Personal Data Law No. 152-FZ

Personal data can include any information that is enough to unambiguously identify an individual and receive any additional information about him. Any organization working with data of individuals must protect information systems and obtain documents confirming the compliance of these systems with the requirements of the law.

Definitions

• Personal Data means any information relating directly or indirectly to a specified or determined individual (personal data subject);
• Personal data operator - a state body, municipal body, legal entity or individual, independently or together with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data;
• Processing of personal data - any action (operation) or set of actions (operations) performed using automation means or without the use of such means with personal data, including collection, recording, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

Why does Russia need this law

The reason for the adoption of the law on the protection of personal data was the need to eliminate barriers in the international to trade with countries. European Union The exchange of personal data, often necessary in the course of transactions, is possible only between States capable of ensuring the appropriate protection of the information transmitted and received. For comparison, in Norway France , similar laws were introduced at the end of the nineteenth century. In the fall of 2005, the State Duma ratified the Council Convention " Europe On the Protection of Persons in Connection with the Automatic Processing of Personal Data."

By law, each information system in which personal data is stored and processed must be assigned a class according to which this data will be protected. In addition, information systems can be typical or special, and the latter require mandatory licensing for operation. Special, for example, are considered systems containing information on the state of health and those on the basis of which decision-making is envisaged that give rise to legal consequences. In other words, if data from such information systems, or rather, their analysis and processing, can affect the life or health of a personal data subject. The class of special information systems is determined on the basis of a model of threats to the security of personal data in accordance with regulatory and methodological documents of regulators.

How the law was claimed and changed

Operators will be forced to report cyber attacks and data "leaks"

Personal data operators are going to be obliged to promptly report all cyber attacks and leaks of personal data of Russians to the authorized authorities. This became known on July 5, 2022. The corresponding bill is going to be considered at the plenary sessions of the State Duma in the spring session.

Deputies and senators have prepared a number of amendments to the law "On Personal Data," according to which operators will have to inform authorized authorities about information leaks and plans to transfer personal data abroad. The regulatory document refers to passport data, information about real estate, phone numbers and addresses of residence. Also, according to the introduced rules, information from the Unified State Register of Real Estate can be transferred to third parties only with the consent of the owner.

In addition, the bill prohibits operators from refusing to provide services to people who do not want to report their personal data if the disclosure of such information is not necessarily^[2] to^[3].

The Ministry of Digital Science of Russia proposed to depersonalize personal data only with the consent of the subject

On March 3, 2021, the Ministry of Digital Industry of Russia announced that a meeting was held in the department, during which amendments to the draft federal law "On Amendments to the Federal Law" On Personal Data, "which was developed by the ministry, were discussed and adopted by the State Duma in the first reading on February 16, 2021.

According to the amendments proposed by the Ministry of Digital Science of Russia, the depersonalization of personal data can be carried out only with the consent of the subject or in other cases provided for by the legislation of the Russian Federation in the field of personal data.

The amendments provide that business will be able to freely process impersonal data. At personal data protection the same time, to provide Russians, it is proposed to introduce a number of restrictions for operators who. processing data For example, the operator will not be able to use other information, actions and methods that will help determine the ownership of personal data to a specific subject. It will also be prohibited, in addition to impersonal data, to transfer information to third parties that will allow to identify a specific person. De-denigration of data will be banned, except in cases where it is necessary to protect the life or health of a person.

"The bill will increase the effectiveness of the system for protecting the rights of personal data subjects - our citizens, and will also enable businesses to use data obtained as a result of depersonalization. At the same time, the rights of Russians to safely process and preserve their personal data will be respected, "commented Dmitry Reutsky, Acting Director of the Information Security Department of the Russian Ministry of Digital Science.

In the near future, amendments to the bill will be submitted to the Government of the Russian Federation.

It is planned to limit the transfer of personal data to foreign servers

prepared in Ministry of Digital Development, Communications and Mass Media Russia May 2017 amendments to the Law "On Personal Data," which imply restricting the transfer of personal data to foreign servers of Russian companies.

According to Izvestia, currently the restrictions relate to the transfer of data to foreign legal entities. Servers of Russian companies located abroad are not subject to this restriction.

The amendments prepared by the ministry imply the use of the wording "cross-border transfer of personal data - transfer of personal data to the territory of a foreign state."

Deputies toughened punishment for violations in the work with personal data

The State Duma adopted in early 2017 a law on increasing fines for violating the law on the collection, processing and storage of personal data.

For violations in working with personal data for legal entities, a fine of up to 10 thousand rubles is provided. However, according to the authors of the law, the current rule does not take into account the severity of the negative consequences of the offense, so the deputies proposed to toughen the punishment.

Now, for processing personal data in cases not provided for by the legislation of the Russian Federation, or processing data incompatible with the purposes of collecting such data, they will be punished with a warning or fine of 1 to 3 thousand rubles. for citizens, from 5 to 10 thousand rubles. for officials and from 30 to 50 thousand rubles. for legal entities.

Processing personal data without the consent of a citizen will lead to a fine in the amount of 3 to 5 thousand rubles. for citizens, from 10 to 20 thousand rubles. for officials and from 15 to 75 thousand rubles for legal entities. If the state or municipal operator does not comply with the requirements for depersonalization of these, officials will receive a fine from 3 to 6 thousand rubles.

The operator's refusal to provide a person with information about the processing of his personal data will result in a warning or fine from 1 to 2 thousand rubles for citizens, from 4 to 6 thousand rubles. for officials, from 10 to 15 thousand rubles. for individual entrepreneurs and from 20 to 40 thousand rubles. for legal entities.

The government believes that such amendments will effectively protect the rights and interests of citizens and will ensure the inevitability of punishment.

Changes in the law since September 1, 2015

Main article: Regulation of personal data in the Russian Federation (changes from September 1, 2015)

On September 1, 2015, a provision designated by FZ-242 law entered into force in Russia, which obliges personal data operators to process and store personal data of Russians using databases located on the territory of the Russian Federation. Due to the fact that certain terms and formulations used in this provision allow for different interpretations, the Ministry of Telecom and Mass Communications has prepared explanations for it. The list of explanations is available at the link.

2006-2010

In July 2006, federal law No. 152-FZ "On Personal Data" was adopted. The law came into force in January 2007.

In December 2009, the State Duma managed to adopt in three readings the postponement of bringing previously created ISPDs in line with the requirements of the Federal Law "On Personal Data" from January 1, 2010 to January 1, 2011.

