the subordinate legislation level in Russia. Procedures for keeping the “Register of Offenders” and conducting compliance checks in the field of personal data processing are currently being devised. This development, however, fails to address the most pressing issues that the business community is facing in connection with the requirement to localise databases in Russia (see our previous Alert on the Data Localisation Law). Still, it reinforces the authorities’ intention to go ahead, as planned, with establishing tight control in the field of personal data processing.
Given the above, and in light of the forthcoming greater liability to be imposed on personal data operators for failure to comply with personal data laws (see our previous Alert on this issue), we recommend that operators conduct internal reviews as to their compliance with Russian personal data laws in view of the planned changes, the most important of which are outlined below.
The Ministry of Communications and Mass Media has prepared two draft decrees of the Russian Government (the texts of the Decree on the “Register of Offenders” and of the Decree on compliance checks are available in Russian). Both drafts regulate, above all, procedural aspects of interaction with (and within) the Federal Service for Supervision over Communications, Information Technology and Mass Media (“Roskomnadzor”). They are scheduled to come into force on 1 September 2015, i.e. concurrently with the Data Localisation Law that we reported on previously.
Decree on the “Register of Offenders”
The first draft Decree sets out the procedure for keeping the “Register of Offenders”, namely what information will be contained in the Register, the procedure for the inclusion of an operator on (and for striking it off) the Register, as well as the criteria for outsourcing the maintenance of the Register to a third party organisation. The public discussion phase for this draft Decree has been completed. It could therefore be adopted by the Russian Government in its present state at any time. Alternatively, it may first be amended in light of these discussions.
Decree on compliance checks
The second draft Decree establishes the procedure for checks conducted by Roskomnadzor in order to control and monitor compliance with the personal data laws. This draft Decree is still at the public discussion stage.
To give effect to Roskomnadzor’s control and compliance monitoring functions, it will be vested with the right to issue mandatory requests to suspend or stop personal data processing, as well as to clarify, block or delete any personal data that is inaccurate or was obtained in breach of the law.
The following forms of control and compliance monitoring over operators’ activities will be available to Roskomnadzor:
- inspections, which can be either documentary or on-site, as well as scheduled or unscheduled;
- analysis and assessment of compliance with Russian legal requirements; and
- systematic monitoring.
Unscheduled inspections may be triggered as a result of, in particular:
- a request of the President or the Government of the Russian Federation;
- information reported by public authorities or mass media about proven facts of violations;
- a public prosecutor’s recommendation to conduct an unscheduled inspection; or
- any discrepancy between the information contained in a personal data processing notice and the actual activities of the operator.
The last-mentioned ground reflects the requirement to give proper notice of the commencement of processing of personal data, which should describe as accurately as possible the manner in which personal data is actually being processed.
Scheduled inspections will be carried out in accordance with a plan approved by Roskomnadzor. The grounds for including an entity in the plan of inspections will be, amongst others:
- any information reported by public authorities or mass media on possible violations;
- the processing of the personal data of a significant number of subjects (the word “significant” is not clarified in the draft Decree);
- the processing of biometric and special categories of personal data; or
- failure to give any required notice to Roskomnadzor.
Systematic monitoring is to be conducted on the basis of:
- a request of the President, the Russian Government, the Head of Roskomnadzor or public authorities;
- requests of legal entities or individuals; or
- media publications regarding personal data related violations.