The bill on the next postponement was adopted by the State Duma in the first reading on December 7, 2010. Initially, the bill proposed to postpone the entry into force of the law "On Personal Data" for another year - until January 1, 2012.

The federal law provides that personal data information systems (PSIS) created before January 1, 2011 must be brought into line with the requirements of the Federal Law "On Personal Data" no later than July 1, 2011. Thus, the entry into force of the requirements of the Law "On Personal Data" was postponed for another six months.

The federal law "On Amending Article 25 of the Federal Law" On Personal Data "was adopted by the State Duma on December 10 and approved by the Federation Council on December 15, 2010.

In December 2010, the president Russia Dmitry Medvedev signed a federal law "On Amending Article 25 of the Federal Law 'On Personal Data'."

Who do the requirements relate to?

Requirements for ensuring the security of personal data apply to almost everyone. Indeed, in addition to personnel and accounting, billing systems, call centers and automated pass bureau systems can be classified as personal data information systems. Even if the secretary simply recruits a list of employees with phones and birthdays on his computer - this information must be protected.

On the other hand, there is undoubtedly a real need to ensureadequate protection of personal data. Every day, both the value of information and the sophistication of the ways in which it can be unauthorized is increasing. And, if not the most valuable, then at least the most popular for attackers are. personal data According to the company's research InfoWatch in 2009, among all registered information leaks, personal data amounted to 89.8%.

As a result, according to Federal Law No. 242-FZ, when collecting personal data, including via the Internet, the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of Russian citizens using databases located on the territory of the Russian Federation.

Liability for non-compliance

Fines for data breach in Russia

Main article: Fines for data leakage in Russia

2022

Russia introduced fines for coercion to transfer personal data

In Russia, fines were introduced for coercion to transfer personal data. This became known on May 29, 2022.

The law will protect buyers who do not want to share personal data when paying for goods and services.

The amended document was published on the official website of legal information.

Administrative liability threatens service sellers in case of refusal to conclude, execute, change or terminate the contract with the consumer in case of his refusal to provide personal data.

The law, which will enter into force on September 1, 2022, establishes a fine for officials in the amount of 5 to 10 thousand rubles, and for legal entities in the amount of 30 to 50 thousand rubles^[4].

Roskomnadzor proposed to toughen the punishment for the illegal use of personal data

Roskomnadzor proposed to toughen the punishment for the illegal use of personal data. This became known on May 26, 2022.

This bill provides for tougher liability up to criminal liability for persons involved in the sale of stolen personal data.

On May 26, a regular meeting of the Public Council under Roskomnadzor took place. The main issues of the meeting concerned the legislative regulation of bloggers with an audience of more than 100 thousand subscribers.

In his opening remarks, the head of Roskomnadzor, Andrei Lipov, briefly informed the members of the Public Council about the current work of the department. In particular, about information attacks on Russian users, which began from the very first hours of the start of a special military operation.

Andrei Tsyganov, Chairman of the Commission for the Protection of Children from Destructive and Dangerous Content as part of the Public Council under Roskomnadzor, made a number of proposals to promote value-oriented content in the Internet communities of^[5].

2019

The State Duma approved in the second reading a project on the storage of personal data

On November 19, 2019, the State Duma adopted in the second reading a bill that significantly increases the fine for refusing to store personal data of Russians on servers in the Russian Federation.

By the second reading, the authors of the initiative reduced the size of the minimum fines for the primary violation.

For officials, they first offered a fine of 200-500 thousand rubles, and it became from 100 thousand to 200 thousand rubles. For repeated violation, they planned to impose a fine from 500 thousand to 1 million rubles, and by the second reading it was from 500 thousand to 800 thousand rubles.

For legal entities offered a fine from 2 million to 6 million rubles, and now - from 1 million to 6 million rubles. The penalty for repeated violation, as in the original version, is offered from 6 million to 18 million rubles.

The head of the Ministry of Telecom and Mass Communications Konstantin Noskov called overstated fines for refusing to store personal data of Russians in Russia. He believes that the relevant draft law requires revision and additional discussion.

The sanctions provided for by the current version of the Code of Administrative Offenses for committing administrative misconduct in this area do not meet the principles of proportionality, do not provide the necessary preventive effect, create conditions for repeated and repeated violations, the explanatory note to the bill says. Previously, violators were fined 3,000 rubles. under Art. 19.7 of the Administrative Code for failure to provide information.

According to the authors of the bill, failure to comply with the obligation to localize databases with personal data poses a threat to the security of citizens, the functioning of critical information infrastructure, and impedes the effective fight against terrorism and extremism. This forces the adoption of sanctions that stimulate compliance with the law for such violations. ^[6]

Fines for refusing to store data will be raised 6,000 times in Russia

On September 10, 2019, it became known that the deputies of the State Duma in the first reading adopted a bill that tenfold increases fines for companies' refusal to store Russian data within the borders of Russia. If earlier they were threatened with forced payments in the amount of 3 thousand rubles, then the adopted document involves multimillion-dollar penalties.

The bill "On Amendments to the Code of Administrative Offenses of the Russian Federation" was submitted to the State Duma on June 13, 2019 by State Duma deputies from the United Russia party Victor Pinsky and Daniil Bessarabov. Together with them, 18 more deputies are listed as subjects of the law of legislative initiative. The explanatory note to the bill says that during its development, the authors were guided by the experience of other countries, but did not specify which ones. The date of consideration of the law in the second reading at the time of publication of the material was not set.

The bill adopted in the first reading provides for an increase in fines for companies that refuse to store data of Russian users in data centers located in Russia, up to 18 million rubles. The document considers two types of punishment - for the first and subsequent violations. For the first violation of the law, individuals are fined from 30 thousand to 50 thousand rubles, and officials - from 200 thousand to 500 thousand rubles. legal entities will be punished in the amount of 2 million to 6 million rubles. The authors of the bill propose to punish the repeated offense with a fine in the amount of 50 thousand to 100 thousand rubles. (individuals), from 500 thousand to 1 million rubles. (officials) or from 6 million to 18 million rubles. (legal entity).

"This is comparable to the costs associated with the fulfillment of the requirements established by law," the explanatory note to the bill says. Actual fine in the amount of 3 thousand rubles. the authors of the document consider "insignificant for large Internet organizations, clearly disproportionate to the nature of the offense and unable to induce compliance with Russian legislation."

The law on the localization of personal data of Russians in the data center within the borders of Russia, the amendments to which contain the bill, was signed by Russian President Vladimir Putin on December 31, 2014. The document entered into force on September 1, 2019.

First of all, the law is directed against large foreign corporations - some of them were fined 3 thousand rubles for four years of the law. These include Facebook and, Twitter which Roskomnadzor in December 2018 sent requirements for the provision of information on the localization data of Russian users in Russia. In January 2019, he opened a case against them, and in April 2019, both companies received a fine for the indicated amount. In both cases, the decision was made by the World Court of the Tagansky District, Moscow although Twitter in April 2017 announced its readiness to transfer personal data the Russians to, Russia noted in. CNews

In some cases, companies may face not only large fines, but also blocking their web resources in. Russian segment of the Internet This happened to a large one - social network LinkedIn the blocking order was issued by the same Tagansky court of Moscow, and Roskomnadzor filed a corresponding lawsuit for non-compliance with the requirements for the localization of personal data of Russian citizens.

At the same time, Apple does not face fines: Apple Rus, a subsidiary of American Apple, is included in the register of Roskomnadzor personal data operators, as evidenced by information on the agency's website. According to CNews, Apple Rus LLC was entered into the register on December 29, 2018, and the application for inclusion was submitted four days earlier - December 25, 2018. Responsibility for the processing of personal data of Russians is assigned to an employee of Apple's subsidiary Alexander Kotilevsky.

The bill adopted in the first reading also proposes to increase fines for search engines for repeated violation of the current restrictions in their work, which include, among other things, redirecting users to prohibited sites. For citizens, the fine will be from 30 to 100 thousand rubles, for officials - from 100 to 500 thousand rubles, for legal entities - from 1.5 to 5 million rubles.^[7]

A bill on fines for violations of PD storage has been submitted to the State Duma

On Thursday, June 13, 2019, a bill was submitted to the State Duma, which provides for fines for violations of the storage of personal data (PD) of citizens of the Russian Federation up to 18 million rubles. In accordance with the bill, Art. 13.11 of the Code of Administrative Offenses of the Russian Federation, it is proposed to supplement and establish fines in the amount of:

• from 30 to 50 thousand rubles for individuals;
• from 200 to 500 thousand rubles for officials;
• 2 to 6 million for legal entities.

Administrative penalties are provided for the operator's failure to comply with the obligation to ensure the recording, systematization, accumulation, storage, clarification (updates, changes), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation. With a repeated offense, fines increase:

• from 50 to 100 thousand rubles for individuals;
• from 500 thousand rubles to 1 million rubles for officials;
• from 6 to 18 million rubles for legal entities.

The idea of ​ ​ this bill arose after the claims of Roskomnadzor to the social networks Twitter and Facebook. The companies refused to provide information about the location of the databases of Russian users, for which they could be fined only under Article 19.7 of the Administrative Code of the Russian Federation (failure to provide or untimely submission of information provided for by law) in the amount of 3 thousand rubles. Since a separate article is not provided for violation of such requirements, the only punishment that could be applied is a fine under Article 19.7 of the Administrative Code of the Russian Federation.

2017: Inspectors may impose a fine and request that PD processing be stopped

Inspectors can impose a fine, decide to confiscate uncertified protective equipment or make a demand to stop processing personal data, which can bring significant costs to the enterprise. In addition, a company processing personal data in violation of the law carries risks associated with possible civil lawsuits from personal data subjects, especially in cases of leakage of such data.

Russia Vladimir Putin The President signed a law amending the Code of Administrative Offenses of the Russian Federation, which regulates the protection of personal data. According to the law, the article of the code under number 13.11 received a new edition and a new name - "Violation of the legislation of the Russian Federation in the field of personal data." The changes will take effect on July 1, 2017.

The former title of article 13.11 sounds like "Violation of the procedure established by law for the collection, storage, use or dissemination of information about citizens (personal data)." For relevant violations, there is a punishment in the form of a warning or an administrative fine. For ordinary citizens, the amount of the fine is from p300 to p500, for officials - from p500 to p1 thousand. Legal entities pay from p5 thousand to p10 thousand.

Since July 1, 2017, if the processing of personal data exceeds the scope of cases provided for by law, or is incompatible with the purposes of data collection, then it is followed by punishment in the form of a warning or fine. For ordinary citizens, the fine will be from p1 thousand to p3 thousand, for officials - from p5 thousand to p10 thousand, for legal entities - from p30 thousand to p50 thousand. All this is only if such data processing does not contain a criminal component.

In some cases, legislation requires the written consent of the subject to the processing of personal data. If this consent is not obtained, and the data is nevertheless processed, the offender pays a fine. For citizens, the amount of the fine will be from p3 thousand to p5 thousand, for officials - from p10 thousand to p20 thousand, for legal entities - from p15 thousand to p75 thousand. The same punishment is applied if the composition of the information for the processing of which the subject gave consent is changed.

If the operator does not provide access to the document where his policy regarding the processing of personal data is set out, then this operator receives a warning or pays a fine. For ordinary citizens, the amount of the fine will be from p700 to p1.5 thousand. Officials will pay from p3 thousand to p6 thousand. Individual entrepreneurs will be fined in the amount of p5 thousand to p10 thousand, legal entities - from p15 thousand to p30 thousand.

The time frame for the offender to be prosecuted under article 13.11 is still 3 months, but will now be easier to meet because the procedure has been significantly reduced. The fact is that earlier protocols on violation of this article were drawn up by the prosecutor's office, and from July 1, 2017, officials of Roskomnadzor and its regional divisions will do this.

That is, now Roskomnadzor, having revealed a violation, is applying for a protocol to the prosecutor's office, and it is already sending this protocol to the court. Under the new law, prosecutors fall out of the process. This should speed up the course of such cases. If now fines are often not charged due to the expiration of the statute of limitations, then from July 1, 3 months should be quite enough^[8].

What prevents you from complying with the law?

First, technical problems are a major obstacle. Despite the fact that the obligation to use encryption (cryptographic) means was removed in the new version of the law, operators are obliged to use a set of technical and organizational means of protection in accordance with the class of their system. Moreover, in order to organize appropriate protection, most often the company needs to almost completely update the fleet of technical means. Companies that are specialized or have the appropriate staff can independently implement security systems to protect corporate information, including personal data about counterparties and employees. Other companies that, for one reason or another, do not want to deal with security issues on their own, contact specialized firms. But ultimately, the choice of protections falls on the shoulders of whoever pays for them, and a war of economy and security is inevitable. Compliance with the formal requirements of the FZ-152 does not provide real protection of confidential information, including personal data, from leakage and other internal threats.

Secondly, these are problems with certification. Indeed, from the point of view of legislation, it is not security itself that becomes at the forefront, but the compliance of measures to protect personal data with those defined in the standard. And it is possible that some companies will limit themselves only to licensing costs. Already, having run through the top ten companies from the search engine that are outsourcing in the field of information protection, you can see that most of them focus not on the development of protection systems, but on helping to collect documents to obtain a license.

The third significant problem on the path of successful implementation of the law is the imbalance of the operator market. In fact, it is necessary to distinguish the security requirements for different data sources. Data operators can resemble blind kittens in this situation - all the variety of methods and methods of information protection are summed up by regulators under one comb, and existing market associations solve issues of a narrow circle of companies and do not defend the interests of market participants in general.

Personal Data Protection

Main article: Protection of personal data in Russia

Chronology of events

2023:75% of companies fail to comply with personal data law requirements

On March 1, 2023, the company K2 Integration announced a survey among enterprises on the implementation of the requirements of the federal law "On Personal." data It turned out that 75% of companies have not yet complied with the provisions of the law, which began to operate in September 2022. And almost no one is fully ready to comply with the second part of the amendments, which comes into force on March 1, 2023. More than 100 business representatives from different took part in the survey. industries economies More. here

2022

Mintsifra of the Russian Federation developed rules of cross-border transfer of personal data

In mid-September 2022, the Ministry of Digital Development, Communications and Mass Media of the Russian Federation presented the rules for the cross-border transfer of personal data developed by the department in accordance with the amendments to the law "On Personal Data."

One of the projects of the Ministry of Digital Science defines the conditions and cases under which cross-border data transfer is prohibited or limited. Another draft government decree establishes cases in which operators who transfer personal data abroad are not subject to the requirements to notify the authorized body of this, as well as to prohibit or restrict such transfer.

{{quote 'Such cases, in particular, include ensuring transport security, remission, security and countering crime, defense and other goals determined by the draft resolution, the text of the document says (quote from TASS). }} Another document developed by the Ministry of Digital Science regulates the procedure for making decisions by Roskomnadzor and its territorial bodies to prohibit or restrict the cross-border transfer of personal data "in order to protect the morality, health, rights and legitimate interests of citizens." It assumes that the operator can send a notification of the planned transfer in the form of a paper or electronic document certified by a digital signature. At the same time, as Interfax was told in the Ministry of Digital Science, we are not talking about the transfer of data for each user. Thus, the implementation of the notification will not entail additional costs for operators, the ministry said.

All three documents should enter into force on March 1, 2023.

{{quote 'It is important to note that by the acts placed we do not introduce additional duties for operators, but only specify the provisions of the law regarding the restriction of cross-border data transfer and offer exceptional cases, the Ministry of Digital Industry added^[9] }}

Half of Russian companies are not able to protect personal data of customers

On September 5, 2022, HFLabs announced that despite high-profile personal data leaks, only 50% of Russian companies plan to increase the budget for their protection. At the same time, more than half of the respondents are not sure that the personal information of their clients is safe.

HFLabs interviewed representatives of 172 Russian companies to understand how the business responds to high-profile leaks and whether it plans to change its approaches to working with personal data. 53% of respondents said that "leaks are likely" in their company, and another 9% reported that they were already happening. And only 37% of respondents are confident that there will be no leakage of customer data in their organization. Read more here.

2021: Hyde from ARinteg: How to simply resolve the issue of reporting under No. 152 of the Federal Law "On the Protection of Personal Data"

What is needed to close the question on the requirements of the FZ-152 "On the protection of personal data"? Memorize the duties of the "operator" by heart, set deadlines for the delivery of documentation (which must be drawn up) and mark in red in the calendar of 12-hour working days of accelerated preparation before checking "from above." Or can you do it differently?

Main article: Hyde from ARinteg: How to simply resolve the issue of reporting under No. 152 of the Federal Law "On the Protection of Personal Data"

2020

Rules for storing data on the Internet have been established in Russia

In September 2020, Prime Minister Mikhail Mishustin signed a decree on the rules for storing data on the Internet. The corresponding document is published on the official portal of legal information.

By a decree of the Government of the Russian Federation, the rules for storing information on the facts of receiving, transmitting, delivering and (or) processing voice information, written text, images, sounds, video or other electronic messages of Internet users and information about these users by the organizers of the distribution of information on the Internet (ARI) and providing it to authorized state bodies carrying out operational-search activities or ensuring the security of the Russian Federation

The ARI includes not only instant messengers, postal services and social networks, but also, for example, sites on which you can leave comments.

The document, which will enter into force on January 1, 2021, determines the composition of the information to be stored. In addition, it defines the types of requests of special services for obtaining information and the procedure for sending them and describes the forms of data transfer and the procedure for interaction between the parties, etc.

According to Article 10.1, the organizer of information dissemination on the Internet is a person who carries out activities to ensure the functioning of information systems and (or) programs for electronic computers, which are intended and (or) used for receiving, transmitting, delivering and (or) processing electronic messages of Internet users.

The rules define the concepts of "authorization," "user identification in an Internet communication service," "Internet communication service," "registration" and "exact time." On the Internet, you can store information such as

• User ID in the Internet Communication Service
• information on registration data;
• authorization facts:
• Phone and e-mail numbers
• data on paid services provided, etc.^[10]"

FSSP decided to forcibly collect fines from Facebook and Twitter for refusing to localize data

The bailiffs opened cases of forced recovery from Facebook and Twitter of fines imposed by the court in the amount of 4 million rubles for refusing to localize the data of Russian users of social networks on the territory of the Russian Federation.

The relevant information appeared in the Data Bank of Enforcement Proceedings of the Federal Bailiff Service (FSSP).

According to the documents, the procedure will be carried out by employees of the Office for the Execution of Particularly Important Enforcement Proceedings of the FSSP.

In mid-March, court decisions on administrative fines of 4 million rubles against Facebook and Twitter came into force for refusing to localize data from Russian users of social networks in the Russian Federation. The 60 days provided by law to pay fines have expired. Facebook did not comply with the court's decision. It is not known whether Twitter paid the fine. Both companies have not yet responded to relevant requests from Interfax.

In the spring of 2019, Facebook and Twitter were already fined by the court for failure to provide information (Article 1.7 of the Administrative Code of the Russian Federation) on the implementation of the requirements of the legislation on the localization of personal data of Russian users on the territory of the Russian Federation. Then the world section of the Tagansky district fined companies 3 thousand rubles.

In December 2019, amendments to the Code of Administrative Offenses were adopted, which strengthened responsibility for violation of the requirements for the storage of personal data. Now, for such violations, the primary fine for legal entities is from 1 to 6 million rubles, for repeated violations - from 6 to 18 million.

The court fined Twitter 4 million rubles for refusing to transfer servers to Russia

On February 13, 2020, the magistrate's court To Moscow imposed Twitter a fine for refusing to transfer the social network RUSSIAN FEDERATION servers to the data of Russian users.

To recognize a foreign legal entity Twitter Inc. (registered in California, USA) guilty of an administrative crime and impose a fine of 4 million rubles, - Judge Alexander Mikhalev announced the decision (quoted by RIA Novosti).

A marketplace has been created in Russia to sell these Russians to companies

At the end of January 2020, it became known about the launch of the Datamania platform, developed by IDX and allowing Russians to earn money by selling their data. The Internet Initiatives Development Fund (IIDF) and the Israeli investment fund Human Digital Capital invested 50 million rubles in this project. The total investment in Datamania in three years will amount to 250 million rubles.

2019

In Russia, a "White Paper" will be created with examples of responsible data handling

The Analytical Center under the Government of the Russian Federation signed the Code of Ethics for the Use of Data in December 2019. The document was prepared with the participation of the Big Data Association and the Institute for Internet Development.

According to the plan of the initiators of the development of the Code, the provisions of the document will become the basis for self-regulation of data market participants when they interact with citizens, legal entities, the state and among themselves. The document applies to work with all types of data: from user to industrial.

Main article: Code of Ethics for the Use of Data

Rospotrebnadzor will protect skin, hair and blood as personal data

At the end of November 2019, it became known that Rospotrebnadzor attributed skin, hair and blood to personal data for protection by law. Such biomaterials can only be used with the written consent of a person.

As the head of Rospotrebnadzor Anna Popova told Rossiyskaya Gazeta, the law "On Personal Data" has a gap that allows you to collect genetic information (for example, about health, lifestyle and nutrition, as well as behavioral features) and use it for criminal purposes. Therefore, any genetic information about Russians should be protected from getting into third hands.

It becomes possible to use personal information about living conditions and behavioral features, about health and family secrets - establishing paternity, the child's gender, and so on without taking into account the opinion of the owner of personal data, - said Popova.

By the end of November 2019, the law defines only a general ban on the processing of certain categories of personal data without consent. It does not say about biomaterials, so they can be collected uncontrollably, the department said.

Biomaterials include any human tissue and fluids (hair, skin, nails, etc.) that contain DNA.

Rospotrebnadzor has developed a bill implying that biological materials will relate to personal data, so they will be subject to appropriate legislation. For example, it is assumed that Russians will have to give written permission to use their bio-data.

These changes, according to the head of Rospotrebnadzor, comply with the requirements of international legislation and approaches to regulatory regulation in the field of circulation of biological material and the information contained in it used in international practice.^[11]

Operators in Russia were obliged to immediately block sites that violate the law on personal data

On November 18, 2019, a government decree was published on the official Internet portal of legal information, according to which telecommunications companies will have to immediately block access to sites on which personal data is processed in violation of Russian law.

After receiving information processed in violation of the law, the telecom operator is immediately obliged to restrict access to the information resource, including to the site on the Internet, on which information is processed in violation of the legislation of the Russian Federation in the field of personal data, the document says.

The Resolution "On Amending the Rules for the Creation, Formation and Maintenance of an Automated Information System Register of Violators of the Rights of Personal Data Subjects" was signed by Prime Minister Dmitry Medvedev on November 13, 2019.

The register was created in order to restrict access to information on the Internet processed in violation of the legislation of the Russian Federation in the field of personal data.^[12]

In the first 9 months of 2019, Roskomnadzor revealed more than 2.4 thousand violations by personal data operators. As a result of the inspections, 4 thousand administrative protocols were drawn up, fines were imposed in the amount of 2.6 million rubles. In addition, access to 1 thousand 97 Internet pages where illegal distribution of personal data was carried out was limited.

On November 7 , the head of Roskomnadzor, Alexander  Zharov, said that the department was preparing legislative proposals to introduce responsibility not only for the distribution of stolen personal data, but also for their purchase and further use. Zharov said that at that time about 400 thousand companies, including transnational giants, store their data in Russia.

Rospotrebnadzor proposed to equate genetic data with personal

The Russian government approved in July 2019 a bill on the peculiarities of processing personal data of a person obtained from his genetic material. According to the document, data characterizing a person's genetic characteristics should be equated with personal ones and protected accordingly^[13].

The author of the bill is Rospotrebnadzor. The document proposes to amend Art. 11 of the Federal Law "On Personal Data" of July 27, 2006 in terms of the processing of biometric personal data.

If passed, the bill will close the gap in legislation in the field of protecting information about a person obtained from his biomaterial containing genetic information. Such information allows a third party to get acquainted with additional data about a person, for example, about the state of health, lifestyle, sensitivity to drugs and allergens, etc. In this regard, the authors of the initiative proposed to equate such information with personal data, to which additional protection measures should be applied.

The purpose of the bill is to ensure compliance with the constitutional rights of citizens in the field of relations related to the processing of personal data containing information about the genetic characteristics of a person.

See also:

• Genetic data banks (biobanks, biorepositories, storing biological samples)
• Genetic engineering (genetic engineering)

2017

Facebook and Twitter will comply with the requirements of Russian legislation

Large American companies Facebook and Twitter will comply with the requirements of the law "On Personal Data." Facebook plans to create a Russian representative office, and Twitter will transfer servers with personal data of Russians to the territory of the Russian Federation, Izvestia reported in November 2017, citing its sources.

According to representatives, the Roskomnadzor department received a letter from Twitter confirming the readiness of the social network to localize databases in the Russian Federation by mid-2018. The implementation of the agreement is under constant monitoring of the service, but so far no control measures are planned, the department noted.

According to the interlocutors of the publication, Facebook also decided to fulfill the requirements of the legislation and is preparing to open its representative office in Russia. Company representatives are looking for an office and head of the local division in Russia. According to experts, this step may be due to the fact that Facebook's earnings on the Russian market have become quite significant for the company. In 2016, Facebook could earn in Russia from $70 million to $100 million, an increase in this indicator in 2017 could be 25-30%. At the same time, it is not known whether Facebook is going to follow the example of Twitter and transfer servers with personal data of Russians to the territory of the Russian Federation.

Analysis of typical violations in the field of personal data

According to the regulator, the most common violation in this area is the provision by the operator of a notification on the processing of personal data containing incomplete or inaccurate information. In second place is the failure to take measures to fulfill the obligations provided for by the Law "On Personal Data."

The results of 65% of scheduled inspections conducted in the first half of 2017 revealed violations of the mandatory requirements of the legislation of the Russian Federation in the field of personal data

Submission to the authorized body of a notification on the processing of personal data containing incomplete and (or) inaccurate information - 11%
Part 3 of Art. 22 of the Federal Law of 27.07.2006 No. 152-FZ "On Personal Data"

• 1) name (surname, first name, patronymic), address of the operator;
• 2) purpose of personal data processing;
• 3) categories of personal data;
• 4) categories of subjects whose personal data are processed;
• 5) the legal basis for processing personal data;
• 6) a list of actions with personal data, a general description of the methods of processing personal data used by the operator;
• 7) description of measures provided for by Articles 18.1 and 19 of this Federal Law, including information on the presence of encryption (cryptographic) means and the name of these means;
• 7.1) the surname, first name, patronymic of an individual or the name of the legal entity responsible for organizing the processing of personal data, and their contact phone numbers, postal addresses and email addresses;
• 8) date of the beginning of processing of personal data;
• 9) period or condition of termination of personal data processing;
• 10) information on the presence or absence of cross-border transfer of personal data during their processing;
• 10.1) information on the location of the database of information containing personal data of citizens of the Russian Federation;
• 11) information on ensuring the security of personal data in accordance with the requirements for the protection of personal data established by the Government of the Russian Federation.

Failure by the operator to take measures necessary and sufficient to ensure the fulfillment of the obligations stipulated by Federal Law No. 152-FZ "On Personal Data" of July 27, 2006 and the regulatory legal acts adopted in accordance with it - 9%
Part 1 of Art. 18.1 of the Federal Law of 27.07.2006 No. 152-FZ "On Personal Data"

The Operator shall independently determine the composition and list of measures necessary and sufficient to ensure the fulfillment of the duties stipulated by this Federal Law and the regulatory legal acts adopted in accordance with it, unless otherwise provided by this Federal Law or other federal laws.

Non-compliance of standard forms of documents, the nature of information in which implies or allows the inclusion of personal data in them, with the requirements of the legislation of the Russian Federation - 7%
item a, paragraph 7 of the Regulation on the peculiarities of personal data processing carried out without the use of automation means, approved by the Decree of the Government of the Russian Federation dated 15.09.2008 No. 687

The standard form or related documents (instructions for its filling, cards, registers and logs) shall contain the following information:

• on the purpose of personal data processing carried out without the use of automation means,
• name (s) and address of the operator,
• surname, first name, patronymic and address of the personal data subject,
• source of personal data,
• terms of personal data processing,
• list of actions with personal data that will be performed during their processing,
• general description of the methods of processing personal data used by the operator.

"" Failure to submit to the authorized body information about the termination of processing of personal data or about changing the information contained in the notification about the processing of personal data - 7% "'

According to Part 7 of Art. 22 of the Federal Law of 27.07.2006 No. 152-FZ "On Personal Data" in the event of a change in information, the operator is obliged to notify the authorized body for the protection of the rights of personal data subjects within ten working days from the date of such changes or from the date of termination of personal data processing, as specified in Part 3 of this Article, as well as in case of termination of personal data processing.

"'Operator's failure to comply with the requirements for informing the processing persons personal data without automation - 6% "'
Clause 6 of the Regulation on the peculiarities of processing personal data carried out without the use of automation means, approved by Decree of the Government of the Russian Federation of 15.09.2008 No. 687

The following shall be informed:

• the fact of their processing of personal data, the processing of which is carried out by the operator without the use of automation means,
• categories of personal data processed,
• on the specifics and rules of such processing established by regulatory legal acts of federal executive bodies, executive bodies of constituent entities of the Russian Federation, as well as local legal acts of the organization (if any).

Non-compliance of the content of the written consent of the personal data subject to the processing of personal data with the requirements of the legislation of the Russian Federation - 6%
Part 4 of Art. 9 of the Federal Law of 27.07.2006 No. 152-FZ "On Personal Data"

Shall include:

• 1) the surname, first name, patronymic, address of the personal data subject, the number of the main document certifying his identity, information about the date of issuance of the specified document and the authority issuing it;
• 2) surname, first name, patronymic, address of the representative of the personal data subject, number of the main document certifying his identity, information on the date of issuance of the specified document and the issuing authority, details of the power of attorney or other document confirming the authority of this representative (upon receipt of consent from the representative of the personal data subject);
• 3) the name or surname, first name, patronymic and address of the operator who receives the consent of the personal data subject;
• 4) purpose of personal data processing;
• 5) a list of personal data to be processed with the consent of the personal data subject;
• 6) the name or surname, first name, patronymic and address of the person processing personal data on behalf of the operator, if the processing is entrusted to such person;
• 7) a list of actions with personal data, for which consent is given, a general description of the methods of processing personal data used by the operator;
• 8) the period during which the consent of the personal data subject is valid, as well as the method of revoking it, unless otherwise established by federal law;
• 9) signature of the personal data subject.

Operator's absence of a place (s) for storing personal data (material media), a list of persons processing personal data or having access to it - 6%
Clause 13 of the Regulation on the peculiarities of processing personal data carried out without the use of automation means, approved by Decree of the Government of the Russian Federation of 15.09.2008 No. 687.

Twitter transfers personal data of users to Russia

In April 2017, it became known that the social network Twitter will begin to store the personal data of Russians at its disposal in Russia, as required by the law "On Personal Data." The transfer of information to Russian servers is planned to be carried out by mid-2018. Now the company is determining which data will be moved. This was announced by Roskomnadzor, which received a letter of notification from Twitter Vice President for Public Policy in Europe, Asia and the Middle East Sinead McSweeney.

The court considered the transfer of impersonal data a violation of the law

Roskomnadzor revealed violations in connection with the transfer of user data. As the representative of the regulator Ampelonsky Vadim told Izvestia, we are talking about numerous facts of the conclusion of agreements by operators on the transfer to third-party companies. This was discovered after inspections conducted by Roskomnadzor on behalf of the president. The exact number of violations and violating companies is not reported.

It is known, however, that MGTS collected data on user traffic, assigning an individual number to each of them, and transmitted them to partners. Despite the fact that the data was impersonal and included searches and addresses of the pages visited, the court decided that this was enough to identify specific users. Based on this, users are shown personalized advertising.

"The advertiser personally directs certain ads depending on the preferences of the subject, viewed Internet pages, goods, works, services, etc.," the publication quotes an excerpt from court materials.

According to the newspaper, the operator was fined 30 thousand rubles. The company does not agree with the decision, but the data transfer was terminated.

"MGTS did not transmit information about subscribers to third parties. It was only about impersonal data. Such information is constantly accumulated in search engines without the consent of users, and it is impossible to control its further transmission. It is possible to prohibit the use of such impersonal information only by law, "said Ivan Nikitina, director of legal support at MGTS

.

Vadim Ampelonsky also noted that the issue of using such information is not sufficiently settled. In turn, market representatives believe that inspections indicate the beginning of work to tighten legislation in this area.

2016

LinkedIn blocked in Russia

A network of professional contacts LinkedIn has been blocked in Russia. The court closed access to the service at the suit of Roskomnadzor: the department did not like the fact that the company still stores personal data of Russian users on servers located outside the Russian Federation. The regulator issued an order to block LinkedIn to providers on November 17. Blocking applies to both the site and the mobile application of the social network.

Read more. here

The Ministry of Telecom and Mass Communications of Russia wants to tighten the consent procedure for the processing of personal data

The Russian Ministry of Communications and Mass Media advocated tightening the procedure for giving consent to the processing of personal data at the legislative level.

The procedure for giving consent to the processing of personal data should be legally tightened. This position of the department was expressed by Deputy Minister of Communications of the Russian Federation Aleksei Sokolov.

The official stressed that "our citizens often give this kind of consent without a clear understanding of the legal consequences and their possible future use." It is for this reason that the ministry came up with a similar initiative - within the framework of the law to improve both the procedure itself and the procedure for giving consent to the processing of personal information. Moreover, as Sokolov noted, at the moment, the possibility of creating a state resource on which citizens would record data consents to the processing of personal information in order to control their use is being worked out.

Ministry of Digital Development, Communications and Mass Media also proposes at the legislative level to distinguish and develop approaches to regulatory regulation of the processing of personal data, an impersonal array of personal data and the results of the activities Internet of things. The official notes: "One of the most discussed problems is, so-called. big data The current legislation does not contain such or similar in meaning of the concept, but establishes that the processing of personal data is allowed to achieve specific, predetermined goals, after which they are subject to depersonalization or destruction. Thus, a huge array of impersonal personal data is accumulating in Internet services that do not allow you to identify yourself. In addition, the rapid development of the Internet of things, various types of meters, sensors, household appliances generates a significant amount of another type of data, which also cannot be attributed to personal data. Taking this into account, it is necessary at the legislative level to work out the issue of delineation and develop various approaches to regulatory regulation of the processing of personal data, an impersonal array of personal data and the results of the Internet of Things. Our proposals will be ready in the first half of 2017, "the Ministry of Telecom and Mass^[14]

The powers to oversee the processing of personal data of Russians will be given to the ILV

Russian Prime Minister Dmitry Medvedev instructed the government in the summer of 2016 to submit to the State Duma a bill prepared by the Ministry of Telecom and Mass Communications that would give Roskomnadzor the necessary powers to monitor and supervise the processing of personal data. Such information is contained in the materials of the government.

It is noted that the bill is aimed at eliminating legal uncertainty in the legislation. So, at the moment in Russia, the obligation to control the processing of personal data of citizens in accordance with the law is not assigned to any body. They want to assign these powers to Roskomnadzor.

2012: Dmitry Medvedev approves changes to data protection requirements

On November 1, 2012, Russian Prime Minister Dmitry Medvedev approved changes in the requirements for the protection of personal data when they are processed in personal data information systems. The corresponding document was published on the website of the Russian government.

Market participants argue that although the measures will have a positive effect on the industry as a whole, they are clearly not enough and they are still too conservative.

A government decree establishes four levels of personal data security when processed in information systems and requirements for each of them. The classification of information systems to a particular level of security is carried out depending on the type of personal data that the information system processes (special, biometric, public, other), the type of current threats (1st, 2nd, 3rd), the number of personal data subjects processed by the information system and whether personal data are processed about the operator's employees.

The decree also establishes the requirement to use information protection tools that have passed the procedure for assessing compliance with the requirements of the legislation of the Russian Federation in the field of information security, in case the use of such tools is necessary to neutralize current threats.

The document will allow operators of information systems processing personal data to determine the required level of personal data security, which will further greatly simplify the procedure for determining the necessary and sufficient measures to protect personal data from illegal or accidental access to them, destruction, modification, blocking, copying, distribution of personal data, as well as from other illegal actions.

According to Microtest Sergei Borisov, leading information security engineer of the system integration department of the company, the new government decree reduced the number of mandatory requirements to 14 against 34 in the previous document. "However, in my opinion, the new resolution did not make life easier for companies," said Sergei Borisov. - the most burdening requirement - the need for certification of CSR - remained mandatory for all ISDS. "

"The next point is the classification of the ISPD," he continued. - If earlier the operator could choose the classification of a typical personal data base according to the table or the classification of a special personal data base according to the results of the threat model, now there is no choice. The level of security is always determined based on the relevance of threats. The operator is unlikely to be able to determine them on his own - he will have to contact a higher organization or a consultant. "

Another problem of the new decree, Sergei Borisov sees the loss of legal significance of most of the documents of the FSTEC R and the FSB R, developed in pursuance of the canceled decree. "Without new documents, it will not even be possible to establish levels of security. This means that PP No. 1119 is still useless, "Borisov summed up.

Sergei Borisov sees in the new government decree a potential increase in the costs of companies for the protection of personal data due to the fact that most of the data that used to be insignificant are now transferred to another category that requires a higher degree of protection.

Experts of the Russian Association of Electronic Communications are confident that currently the legislation on personal data does not take into account the current level of Internet development and significantly slows down the development of e-commerce and cloud services in the Russian Federation.

RAEK continues to insist on the creation of an interdepartmental working group with the participation of representatives of the Internet industry, information security experts, representatives of the Ministry of Communications of the Russian Federation, the Ministry of Economic Development of the Russian Federation, the FSB, FSTEK, Roskomnadzor to more clearly formulate the positions of the industry on legislation and its changes. In particular, in the provision in accordance with international law and standards of existing documents and regulations.

2011

Housing Code and Personal Data

On June 16, 2011, the Federal Law of June 4, 2011 No. 123-FZ "On Amendments to the Housing Code of the Russian Federation and Certain Legislative Acts of the Russian Federation" entered into force, Article 5 of which introduced the next novella to the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data."

The amendment has undergone part 2 of article 6 of the FZ-152, supplemented by a new paragraph as follows:

"5.1) the processing of personal data is necessary for management organizations, homeowners' associations, housing cooperatives, housing and construction cooperatives or other specialized consumer cooperatives that manage apartment buildings in accordance with the Housing Code of the Russian Federation, or for persons with whom the owners of premises in an apartment building under the direct management of an apartment building concluded contracts for the provision of services and (or) carrying out works on maintenance and repair of common property in this house, or persons with whom the owners of premises in an apartment building under direct management or the owners of residential buildings have entered into contracts for the provision of utilities, or persons engaged on the basis of contracts to make settlements with the owners of premises in an apartment building, owners of residential buildings, employers of residential premises of the state or municipal housing stock for the maintenance and repair of common property in an apartment building, residential buildings and utilities;... "

The above paragraph supplemented a number of situations when the personal data operator is not required to obtain the consent of the subject to the processing of personal data.

On the

one hand, this amendment logically fits into the new legal regime for managing apartment buildings, which at the level of federal legislation enshrines the rights and obligations of participants in relevant public relations and determines the specifics of these relations. From the point of view of the legislation on personal data, the considered change does not make fundamental changes to the existing regime for regulating the processing and protection of personal data, but to a certain extent simplifies the life of numerous organizations that manage apartment buildings, as well as the provision of utilities and settlements with the owners of the premises.

On the other hand, the appearance of the next exception leads to sad thoughts about the integrity and applicability of the norms of the institution of consent of subjects to the processing of their personal data. The text of the amendment clearly stipulates the condition that there is no need to obtain consent: personal data are processed in connection with the norms of the Housing Code of the Russian Federation or in connection with the provisions of the relevant agreement. But the above condition actually duplicates the content of paragraphs 1 and 2 of part 2 of article 6 FZ-152. Thus, the legislator descends from the level of regulation of typical situations (for example, the processing of personal data in connection with the implementation of the provisions of the contract) to the level of regulation of specific situations (contractual relations in the field of housing and communal services). In addition, there is a devaluation of the meaning and value of other norms of the institution of consent of subjects to the processing of their personal data (in particular, paragraphs 1 and 2 of Part 2 of Article 6 FZ-152).

Draft Federal Law "On Amendments to Certain Legislative Acts of the Russian Federation" No. 535056-5

The draft federal law "On Amendments to Certain Legislative Acts of the Russian Federation" No. 535056-5 proposes to bring into line the legislation of the Russian Federation with the norms of paragraph 2 of Article 7 of Federal Law No. 210-FZ "On the organization of the provision of state and municipal services" that come into force on July 1, 2011. In accordance with this rule, the bodies providing state services and bodies providing municipal services are not entitled to demand from the applicant the provision of documents and information that are at the disposal of state bodies, local governments.

Paragraph 2 of Article 1 of the above draft law specifies the procedure and conditions for processing personal data of applicants and other persons in connection with the provision of state or municipal services. In particular, it is proposed to consolidate in Art. 7 of the Federal Law "On the organization of the provision of state and municipal services," the norm according to which: "For processing by state bodies, local authorities and organizations participating in the provision of state and municipal services provided for in Part 1 of Article 1 of this Federal Law, personal data available to such bodies and organizations for the provision of such personal data to the body (organization) providing a state or municipal service at the request of the applicant, it is not required to obtain the consent of the personal data subject, at whose request the processing is carried out, in accordance with the requirements of paragraph 1 of part 2 of Article 6 of the Federal Law of July 27, 2006 No. 152-FZ "On Personal Data."

The applicant's request to the authority (organization) for the provision of state or municipal services shall be equal to the consent of such applicant with the processing of his personal data in order to provide the authority (organization) with the relevant state or municipal services. In the event that the provision of state or municipal services requires the provision of documents and information about other persons who are not the applicant, when applying for state or municipal services, the applicant shall additionally submit documents confirming his authority to act on behalf of these persons (their legal representatives) and expressing the consent of these persons (their legal representatives) to the processing of personal data of such persons. "

Comment from InfoTechnoProekt: According to Part 1 of Art. 6 of the Federal Law "On Personal Data," the main condition for processing personal data of subjects is the consent of the subject himself. Part 2 of the above article establishes cases when the consent of the personal data subject is not required. In the above quote from the text of the draft law there is a direct indication of one of such exceptions, when the processing of personal data is carried out on the basis of the federal law establishing its purpose, the conditions for obtaining personal data and the circle of subjects whose personal data are to be processed, as well as the determining authority of the operator. Thus, personal data operators (... "state bodies, local governments and organizations involved in the provision of... state and municipal services... ") will be relieved of the need to obtain the consent of the subject to the processing of his personal data, at the request of which processing is carried out. Nevertheless, hereinafter, the authors of the bill propose to consider the request of the subject (applicant) for the provision of state or municipal services to him equivalent to the consent of the applicant with the processing of his personal data. The need for this clarification seems doubtful in light of the above reference to the absence of the need to obtain the consent of the subject. The introduction of such a clarification casts doubt on the existence of any Federal laws (except for the Labor Code of the Russian Federation), which can generally be considered subject to the exception provided for in Clause 1 of Part 2 of Article 6 No. 152-FZ.

Internet censorship (control)

Шаблон:Main 'Internet censorship (control). World Experience Шаблон:Main 'Internet censorship (control). Russian Experience

See also

• Regulation of personal data in the Russian Federation
• Processing of personal data in Russia
• Personal Data Law No. 152-FZ
• Protection of personal data in Russia
• Protection of personal data in countries of the world
• GDPR (EU Personal Data Regulation)
• Data Code of Ethics
• Datamania

Notes