Processing of personal data in Russia
On September 1, 2015, a provision came into force in Russia obliging personal data operators to process and store personal data of Russians using databases located on the territory of the Russian Federation.
Data economics
Main article: Data economics and digital transformation of the state (national project)
Personal Data Protection
Data depersonalization
Main article: Data depersonalization
Chronicle
2024
Roskomnadzor plans to introduce mandatory standards for the processing of personal data, allowing only the necessary information to be collected
In October 2024, the Federal Service for Supervision of Communications, Information Technology and Mass Media announced the introduction of mandatory standards for the processing of personal data. The aim is to allow organizations to collect only the data they need to perform specific tasks.
According to RBC, the collection of personal data will be possible solely on the basis of the law, and not by the consent of citizens. Organizations will be able to receive the necessary information through authorized bodies instead of direct collection from users.
Alexander Khinshtein, Chairman of the State Duma Committee on Information Policy, noted that in Russia more than 5 million legal entities, including individual entrepreneurs, are personal data operators, but not all are able to ensure their proper protection.
Kristina Mkrtchyan, advisor to the intellectual property practice of the EBR law firm, points out the similarity of the proposed approach with the principle of minimizing data in the European GDPR regulation. The expert emphasizes the need to provide companies with sufficient time to adapt to new requirements.
The founder of Privacy Advocates, Alexei Muntyan, considers the initiative an important step in improving the protection of personal data in Russia, while noting possible resistance from business due to the potential impact on income and development.
Director of Analytics of ANO "Digital Economy" Karen Ghazaryan notes that Roskomnadzor as a supervisory authority does not have the authority to issue standards, which will require amendments to the legislation.
For violation of the rules for the protection of personal data, fines of up to ₽300 thousand are established for individuals and up to ₽1 million for legal entities. Criminal liability for violation of privacy provides for imprisonment for up to five years.[1]
Khinshtein explained how special personal data operators will work
The head of the State Duma Committee on Information Policy, Alexander Khinshtein, explained the principles of work of special personal data operators, the creation of which is being discussed in Russia. The deputy shared information in October 2024, stressing the need to strengthen the protection of personal information of citizens in the context of cyber war against the country.
According to Khinshtein, as reported by RBC, more than 5 million legal entities are engaged in the processing of personal data in Russia, which makes it difficult to ensure the proper level of information protection. In this regard, it is proposed to create trusted special operators who will be able to store personal data of organizations that are not able to independently ensure their safety.
The deputy compared the principle of operation of such operators with a bank repository, where professionals controlled and verified by the state will deal with the safety of data. At the same time, information owners will always be able to access it through secure channels.
Khinshtein noted that without the threat of inevitable punishment and financial sanctions, businesses, especially small ones, will continue to save on security, which leads to data leaks and violation of citizens' rights.
In August 2024, Roskomnadzor identified criteria for potential authorized personal data operators. According to these requirements, operators must process at least 100 thousand records, have at least five employees with specialized higher education and financial support in the amount of ₽100 million to compensate for possible losses from leaks.
Special operators will be prohibited from profiting from storing other people's databases, and their activities will be limited to the territory of Russia.[2]
The Ministry of Digital Development of the Russian Federation will allow telecom operators and banks to use state data
On October 9, 2024, it became known that the Ministry of Digital Development of the Russian Federation would determine the procedure for providing state data to telecom operators and banks. The use of such information is expected to assist market participants in conducting marketing research and risk assessment.
According to the Kommersant newspaper, the order to develop rules for organizing companies' access to government data came from Deputy Prime Minister Dmitry Grigorenko. The requirements will be worked out by the Ministry of Digital Development and other federal authorities together with the Big Data Association (ABD), which unites Yandex, VK, Rostelecom, MegaFon, etc.
The order refers to a wide set of information. These are, in particular, data on real estate objects, on the validity of citizens' passports, information on labor activity in the compulsory pension insurance system, on the state of the individual insurance account, on the subscriber of the telephone number, on the owners of vehicles, on road accidents, on driver's licenses, SNILS, etc. Access to this data is planned to be provided to telecom operators and banks that "provide services within the framework of digital ecosystems."
The ABD believes that the initiative will create incentives for businesses to invest in the development of data-based services. The managing partner of Comply, Artyom Dmitriyev, believes that the project does not contradict the law on personal data and "may fit into the legal structures provided for by law." At the same time, experts point to the need for integrated security. The head of the consulting and audit department of Angara Security, Alexander Khonin, says that the security of information will depend on the level of cybersecurity of the company to which state data is transferred.[3]
Roskomnadzor creates an institute of authorized personal data operators
In early August 2024, it became known that Roskomnadzor and the State Duma Committee on Information Policy, Information Technologies and Communications were creating an institute of authorized personal data operators. It is assumed that the initiative will ensure the protection of information from leaks.
According to the Vedomosti newspaper, the head of the specified committee, deputy Alexander Khinshtein, spoke about the project. According to him, "those legal entities should appear, those structures that, in terms of their professional readiness and confirmation of the quality of their work by authorized bodies, will be able to store personal data of others." It is noted that from the point of view of the Law "On Personal Data" (152-FZ), the operator of such information is anyone who processes it.
Considering that there are more than 5 million legal entities in Russia, including individual entrepreneurs, each of them is a personal data operator. These are telecom operators, hotels, shops, retail chains, banks, all those who have data on more than two citizens. Not every company that processes personal data is ready to invest in their protection, says Khinshtein.
It is assumed that personal data will be transferred to a certain "authorized person." Such a structure will operate "by analogy with bank storage."
Kirill Semion, General Director of the National Competence Center for Holding Information Management Systems, believes that the creation of personal data operators in Russia is interesting for companies from the medium and small business segment, since it is difficult for them to bear the additional costs of high-quality protection of such information. Semion believes that large corporations, most likely, will not use the services of personal data operators due to "the desire to have a full guarantee of compliance with commercial secrets."[4]
A mechanism has been developed for revoking consents to the processing of personal data "in one click"
At the end of June 2024, it became known that Roskomnadzor intends to simplify the procedure for revoking citizens' consents to the processing of their personal data. To do this, it is proposed to implement a one-click mechanism.
Milos Wagner, deputy head of Roskomnadzor, spoke about the initiative, according to the Kommersant newspaper. According to him, most consents to the processing of personal data as of mid-2024 are requested "not in the interests of a person." The information collected about individuals can end up "in 20-30 organizations," where it is used for various purposes.
We see ugly cases when a person agrees to data processing within a second, and behind the link there is a multi-page document of 80 sheets, says Wagner.
Alexandra Orekhovich, director of legal initiatives at the Internet Initiatives Development Fund, emphasizes that a citizen "at any time has the right to withdraw consent to the processing of his personal data." However, the form of recall is not defined at the legislative level. Therefore, a citizen who gave consent with a "tick" must submit an application in writing at the organization's office. Moreover, even with the withdrawal of consent, the operator has the right to continue to process the data if he and the individual have contractual relations.
The Roskomnadzor initiative assumes that the data "should not be redundant in relation to the processing goals." To achieve this, mandatory standards for working with personal information need to be created. The mechanism of simplified revocation of data processing permissions can be implemented through the consent management platform based on the "Public services" portal, which the Ministry of Digital Development announced in the spring of 2024. At the same time, market participants say that the proposed changes will provoke additional costs for the restructuring of information systems.[5]
The Ministry of Digital Development of the Russian Federation has determined the rules for writing materials about affected children
On June 1, 2024, the Ministry of Digital Development of the Russian Federation published methodological recommendations for the preparation and publication of materials containing information about minors who suffered from illegal actions or inaction. The main task is the maximum protection of the identity of the injured child. At the same time, certain information is strictly prohibited from being disseminated.
The recommendations of the Ministry of Digital Development say that when writing materials about affected children, one should rely on moral and ethical standards so as not to harm the child both at the time of publication and in the future. It is prohibited to disclose information such as full name, date of birth, place of residence or temporary stay, as well as place of study or work. In addition, it is prohibited to distribute photo and video images of a child or his parents or legal representatives, audio recordings of voice and other information that allows the child to be identified, such as posts on social networks, a nickname, an avatar, comments from friends or fragments of correspondence.
At the same time, according to TASS, exceptions are provided. This information can be disseminated if the purpose of the publication is to protect the rights and interests of a minor. In this case, it is necessary to obtain written consent for publication from the child himself, if he has already reached 14 years old, or his legal representative.
The Ministry of Digital Development document states that the authors of materials about affected children should avoid details and accents that "contribute to the popularization of destructive behavior among minors." "Socially dangerous information" includes calls for suicide, actions against life or health (beatings, mass fights and shooting in public places), child pornography, pro-drug content, information about the manufacture of explosives, etc. When it comes to crimes against sexual inviolability and sexual freedom of a minor, the authors should not allow the disclosure of data on the privacy of participants in the criminal process without their consent.[6]
2023
The number of requests to delete personal data from the network is growing
In Russia, an increase in applications for legal assistance on the illegal distribution of personal data on the Internet was recorded. Users are asking to remove references to any identifiers of their identity. This was announced on January 25, 2024 by the press service of Russian State Duma deputy Anton Nemkin.
In 2023, the number of requests from individuals to protect the right to delete personal data published without their consent, as well as to protect honor and dignity in the event of negative publications and defamatory information, increased by 10-15%, according to data from the BVMP law firm and the legal service DestraLegal.ru.
According to the adviser to the BVMP Susana Kirakosyan, the increase in appeals is associated, among other things, with the increased incidence of leaks of personal information. Kirakosyan emphasizes that "it is more interesting for the victim to ensure the protection of his rights not by administrative, but by private legal measures." That is, citizens will prefer to apply for the removal of personal information on the network, as well as for the payment of compensation for moral damage. In case of non-compliance with the requirements, a trial can be initiated.
Every fifth appeal refers to the topic of illegal processing of personal data of citizens, 7% of appeals on the topic of unwanted advertising, and every twentieth - on the protection of honor and dignity, - said the press service of the center.
In 2022, the numbers were slightly different - 140 leaks were discovered, but 600 million records were freely available. Despite the fact that the number of records has halved, the number of "merged" data continues to amaze with its scale. Therefore, the desire of citizens to protect themselves and remove any information from the general access is completely understandable, - said the deputy.
This is due to the scale of digitalization. Internet services and applications are becoming something that we cannot do without in everyday life. At the same time, almost all applications aggregate terabytes of user information, so it will be possible to fully eliminate your digital footprint only in the event of a complete rejection of digital technologies, - he explained.
Rather, it is worth talking about the development of a conscious approach
A significant part of citizens for a long time was rather uncritical about the information that they transmit. Many even prefer to automatically click on the "agree" button, without even getting acquainted with the points of consent for the processing of data, to which they subscribe. As a result of the transfer of information to a large number of companies, the likelihood of finding their data in a leak, of course, increases, - he stressed.
For example, you can create a separate mail and phone number, which will be used exclusively for registration on various services: for example, entertainment. In the context of the development of eSIM, the design process will not take long. In addition, it is not always worth indicating your full name - you can do with the initials, - Nemkin recommended.
This will definitely "shake up" the business, which should understand that the preservation of personal user data is an unconditional priority, the parliamentarian concluded.
Mishustin instructed the Ministry of Digital Development to develop measures to identify inaccurate data
In December 2023, Prime Minister Mikhail Mishustin gave instructions following a strategic session dedicated to the national project "Data Economics." One of them involves working out measures to identify inaccurate data, including those generated using artificial intelligence. The Ministry of Digital Development of the Russian Federation must fulfill this order by March 19, 2024.
Russia adopted a law allowing security officials to adjust the data of their employees in the GIS
On November 16, 2023, the State Duma of the Russian Federation adopted a law allowing security officials to adjust the data of their employees in state information systems.
The new norms provide law enforcement agencies with access to state, municipal and other information systems that contain data on the departmental affiliation of their employees in order to change, depersonalize or delete this data.
The document introduces amendments to 11 laws aimed at introducing a special procedure for the processing of personal data of certain categories of persons, the list of which will be established by the President of the Russian Federation.
It is assumed that by September 1, 2025, a register of information systems will be created in which personal data will be processed in a special order. Deputy Head of the Ministry of Digital Development Alexander Shoitov, telling the deputies about the bill, explained the need for its adoption by the "current situation."
Data leaks of protected persons, which can be subsequently used, including by foreign special services, carry risks to their life and health, the defense of the country and the security of the state as a whole, and especially in the current geopolitical situation, in connection with which the bill proposes to create a single mechanism that helps minimize the possibility of disclosing data of certain categories of protected persons, - he pointed out (quote from Kommersant).
The Association of Banks of Russia (ADB) opposed this initiative, arguing that the law will lead to a violation of the constitutional rights of citizens due to the provision of unrestricted access to personal data of individuals, including those not related to security officials. The Big Data Association, which includes, in particular, Yandex, VK, Rostelecom and MegaFon, also did not like the initiative: it said that the adoption of the law could lead to a violation of the integrity of IT systems.[7]
The Ministry of Digital Development of the Russian Federation explained what to consider biometrics
In November 2023, the Ministry of Digital Development of the Russian Federation presented a draft government decree "On approval of the list of types of biometric personal data covered by the Federal Law "On the implementation of identification and (or) authentication of individuals using biometric personal data..."". The document, among other things, introduces the definition of biometrics.
According to the publication D-Russia.ru with reference to the draft resolution, the federal law on biometric data will cover an image of a person's face obtained using photo and video devices, as well as a recording of a person's voice obtained using recording devices. The innovation will enter into force on September 1, 2024.
As of this date, as explained in the materials of the Ministry of Digital Development, the provisions of Part 4 of Article 3 of Federal Law No. 572-FZ do not apply, and Federal Law No. 572-FZ "On the implementation of identification and (or) authentication of individuals using biometric personal data..." applies to the types of biometric personal data determined by the Government of the Russian Federation in agreement with the federal executive body in the field of security (FSB) and the Coordination Council for the Development of Digital Identification and Authentication Technologies based on biometric personal data.
Earlier, Russian President Vladimir Putin signed a law that provides for the creation of a list of types of collected biometrics; there are only two of them: a face image and a voice pattern.
This norm is supposed to be valid until September 1, 2024, but changing this list, based on the text of the bill, is possible only by the government at the suggestion of the Coordination Council, which is formed by the government with the mandatory inclusion of representatives of the public and centralized religious organizations, - said the head of the State Duma Committee on Information Policy Alexander Khinshtein.[8]
Public services will not store data of Russians
On November 8, 2023, the Ministry of Digital Development, Communications and Mass Media of Russia announced a decision to avoid storing personal data of users of the State Public services portal in favor of using distributed systems, in which all information will be stored on the servers of departments.
The Ministry of Digital Development will oblige telecom operators to transfer the names of subscribers to Roskomnadzor
At the end of August 2023, it became known about the initiative of the Ministry of Digital Development, according to which telecom operators will have to transfer the names of subscribers to Roskomnadzor. The corresponding draft government decree was published on the federal portal of draft regulatory legal acts.
The document speaks of the need to require that information about the surname, first name and patronymic of the subscriber, and of the user of communication services of a subscriber that is a legal entity or individual entrepreneur, be submitted to Roskomnadzor in the form of a hash code. Also, operators will have to report information about the date of conclusion and termination of the contract with subscribers. In addition, it is proposed to oblige them to provide a list of subscriber numbers allocated to commercial companies and individual entrepreneurs who have concluded agreements on the provision of communication services.
It is also proposed to establish the requirement to submit to the information resource of Roskomnadzor in the form of a hash code calculated in accordance with the interstate standard GOST 34.11-2018 "Information Technology. Cryptographic information protection. Hashing function," only information about the surname, name and patronymic (if any) of the subscriber and the user of communication services of the subscriber - a legal entity or an individual entrepreneur, - said in the explanatory note.
Earlier in 2023, telecommunications operators were obliged to notify Roskomnadzor when transferring personal data of Russians to any country. They must also make sure that the foreign partner can maintain the confidentiality of the transmitted information and ensure its protection during processing. Within 10 days, Roskomnadzor has the right to prohibit the transfer of such data; if the ban is not imposed during this period, the data can be transferred.
The Supreme Court of Russia recognized the email address as not personal data
On July 21, 2023, the Supreme Court of the Russian Federation issued a ruling according to which an email address cannot be considered personal data of a person registering it.
According to the Russian Agency for Legal and Judicial Information (RAPSI), we are talking about the proceedings initiated by Roskomnadzor. The agency demanded that the processing of personal data of users by the insurance company on its Internet site be declared illegal. Claims arose in connection with the form "Application for registration of a policy" posted on the website: it contains the "Form of appeal" and requests the data "e-mail" and "phone." Roskomnadzor believes that in this case, the insurer, in violation of the current legislation, collects personal information from Russians.
However, the courts of three instances concluded that this form does not imply the collection of personal data in the context of the definition of "personal data" contained in paragraph 1 of Article 3 of the Law on Personal Data, since it is not used to identify the consumer of financial services, but is a form of feedback. It is noted that it is impossible to determine the specific person to whom it belongs exclusively by e-mail address.
After receiving the refusal, Roskomnadzor appealed to the Supreme Court, but did not find support there either. In particular, the Supreme Court concluded that the actions of Roskomnadzor not only do not meet the requirements of the current legislation, but also violate the rights and legitimate interests of society in the field of entrepreneurial and other economic activity.
The case file also states that the email address does not actually have the property of "absolute invariability," since in the event of termination of the user agreement with the electronic mail service or removal for any reason of an email mailbox from a server in the same domain, exactly the same address can be registered for a new user.[9]
The government of the Russian Federation approved the right of security officials to hide the data of certain categories of citizens
The government of the Russian Federation approved the right of the security forces to "clarify, extract, depersonalize, block, delete or destroy" the data of certain categories of citizens. This was reported by Vedomosti with reference to the corresponding document.
It follows from it that the innovation does not apply to all, but only to "individual categories of persons," which are primarily associated with law enforcement agencies. The categories will be detailed in the presidential decree, and the corresponding procedure for working with the data will be determined by lower-ranking regulatory legal acts (NPA). The authors of the bill note that as of July 2023 this area had not been regulated, while in Russia and the world there is a "rapid development of data processing technologies (including artificial intelligence)."
According to Igor Cherepanov, Deputy Chairman of the Board of the Russian Bar Association, the initiative will apply to military personnel, judges, law enforcement officers and citizens who have become participants in the witness protection program. Igor Bederov, director of Internet Search and OSINT specialist, believes that most of the changes to the bill apply to very small groups of citizens. Angelina Sevostyanova, head of corporate practice at Key Consulting Group, notes that unfriendly countries can use databases with personal data of Russians.
For the initiative to be effective, a technological data masking system is needed that will work in case of unauthorized access to information, explains Luka Safonov, CEO of Cyberpoligon. Such tools are used in civilian applications and allow rules to be set up for copying part of the information when a database copy is created, so that the original information is replaced with similar but not true information, he says. For example, when copying, all customer phone numbers can be replaced with random sets of digits similar in structure to telephone numbers, without violating the integrity of the database.[10]
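The masking rule described above, sketched as an added example (not code from the article or from any product it mentions). To keep the copy's integrity, it derives the replacement digits from a keyed HMAC instead of drawing them at random, so the same number masks to the same value in every table; the table layout, field names, key and phone numbers are constructed for illustration.

```python
import hashlib
import hmac

DIGITS = "0123456789"
KEEP_PREFIX_DIGITS = 1  # assumption: keep the country-code digit, mask the rest


def digits_of(value):
    """Return only the decimal digits of a formatted phone number."""
    return "".join(ch for ch in value if ch in DIGITS)


def pseudo_digits(key, original_digits, count, attempt):
    """Derive `count` decimal digits from HMAC-SHA256 under a secret key."""
    out, block = "", 0
    while len(out) < count:
        msg = f"{original_digits}|{attempt}|{block}".encode()
        digest = hmac.new(key, msg, hashlib.sha256).digest()
        # Reject bytes >= 250 so that byte % 10 is uniformly distributed.
        out += "".join(str(b % 10) for b in digest if b < 250)
        block += 1
    return out[:count]


class PhoneMasker:
    """Format-preserving, repeatable masking of phone numbers."""

    def __init__(self, key):
        self._key = key
        self._forward = {}  # original digits -> masked digits
        self._used = set()  # masked values already assigned

    def mask(self, phone):
        original = digits_of(phone)
        if len(original) <= KEEP_PREFIX_DIGITS:
            return phone  # nothing meaningful to mask
        masked = self._forward.get(original)
        if masked is None:
            attempt = 0
            while True:
                tail = pseudo_digits(self._key, original,
                                     len(original) - KEEP_PREFIX_DIGITS, attempt)
                masked = original[:KEEP_PREFIX_DIGITS] + tail
                # Never emit the real number, and never map two different
                # numbers to one value (that would merge distinct customers).
                if masked != original and masked not in self._used:
                    break
                attempt += 1
            self._forward[original] = masked
            self._used.add(masked)
        # Put the masked digits back into the original punctuation.
        it = iter(masked)
        return "".join(next(it) if ch in DIGITS else ch for ch in phone)


def mask_copy(customers, orders, key):
    """Build a masked copy of two tables that reference each other by phone."""
    masker = PhoneMasker(key)
    masked_customers = [{**row, "phone": masker.mask(row["phone"])} for row in customers]
    masked_orders = [{**row, "customer_phone": masker.mask(row["customer_phone"])}
                     for row in orders]
    return masked_customers, masked_orders


def orders_per_customer(customers, orders):
    """Integrity check: how many orders join to each customer by phone digits."""
    return {c["id"]: sum(1 for o in orders
                         if digits_of(o["customer_phone"]) == digits_of(c["phone"]))
            for c in customers}


# Constructed sample data; the numbers are placeholders, not real subscribers.
DEMO_KEY = b"constructed-demo-key"
CUSTOMERS = [
    {"id": 1, "name": "Customer A", "phone": "+7 (900) 000-00-01"},
    {"id": 2, "name": "Customer B", "phone": "+7 (900) 000-00-02"},
    {"id": 3, "name": "Customer C", "phone": "+7 (900) 000-00-03"},
]
ORDERS = [
    {"order_id": 10, "customer_phone": "79000000001"},
    {"order_id": 11, "customer_phone": "+7 900 000 00 01"},
    {"order_id": 12, "customer_phone": "79000000002"},
]

if __name__ == "__main__":
    masked_customers, masked_orders = mask_copy(CUSTOMERS, ORDERS, DEMO_KEY)
    for row in masked_customers + masked_orders:
        print(row)
    print(orders_per_customer(masked_customers, masked_orders))
```

The key has to stay outside the masked copy: anyone holding it can recompute the mapping for a guessed number.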
Roskomnadzor spoke about the first bans for business on the transfer of personal data of Russians abroad
Roskomnadzor (RKN) issued the first bans on companies in Russia on the cross-border transfer of personal data. The department told about this in mid-June 2023.
According to RBC, the new procedure for transferring personal data abroad began to operate on March 1, 2023. From that moment on, companies must notify Roskomnadzor in order to transfer such data to any other country. Exceptions are made for countries that have signed the Council of Europe Convention and are included in the list of the control body. The data can be transferred if within 10 days after receipt of the notification, RKN does not make a decision on the ban.
According to the representative of RKN, in more than 3 months - from March to mid-June 2023 - 589 such notifications were received from Russian personal data operators; in seven cases the transfer was prohibited or limited. We are talking about financial and logistics companies, he clarified, adding that the decisions on the ban and restriction were made due to the inconsistency of the purpose of the cross-border transfer of personal data with the goals that were announced during the collection, as well as their volume and content.
In particular, the companies planned to transfer personal data of applicants, as well as potential customers, abroad to check their solvency, - explained the representative of RKN.
As the managing partner of the law firm Enterprise Legal Solutions Yuri Fedyukin suggested, we can talk not only about banks, but also about insurance companies that can exchange data on customers and applicants as part of compliance and verification procedures for counterparties. Thus, Russian companies can send this information to foreign partners and back to assess solvency, risks, including sanctions, as well as the presence of outstanding debt and other violations. In addition, foreign companies and their subsidiaries in Russia can exchange data on customers whose applications for concluding loan and insurance contracts they are considering.[11]
Roskomnadzor will control the storage of data in the networks of enterprises
On September 1, 2023, amendments to the Law "On Communications" will come into force, according to which Roskomnadzor will assume obligations to control the storage of information by owners of technological communication networks. This became known in early April 2023.
As Vedomosti writes with reference to the representative of the Ministry of Digital Development, large corporations have their own technological communication networks, which are used not to provide communication services, but, for example, to control processes at work.
According to the Ministry of Digital Development, owners of technological communication networks are obliged to store information about the facts of receiving, transmitting, delivering and/or processing voice information, text messages, audio, video and other electronic messages. In addition, interaction between users of information systems (IS) is subject to storage, including (with indication of the exact time) registration, termination of registration, authorization, change of registration data, order, payment, receipt, provision of goods, works and services, receipt of reference information. Owners of technological networks will also have to store information about IS users, including the user's ID in the IS, his registration data, phone number and e-mail addresses, network addresses, ports, location, name of the client program and identification string of the user device application.
Technological communication networks form a closed environment for transmitting traffic coming from engineering and technological systems, Andrei Yatskov, adviser to the general director of the Zyfra Group of Companies, explained to the newspaper. In practice, the owners of such communication networks are telecom operators and large production companies. According to the law "On Communications," technological communication networks are designed to ensure the production activities of organizations, manage technological processes in production, agrees Nikita Danilov, a lawyer and teacher of the educational platform Moscow Digital School.[12]
2022
Putin instructed to introduce the possibility of refusing to process personal data through Public services
Russian President Vladimir Putin gave instructions to work out the possibility of giving consent to the processing of personal data through Public services and of revoking it. This information was published on the Kremlin website on September 30, 2022.
The Government of the Russian Federation will have to submit proposals for amending the legislation aimed at expanding the functionality of a single portal of state and municipal services. Proposals for expanding the functionality of EPGU must be submitted by November 15, 2022.
In addition to the possibility of giving consent to the processing of personal data and revoking such consent using the State Public services portal, according to Putin's instructions, it is necessary to add the possibility of posting on the website a list of consents to the processing of personal data that citizens gave to various structures and organizations, including when receiving state, municipal and commercial services.
Another order concerns the possibility of implementing a pilot project to identify citizens in certain life situations through the use of a mobile application.
The head of the Ministry of Digital Development Maksut Shadayev spoke about the need to introduce revocation of consents to the processing of personal data on Public services at a meeting of Russian President Vladimir Putin with the government at the end of August 2022.
We would be able to regulate such an opportunity so that in his personal account on the State Public services portal there was a list of all the consents that he gave, and so that he could withdraw every consent, and the organization that collected this data from him was obliged to delete this data. Here it is necessary to regulate this story a little legally, to make a register of such consents, - the minister noted.[13]
The Ministry of Digital Development proposes to create a register of consents to the processing of PD with the possibility of revoking them through Public services
On September 1, 2022, the Ministry of Digital Development of Russia proposed to create a register of consents to the processing of personal data that citizens give when receiving various services (in government agencies, banks, when issuing loyalty programs, etc.). It should be possible to withdraw such consents through Public services.
Users will be able to:
- See all consents given for the processing of their personal data, to whom and when they were presented;
- See the composition of personal data that are stored in these organizations;
- Revoke consents;
- Control the deletion of their personal data.
These functions will be available in the user's personal account on Public services. Thanks to the service, it will be easy for citizens to always monitor those who have the right to process their personal data. Information about the new consents given will appear automatically.
Russia has adopted a law prohibiting sellers from refusing service to customers without providing personal data
On April 20, 2022, the State Duma in the third (final) reading adopted a law prohibiting sellers from refusing service to customers without providing personal data. The document was initiated by the Government of the Russian Federation and amends the law "On Protection of Consumer Rights."
The law, which should enter into force on September 1, 2022, prohibits sellers, performers and owners of aggregators from refusing to conclude and execute an agreement with a consumer who refused to provide his personal data. The exceptions will be cases provided for by law or related to the execution of the agreement. The consumer will also have the right to request an explanation of the reason for the refusal and its legal grounds.
The amendments, according to their creators, were developed in order to suppress unfair behavior in the consumer market, including expressed in the forced or unjustified collection of consumer personal data for purposes not related to the conclusion or execution of the contract.
Now, when shopping or paying for services, people collect phone numbers, email addresses and other personal information under various pretexts. Even in cases where the provision of such information is not mandatory. First of all, this applies to online stores. The adoption of the relevant amendments will further protect consumer rights, explained State Duma Chairman Vyacheslav Volodin.
The changes introduced by the law comply with the UN guidelines for consumer protection, which name, among the principles of good business practice, the protection of personal information and the use of mechanisms for obtaining consent to the collection and use of consumers' personal data. They also comply with the recommendation of the Council of the Organisation for Economic Co-operation and Development (OECD) on consumer protection in electronic commerce of 24 March 2016, which requires companies to protect consumer privacy by ensuring that their practices regarding the collection and use of consumer data are legal, transparent and fair.[14]
The State Duma approved in the first reading the law on expanding the access of the prosecutor's office to personal data of Russians
The State Duma approved in the first reading the law on expanding the access of the prosecutor's office to personal data of Russians. This became known on March 4, 2022.
According to the authors, the adoption of the bill will allow "better control of deputies and their families within the framework of the anti-corruption law."
The bill enshrines the right of the prosecutor's office to receive the necessary information, access to which is limited. Also, the department will have the right to process personal data "received not only in connection with the implementation of prosecutor's supervision, but also in the exercise of other powers and functions." This was reported on the website of the State Duma.
As noted in the Cabinet of Ministers, personal information is necessary for prosecutors to keep statistics on the state of crime and for investigative work. Personal data is also processed when sending requests to foreign banks in order to check citizens' compliance with the ban on opening accounts in them.
Personal data that the prosecutor's office will process after the adoption of the law:
- name, surname, patronymic;
- race, nationality;
- political views, religious or philosophical beliefs;
- information on the state of health (facts of consumption of psychoactive substances and registration in health care institutions) and intimate life.
The head of the Duma Committee on Security and Anti-Corruption Vasily Piskarev said that the bill takes into account the changes in recent years that have occurred in anti-corruption legislation.
This will expand our understanding of the state of crime in the country and make it possible to better understand what else needs to be changed in the laws to reduce the number of certain crimes - Vasily Piskarev, head of the Duma Committee on Security and Anti-Corruption[15].
2021
Putin instructed to ensure citizens the right to object to the processing of personal data
In December 2021, Russian President Vladimir Putin instructed to ensure citizens the right to object to the processing of personal data. This was reported by the Kremlin press service.
It is clarified that the Government of the Russian Federation, together with the Bank of Russia, is instructed to prepare and submit changes, thanks to which citizens in certain cases will be able to "dispose of information contained in information systems about their business operations, including personal data." The order must be completed by June 1, 2022.
On December 9, 2021, Vladimir Putin pointed out that there are too many leaks of personal data of Russians, it is necessary to take measures to ensure the rights of citizens. It is necessary to study the possibilities for the development of additional regulatory measures in this area, the head of state specified. According to the head of state, it is also necessary to "restore order" in the issue of surveillance of Russians, which is conducted by Internet platforms.
In mid-December 2021, Vladimir Putin also instructed to speed up work on amendments that would make it possible to give companies working in the field of artificial intelligence access to depersonalized data.
The order was given to the government and the State Duma; those responsible are Prime Minister Mikhail Mishustin and Speaker of the Lower House of Parliament Vyacheslav Volodin. According to the instruction, it is necessary to speed up the preparation of amendments to the legislation, according to which the authorities will be able to provide organizations developing technological solutions using artificial intelligence and scientific organizations with access to "sets of depersonalized data." At the same time, the instruction emphasizes that it is necessary to ensure the safety and confidentiality of personal data, including depersonalized data.
The deadline for the execution of the order is March 1, 2022.[16]
The Ministry of Digital Development has determined the indicators of control over the processing of personal data
The Ministry of Digital Development, Communications and Mass Media of the Russian Federation has determined key indicators of control over the processing of personal data. This became known in early October 2021.
The Ministry of Digital Development explained to TASS that at the legislative level it is proposed to consolidate the key indicator of federal control over the processing of personal data, the achievement of which will illustrate the effectiveness of control (supervisory) activities. In accordance with the proposed target indicators, starting from 2022, the share of persons in respect of whom violations of the law will be detected will decrease, which will minimize the risks of violation of the law in the field of personal data, and, as a result, increase the security of personal data of our citizens.
According to TASS, citing a document developed by the ministry, the share of persons in respect of whom violations of the law will be revealed as a result of scheduled inspections will be 90% in 2022, 89% in 2023, 88% in 2024, 87% in 2025, and 86% in 2026.
The document was developed in connection with the adoption of the law "On state control (supervision) and municipal control in the Russian Federation," according to which there will be fewer types of control, and the main emphasis will be on the prevention of violations. It is noted that the innovation will not require additional costs.
The document complements the provision with the section "VIII. Key indicators of federal control and their target values." One indicator appears:
The share of controlled persons whose activities, as a result of scheduled inspections, revealed violations of the legislation of the Russian Federation in the field of personal data from the total number of controlled persons in respect of whom scheduled inspections were carried out (%).[17][18]
The Central Bank proposed to enable Russians to withdraw personal data from business
The Central Bank and banks advocated the creation of a platform in Russia that allows Russians to give and withdraw consent to the processing of their data not only on Public services, but also with businesses. This became known on September 10, 2021. Such a register should enable business and financial market participants to track which clients give or revoke certain consents, and enable citizens themselves to manage their consents.
This was reported to RBC by the first deputy chairman of the Central Bank Olga Skorobogatova.
We made such a platform within the framework of the "Digital Profile," but it only concerns the provision of information from "Public services," from state sources. We have two hands in favor of making such a platform for commercial consent, Olga Skorobogatova said.
According to the representative of the Central Bank, if the project is implemented, the platform will significantly simplify the process of providing data from various commercial sources with the consent of a citizen and of managing these consents. The regulator considers this idea promising and expedient for implementation. According to her, the regulator is ready to study this issue at the AFL site of the [19].
Roskomnadzor and the Central Bank explained the requirements for the processing of personal data of citizens
In early August 2021, the Central Bank of Russia and Roskomnadzor issued a joint letter explaining the requirements for the processing of personal data of citizens by financial organizations.
According to the document, banks and microfinance organizations are advised to obtain a separate consent of the borrower to the processing of personal data in relation to each person who may have access to them.
Practice has shown that some lenders use broad formulations when issuing consumer loans and loans: the borrower, with one signature, agrees to transfer data about himself not only to the lender, but also to other persons. As a result, this information can be used, in particular, for advertising and other purposes not related to the issuance and servicing of a loan. In addition, it can be used even after the client has paid off the loan, the Central Bank explained.
Roskomnadzor and the Central Bank of the Russian Federation remind that the processing of personal data should be limited to achieving specific predetermined legal goals. The consent provided to the creditor must set a data processing time. It is unacceptable to include a condition on the automatic extension of the validity period of consent to the processing of personal data or an indication of the indefinite validity of consent, according to a letter from the financial regulator and the supervisory authority.
It also adds that when providing their personal data and appropriate consent, a citizen must clearly understand to whom consent and data are provided, what goals and tasks the financial institution pursues, given that the provision of such a separate consent by a person is not required to fulfill the terms of the contract.
The financiers interviewed by Kommersant considered the recommendations of the Central Bank redundant. The need to obtain separate consents for each third party involved in the processes can in this sense significantly complicate the process and make it cumbersome for both the client and the bank, one of the newspaper's interlocutors said.[20][21]
Foreign IT giants with an audience of 500 thousand people will be obliged to open representative offices in Russia
On June 16, 2021, information appeared that the State Duma of the Russian Federation approved in the second reading a bill obliging large foreign IT companies to open their representative offices in Russia. Companies with a daily audience in the Russian Federation of 500 thousand people or more fall under the law. From January 1, 2022, such organizations will have to create branches, open representative offices or establish Russian legal entities, "which must fully represent the interests of parent companies" and will become the main channel of interaction with the Russian regulator, the document says.
The preliminary list of Internet resources whose owners may be obliged to open branches or representative offices in Russia includes 20 platforms. It includes social networks (Facebook, Instagram, TikTok, Twitter), video hosting (YouTube, Twitch.tv), messengers (WhatsApp, Telegram, Viber), mail service (Gmail), search engines (Google, Bing.com), hosting providers (Amazon, Digital Ocean, Cloudflare, GoDaddy), online stores (Aliexpress.com, Ikea.com, Iherb.com), as well as Wikipedia.org. This list can be adjusted.[22][23]
According to the bill, companies will need to register a personal account on the Roskomnadzor website and use it to interact with the authorities, and place a form on their website for appeals from residents of Russia and local organizations (details will be determined by Roskomnadzor). In addition, IT giants will need to install a user counter selected by Roskomnadzor.
For refusing to comply with the requirements of the law, IT companies will face a ban on the distribution of advertising, restriction of payments and transfers of funds to the Internet resource, a ban on the collection and transfer abroad of personal data of Russians, exclusion from search results, as well as partial or complete blocking of the violating resource.
A list of foreign IT companies that have opened representative offices in Russia will be available on the Roskomnadzor website.
The bill was submitted to the State Duma on May 21, 2021.[24] Its authors were United Russia deputies Alexander Khinshtein, Sergey Boyarsky, Maxim Kudryavtsev, Anton Gorelkin and Russian Senator Alexei[25]
Roskomnadzor ordered Facebook and Twitter to localize the data of Russians until July 1
Foreign social networks, including Facebook and Twitter, will have to localize the personal data of Russian users by July 1, 2021. This was announced on May 26 by the deputy head of Roskomnadzor Milos Wagner at the final meeting of the board of the department.
According to him, demands have already been sent to the companies to bring their activities in line with this.
Until July 1, we expect information on how this requirement is being fulfilled, added Wagner (quoted by TASS Information Agency of Russia).
Since 2015, Russian and foreign companies have been required to store personal information of Russians only in Russia. According to Wagner, by the end of May 2021, about 600 foreign companies had localized databases in Russia in accordance with the requirements of the law. Apple and Microsoft previously provided data localization; these requirements are also met by LG, Samsung, PayPal, Booking and other companies.
Earlier, Roskomnadzor opened administrative proceedings against Facebook and Twitter, since the companies did not provide information on the localization of databases of Russian users on servers located in Russia. In February, the court fined the companies 4 million rubles each for violation of part 8 of article 13.11 of the Administrative Code ("Violation of the legislation of the Russian Federation in the field of personal data").
In addition, in May 2021, a bill was submitted to the State Duma obliging foreign IT companies with a daily audience in the Russian Federation of 500 thousand people or more to open their branches in the country. If companies do not comply with this requirement, they may, in particular, be prohibited from distributing advertising, as well as from collecting personal data. This requirement may apply to Facebook, Instagram, Twitter, TikTok, Google AdWords, YouTube, WhatsApp, Viber, Telegram, Steam and World Of Tanks.[26]
The Ministry of Digital Development has developed a regulation on state control over the processing of personal data
On May 20, 2021, it became known that the Ministry of Digital Development of the Russian Federation had developed a regulation on the organization and implementation of state control over the processing of personal data. The corresponding document is posted on the federal portal of draft regulatory legal acts.
Approve the attached regulation on federal state control (supervision) over the processing of personal data. Recognize as invalid the decree of the Government of the Russian Federation of 13.02.2019 No. 146 "On the approval of the rules for the organization and implementation of state control and supervision over the processing of personal data." To establish that the implementation of the powers provided for by this resolution is carried out by Roskomnadzor within the maximum number of employees of the central office and territorial bodies of Roskomnadzor established by the government of the Russian Federation, as well as the budgetary allocations provided for Roskomnadzor for management and management in the field of established functions, - according to the document, excerpts from which are cited by TASS Information Agency of Russia.
According to this initiative, Roskomnadzor will establish control over the activities of operators and third parties acting on behalf of the operator, as well as its results. The service will classify supervised objects as one of the categories of risk of harm: significant, medium, moderate or low. The frequency and type of checks will also be regulated.
The department also noted that according to the draft resolution, when exercising federal state control (supervision) over the processing of personal data, a risk assessment and management system is used.
The Ministry of Digital Development believes that the implementation of the project will contribute to increasing the security of personal data of citizens and reducing offenses in this area. The resolution comes into force on July 1, 2021.[27]
Passport data and winning amounts of casino players will be transferred to the Federal Tax Service
At the end of April 2021, it became known about the order of the Federal Tax Service (FTS), according to which the personal data of players in casinos and slot machine halls should be transferred to the department for further placement in a special register. Tax authorities will receive full names, passport data, TIN and the amount of players' winnings.
Ministry of Digital Development of the Russian Federation opposed the creation of a new system for collecting data on Russians
The Ministry of Digital Development, Communications and Mass Media of the Russian Federation opposed the creation of a new system for collecting data on citizens. This became known in early April 2021.
As Kommersant explains, the department considers it unnecessary to transfer information from Internet users to the Roskomnadzor system, which is posted on the public services portal, and asked to finalize the draft order "On approval of the rules for using the Roskomnadzor information system." This document refers to a single information system for managing the personal data of Russians, collecting and revoking their consents to processing data from social networks, from ad sites and from open registers.
The Ministry of Digital Development believes that the collection of consent to sending personal data of users should be voluntary, and the initiative should be finalized, but before that, the changes should be discussed with business. The department sees no reason to spend additional money on creating another data collection and storage system.
The system proposed by Roskomnadzor is designed to store information, since the draft order states that the department will store information contained in consent, says Oleg Blinov, a teacher at Moscow Digital School. The plus, according to him, is that both Roskomnadzor and the ministry so far insist on exclusively voluntary use of the consent system. But in the future, the department may tighten the requirements for the format for collecting consents by services during inspections.
As a result, they will be forced to connect to public services to facilitate user registration, added Blinov.
Ekaterina Portman, director of Deloitte Legal in the CIS, notes that voluntariness is one of the basic principles of consent to the processing of personal data, but it is unclear how to assess the situation when a citizen wants to register on a social network or on another site that distributes data and refuses to provide consent to their processing.[28]
Roskomnadzor has developed rules for using the system for processing personal data
On March 23, 2021, it became known about the rules developed by Roskomnadzor for using the IT system, which can be used to give and revoke consent to the processing of personal data.
According to Interfax, citing a document published by the department, in order to use the personal data processing system, it will be necessary to register with the following data:
- full name;
- date of birth;
- passport data;
- place of residence or registration;
- phone number;
- email address;
- status as a foreigner or stateless person.
In this case, the data operator must indicate the name or full name (for individual entrepreneurs and individuals), address, as well as registration information, including OGRN, TIN and code (s) of classifiers by direction of activity.
All this information is verified, including using the ESIA identification system, and only after that the registration is considered completed and access to the personal account is provided on the Roskomnadzor website. The system provides for submission and withdrawal of the operator's consent, formation of a register of records on submitted, received and withdrawn consents, registration of actions of Roskomnadzor officials, the possibility of sending them requests or demands for elimination of detected violations in the field of personal data, etc.
Roskomnadzor proposes to introduce an obligation for the personal data operator to compensate for damage from a data leak in accordance with the harm caused. This proposal was made on March 23, 2021 at a meeting of the State Duma's inter-factional working group on combating cybercrime.
According to Roskomnadzor, only 17% of those deceived on the Web tried to initiate a criminal case, while 83%, when they lost data or were deceived in some way, did not contact the Ministry of Internal Affairs.[29]
Adoption of a law on increasing fines for violation of personal data processing rules
On February 10, 2021, the State Duma adopted in the third (final) reading a bill to double fines for violating the rules for processing personal data. Changes will be made to Article 13.11 of the Code of Administrative Offenses (CAO) "Violation of the legislation of the Russian Federation in the field of personal data."
According to TASS, the Russian Information Agency, citing the text of the amendments, processing personal data if it is not provided for by law, will entail fines:
- for citizens - from 2 thousand to 6 thousand rubles;
- for officials - from 10 thousand to 20 thousand rubles;
- for legal entities - from 60 thousand to 100 thousand rubles.
For repeated violation of the law, fines will be:
- for citizens - from 4 thousand to 12 thousand rubles;
- for officials - from 20 thousand to 50 thousand rubles;
- for individual entrepreneurs - from 50 thousand to 100 thousand rubles;
- for legal entities - from 100 thousand to 300 thousand rubles.
The following punishment is imposed for processing personal data without consent given in writing:
- for citizens - in the amount of 6 thousand to 10 thousand rubles (previously it was from 3 thousand to 5 thousand rubles);
- for officials - from 20 thousand to 40 thousand rubles (previously - from 10 thousand to 20 thousand rubles);
- for legal entities - from 30 thousand to 150 thousand rubles (formerly - from 15 to 75 thousand rubles).
As the agency notes, the listed provisions were added to the bill, initially aimed at introducing fines only for violating the law on sustainable Internet in Russia.
This bill is a logical and understandable continuation of the policy aimed at protecting the country's digital sovereignty, said Alexander Khinshtein, head of the Committee on Information Policy, Information Technology and Communications.
I want to say, knowingly understanding what colleagues from opposition factions will say, that the bill establishes responsibility for non-compliance with the requirements of the existing law, including this law introduces administrative responsibility synchronizing with the law on countering censorship on the Internet that we previously adopted, he stressed.[30][31]
Roskomnadzor has developed new requirements for personal data processing
At the end of January 2021, it became known about the order developed by Roskomnadzor "On establishing requirements for the content of consent to the processing of personal data allowed by the subject of personal data for distribution."
According to the requirements of Roskomnadzor, consent must be drawn up in Russian. It has to contain the full name, phone number, e-mail address or postal address of the personal data subject, as well as the name and address of the operator receiving consent.
The form of the document providing consent to the processing of personal data will include the section "special personal data." This is information about criminal record, nationality, race, attitude to religion, as well as the philosophical worldview that a citizen adheres to.
In addition, the consent will contain a line about political views, health and intimate life. Finally, the biometric data section will include DNA, an image of the iris of the eye, fingerprint information, color photo and recording with a voice sample, as well as a photo image of a palm vein pattern in the infrared range.
Also, the consent must include the period during which it is valid, as well as information about the operator's information resources, through which he will transfer access to data to an unlimited number of persons.
It will be possible to draw up consent both in the form of an electronic document using the information service and in handwritten form.
Roskomnadzor proposes to draw up consent in the form indicating the patronymic, mobile phone and email or postal address - this will be difficult, since the operator must try very hard to collect all the required data, Tatyana Vukolova, associate partner of Rödl & Partner in Russia, told ComNews.[32]
2020
The State Duma adopted a law prohibiting the dissemination of personal data of citizens without their consent
The State Duma adopted in the third, final reading a law banning the distribution of personal data of citizens without their special consent. The law (N1057337-7) spelled out the procedure for mandatory approval for the processing of personal data of Russians by any operator. This became known on December 23, 2020.
The Ministry of Digital Development supported the tightening of personal data regulation, but business did not
In early December 2020, the Big Data Association (ABD), which unites the largest IT companies, banks and telecom operators, asked the State Duma not to adopt the bill of deputy Anton Gorelkin on tightening the regulation of personal data.
This bill provides for a ban on the placement and distribution of publicly available personal data by operators without the consent of users. It is also proposed to oblige operators to delete personal data of Russians and change the parameters of permission for their processing at the first request.
As Kommersant writes with reference to the letter that the ABD sent to the head of the State Duma Committee on Information Policy Alexander Khinshtein, one of the complaints is that the bill could lead to additional costs for the platforms to finalize the interfaces. In this case, Russian resources will be at a disadvantage, since it will be impossible for foreigners to control compliance with the requirements, the association believes.
The ABD's feedback also states that if a user gives consent to two social networks to process data, but with different parameters, this creates legal uncertainty when using the data.
The Ministry of Digital Development of the Russian Federation, as the deputy head of the department Oleg Ivanov said during a meeting in the Federation Council on December 4, 2020, supports the bill on the regulation of publicly available personal data, but asks to postpone until mid-2021 the creation of a special IT system through which citizens will submit consent to the processing of such data.
This system is currently not ready. Roskomnadzor, as an authorized body, in its response letter asked that, taking into account the need to prepare and put it into operation, provide for the deadline for the entry into force of these provisions from June 1, 2021. There are no difficulties in creating such a system, but time is needed to create such a system, Ivanov said (quoted by TASS Information Agency of Russia).[33][34]
The Ministry of Digital Development proposed to develop a mechanism for revoking consent to the processing of personal data
On February 6, 2020, it became known that the Ministry of Digital Development, Communications and Mass Media of the Russian Federation proposed to develop a mechanism that allows citizens to withdraw their consent to the processing of personal data. Among other things, this will allow them to protect themselves from spam, according to the ministry.
The intention to create a mechanism for revoking consent to the processing of personal data was announced by the head of the Ministry of Communications Maksut Shadayev at a meeting of the State Duma Committee on Information Policy, Information Technology and Communications.
As a subscriber, I do not have the opportunity to complain (to telephone spam - ed.), and the operator has the obligation to take into account these complaints and block such calls. The same applies to a large number of SMS notifications, letters in the mail. We must provide a mechanism so that from those who send this there is a simple and accessible unsubscribe mechanism.
According to Shadayev, as of February 2020, users give their consent to the collection and processing of data and sign documents, but cannot withdraw this consent when needed because there is no appropriate mechanism. Therefore, it is necessary to give citizens the opportunity to see to whom they gave the right to use their personal data, and to withdraw consent to its processing, the minister is sure.
"We must come up with and work out a scheme to see the list of organizations to whom we have given consent to use personal data, and how we can revoke this consent, blocking the further possibility of using it," noted Shadayev.
So far, the mechanism is only being worked out, and there are no specifics on this matter. As the minister suggested, spam calls and SMS messages may be blocked in the future by the telecom operator[35].
2019
The State Duma approved in the second reading a bill on the storage of personal data
On November 19, 2019, the State Duma adopted in the second reading a bill that significantly increases the fine for refusing to store personal data of Russians on servers in the Russian Federation.
Roskomnadzor fined personal data operators 2.6 million rubles
On October 24, 2019, it became known that according to the results of inspections conducted in the period from January to September 2019, Roskomnadzor revealed more than 2.4 thousand violations by personal data operators. As reported on the regulator's website, according to the results of the measures taken, 4 thousand administrative protocols were drawn up and fines were imposed for a total of 2.6 million rubles.
During the specified period, according to the results of planned and unscheduled inspections, Roskomnadzor and its territorial bodies revealed 1,942 violations in the field of protecting the rights of personal data subjects. The most frequent violation was the submission to the Authorized Body of a notification on the processing of personal data with incomplete or inaccurate information.
456 violations of the law on personal data on the Internet were also revealed. Most of the violations were committed by healthcare institutions (92 violations), state and municipal bodies (82 violations), educational institutions (71 violations) and housing and communal services organizations (61 violations). Most often, organizations did not publish on websites and did not provide access to a document defining their policy regarding the processing of personal data, and also did not provide information about the requirements for the protection of personal data being implemented. [36]
The rules for organizing and exercising control over the processing of personal data have been approved
On February 16, 2019, it became known that the Government of the Russian Federation approved the rules for organizing and exercising state control and supervision over the processing of personal data (PD). The corresponding document is published on the portal of legal information.
The rules establish the procedure for organizing and conducting inspections of legal entities and individual entrepreneurs - personal data operators, as well as other persons who are PD operators.
The rules do not apply to control and supervision over the implementation of organizational and technical measures to ensure the security of personal data processed in personal data information systems established in accordance with Art. 19 of the Federal Law "On Personal Data."
According to the document, control and supervision will be carried out by Roskomnadzor and its territorial bodies. Control and supervision here means measures to prevent, detect and suppress violations by PD operators of the provisions of the Law "On Personal Data," including scheduled and unscheduled inspections, taking measures to suppress and (or) eliminate the consequences of detected violations, carrying out control measures without interaction with operators, and carrying out measures to prevent violations.
As indicated in the resolution, PD operators will be notified of a scheduled inspection three working days before it begins, and of an unscheduled one at least 24 hours in advance. The document also describes the rules for organizing various types of inspections and the procedure for their implementation; the rights and obligations of officials in the implementation of state control and supervision; the procedure for recording inspection results; measures taken in relation to the facts of violation of the requirements; rules for organizing and carrying out measures to prevent violations of requirements; and the pre-trial (out-of-court) procedure for appealing decisions and actions[37][38].
Roskomnadzor opened cases on Twitter and Facebook due to non-compliance with the law on the storage of data of Russians in the Russian Federation
Roskomnadzor on January 20 announced that it was starting administrative proceedings against Twitter and Facebook. The received responses of companies on the implementation of the law on the localization of personal data databases of Russian users on the territory of the Russian Federation did not satisfy the service.
Earlier, the head of Roskomnadzor, Alexander Zharov, told the TASS Information Agency of Russia that in December 2018 he sent notifications to the companies about the need to comply with Russian legislation in the field of user data. The companies had to provide legally meaningful answers; a failure to respond would be treated as a refusal, he said. In case of a negative answer, the head of Roskomnadzor promised to initiate administrative cases and fine the corporations 5,000 rubles. The period during which they will have to localize the databases is from six months to a year. At the moment, the companies have not yet localized their user databases in Russia.
2017
Roskomnadzor will expand the list of countries protecting personal data
Roskomnadzor published in May a draft order expanding the list of countries that are not members of the Council of Europe Convention on the Protection of Individuals when Processing Personal Data, but ensure adequate protection of the rights of subjects of such data.
The regulator proposes to remove Senegal from the list and include Costa Rica, Qatar, Mali, Singapore, South Africa, Gabon and Kazakhstan.
In addition to the countries participating in the Convention, cross-border transfer of personal data is allowed to countries from this list. In other cases, operators need to seek written consent from regulators.
Roskomnadzor was instructed to control the processing and exchange of all personal data
In Russia, Roskomnadzor was instructed to carry out state control over the processing of personal data. The corresponding government decree was prepared in May 2017 by the Ministry of Communications.
The draft government decree on the procedure for state control over the processing of personal data was published by the Ministry of Telecom and Mass Communications. After the document comes into force, Roskomnadzor will have access to all Russian information systems that contain and process personal data. The press service of the ministry notes: "Article 23 of the Law 'On Personal Data' has been amended to give the government the authority to determine the procedure for conducting inspections in the field of personal data processing."
The new powers will give the regulator the right not only to check the operators' servers, but also to assess whether the content, volume, method of processing, and storage period of personal data correspond to the declared purposes. According to the draft, Roskomnadzor will control both the processing of data and the provision of services and the sale of goods where "the subject is personal data and (or) their processing activities."
When the document comes into force, Roskomnadzor will have access not only to server rooms, hardware and software of personal data information systems (ISDS), but also to the personal data itself.
In accordance with the new procedure, during the audit, Roskomnadzor will have the right to:
- Request any information, documents and local acts related to the fulfillment of the requirements of the legislation in the field of personal data;
- Conduct surveys of premises and personal data information systems;
- Issue mandatory instructions on elimination of violations;
- Use special equipment;
- Get access to the personal data sheet (including personal data itself);
- Request documents confirming that the operator has taken measures to comply with the requirements of the law, check and evaluate these measures;
- Issue mandatory requirements for blocking, destruction, suspension of PD processing;
- Draw up protocols on administrative offenses;
- Contact law enforcement and prosecution authorities in case of obstruction of the audit.
An unscheduled inspection is possible in the following cases:
- Based on the decision of the head of Roskomnadzor;
- In case of failure to comply with the order to eliminate the violation;
- Based on the results of consideration of citizens' appeals;
- In the event of a violation identified as a result of systematic observation measures;
- Based on the submission of the prosecutor's office.
2016: Microsoft, Samsung and HP in the plans for checks on the storage of personal data of Russians
On January 11, 2016, it became known about the plans of Roskomnadzor to check more than ten foreign and Russian IT and Internet companies for compliance with the requirements of the law on the localization of personal data of citizens of the Russian Federation.
According to Interfax, citing the press service of Roskomnadzor, in 2016 the department will check the procedure for storing personal data of Russians in Russian offices of Microsoft (verification is scheduled for March), Samsung and HP (August).
In addition, similar checks will be held at the social network VKontakte, the online store Ozon (Internet Solutions LLC), the recruiting companies SuperJob and HeadHunter, the online stores LaModa (Kupishuz LLC) and Wildberries, as well as at the online hotel booking service Островок.ру and CJSC Soup Media (part of the Rambler & Co holding).
In total, it is planned to conduct about 1,000 checks on the localization of user data. In addition to IT and Internet companies, the activities of banks, insurance companies and retailers will be studied. As for foreign companies that do not have representative offices in Russia (for example, Facebook and Apple), as of January 11, 2016 Roskomnadzor had not mentioned them.
In 2015, the department checked 302 companies; no gross violations were identified. Organizations operating on the Russian market that do not store personal data of Russians on servers located on the territory of the Russian Federation face a fine of up to 300 thousand rubles and blocking of the site. The violating company is placed in a special register (its operator is Roskomnadzor) and pays a fine only by a court decision.[39]
2015
Announcement of Roskomnadzor on intentions to conduct inspections of IT companies under the law on the storage of personal data of Russians in Russia
On November 10, 2015, it became known about the plans of Roskomnadzor to initiate checks of IT companies for compliance with the law banning the storage of personal data of Russians abroad.
As Interfax reported with reference to the head of Roskomnadzor Alexander Zharov, in 2016 the department intended to check social networks, financial institutions, online stores and other service companies that use cross-border information transmission.
Although the law obliging companies to store and process data of their Russian clients only on servers within the Russian Federation entered into force on September 1, 2015, by November 10, Roskomnadzor had not received a response from Facebook and Twitter to an official request whether these services comply with the legislative requirement. Zharov did not specify whether Facebook and Twitter will be included in the list of audited companies for 2016, and noted that the full list will be published in December 2015.
"We'll wait patiently. Both social networks are informed that Roskomnadzor believes that they are processing data from Russians. This follows from the essence of their user agreements. Sooner or later they will be checked," said Alexander Zharov.
According to him, in 2016 it is planned to check more than 300 companies and focus on those who belong to the Internet economy. In addition, those companies that receive complaints from users who suspect that their personal data is "inadequately protected and used illegally" will be subjected to checks.
In 2015, Roskomnadzor intends to check a total of over 300 companies for compliance with the law, including Military Insurance Company and Yota.[40]
Explanations of the Ministry of Telecom and Mass Communications
Before the entry into force of the new rules on the localization of storage and individual processes for processing personal data, the Ministry of Communications prepared and published a list of explanations.
This was required because the individual terms and wording used in the text of the provision did not have legal definitions and allowed for different interpretations. In addition, due to the novelty of the concept of localization of data, a number of questions arise regarding the relationship of this provision with other norms of the Federal Law "On Personal Data."
The department states that legal uncertainty has formed regarding the procedure for fulfilling the requirements of FZ-242: many organizations do not understand what changes they need to make to their IT infrastructure and (or) business processes in order to comply with the law, especially if such infrastructure is of a cross-border nature. Early clarification is necessary, since the amount of costs that organizations must incur to comply with the requirements of the law directly depends on a correct understanding of a number of concepts and of the mechanism for implementing the localization provisions.
The list of explanations was prepared on the basis of information received from representatives of business, the scientific community and state authorities of the Russian Federation (Federation Council of the Russian Federation, Ministry of Telecom and Mass Communications of the Russian Federation, Roskomnadzor). Most of these issues were also the subject of discussions at a series of closed meetings held by Roskomnadzor in February-March 2015.
Scope of FZ-242 by territory and circle of persons
In connection with the cross-border nature of the Internet, which ensures the possibility of purchasing goods and services from foreign persons, the question arises under which conditions the requirements of Part 5 of Art. 18 of the Federal Law "On Personal Data" apply to foreign organizations that do not have a physical presence in the territory of the Russian Federation.
The Federal Law "On Personal Data" does not contain special provisions governing its scope in the territory and circle of persons. In this regard, in order to resolve the issue, it is necessary to refer to the provisions of other laws. In accordance with Part 1 of Art. 15 of the Federal Law "On Information, Information Technologies and Information Protection" in the territory of the Russian Federation, the use of information and telecommunication networks is carried out in compliance with the requirements of Russian legislation in the field of communications, this Federal Law and other regulatory legal acts of the Russian Federation. Thus, the effect of Russian laws, including the Federal Law "On Personal Data," is generally limited to the territory of the Russian Federation.
At the same time, when carrying out activities on the Internet, which does not make it possible to clearly identify geographical boundaries, it is necessary to establish special criteria under which activities can be attributed to those carried out on the territory of the Russian Federation. The availability of the Internet site on the territory of the Russian Federation alone is not enough to conclude that it is subject to the legislation of the Russian Federation, including the use of data, since in this case its scope would be essentially worldwide in nature and would make it almost impossible to control its implementation, the Ministry of Telecom and Mass Communications explains.
In this regard, in international private law and legislation on the protection of consumer rights (Article 1212 of the Civil Code of the Russian Federation), with which the legislation on personal data is closely related, a criterion was developed for the orientation of a person's activities into the territory of the Russian Federation as a condition for applying the legislation of the Russian Federation to relations with a foreign entity. A similar criterion is used in European practice (Art. 15 (1) (c) of EU Regulation No 44/2001 of 22 December 2000 "On the Jurisdiction, Recognition and Enforcement of Judicial Decisions in Civil and Commercial Matters"; Article 6 of EC Regulation No 593/2008 of 17 June 2008 "On the right applicable to contractual relations"; Art. 3 (2) Draft EU General Data Protection Regulation).
In this case, the action of the Federal Law "On Personal Data" will be directed to Internet resources (Internet site, Internet site page), using which a person carries out activities directed to the territory of the Russian Federation, which can be blocked in the prescribed manner if their owner, who is a resident of a foreign state, does not comply with the requirements of the Federal Law "On Personal Data."
The following circumstances may indicate the focus of the Internet site on the territory of the Russian Federation:
- the use of a domain name associated with the Russian Federation or one of its constituent entities (.ru, .рф, .su, .москва, .moscow, etc.);
- the presence of a Russian-language version of the Internet site created by the owner of such a site or on his behalf by another person (the use of plugins on the site or by the user himself that provide the functionality of automated translators from various languages should not be taken into account).
At the same time, since the Russian language is widely used in some countries outside the Russian Federation, to determine the focus of the Internet site on the territory of the Russian Federation, it is additionally necessary to have at least one of the following elements: the possibility of making settlements in Russian rubles; the possibility of fulfilling the contract concluded on such an Internet site on the territory of the Russian Federation (delivery of goods, provision of services or use of digital content on the territory of Russia), the use of advertising in Russian referring to the corresponding Internet site, or other circumstances that clearly indicate the intention of the owner of the Internet site to include the Russian market in its business strategy.
Thus, the obligations to localize certain processes of processing data apply to foreign operators, provided that they carry out directed activities to the territory of the Russian Federation and there are no exceptions directly specified in Part 5 of Art. 18 of the Federal Law "On Personal Data" (for example, an international treaty for the purpose of which processing is carried out).
Scope of FZ-242 in time
The Ministry of Telecom and Mass Communications notes that business representatives have a lot of questions about the possible retroactive effect of FZ-242 and its extension to personal data processing that took place before its entry into force.
In accordance with established legal principles, retroactive application of legal norms that impair the legal status of persons and establish new obligations is, as a general rule, unacceptable. The exception is cases when retroactive effect is directly provided for in the law. FZ-242 does not contain such provisions. Accordingly, the localization obligation provided for in Part 5 of Art. 18 of the Federal Law "On Personal Data" applies to relations for the processing of personal data that arise after its entry into force.
Thus, recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of citizens of the Russian Federation within the framework of the collection, which will be carried out starting from September 1, 2015, should be carried out taking into account the new requirements of Federal Law No. 152-FZ, namely, using databases located on the territory of the Russian Federation.
Concept of personal data collection
The wording of Part 5 of Art. 18 of the Federal Law "On Personal Data" connects the operator's obligation to ensure localization with the process of collecting personal data. In this regard, the definition of the concept of "collection" of personal data becomes important, since the amount of costs that need to be incurred to adapt the IT systems involved in the process of processing personal data to the requirements of the FZ-242 directly depends on it.
Obligations to localize individual processes of personal data processing arise only when the data is collected. From Part 1 of Art. 18 of the Federal Law "On Personal Data," dedicated to the operator's duties when collecting personal data, we can conclude that collection can be understood as a targeted process of obtaining personal data by the operator directly from the subject of personal data or through third parties specially involved for this purpose. Thus, only personal data obtained by the operator as a result of its purposeful activities to organize the collection of such data are subject to localization, and not data that reached the operator accidentally (unsolicited), for example, through the receipt of letters by e-mail or other mail containing personal data.
Similarly, it is not collection for one legal entity to receive personal data from another legal entity if such data is the contact information of employees or representatives of such legal entity transferred during the course of their legal activities. It should also be noted that when a subject collects information containing personal data and subsequently processes it using computing power provided by another person, the responsibility for compliance with the requirements of Part 5 of Art. 18 of the Federal Law "On Personal Data" lies with the specified subject, taking into account the purposeful nature of its activities in collecting and processing the relevant information.
Legal Grounds for PD Processing
Correlation of the requirement for localization of individual processes of personal data processing with the provisions on cross-border transfer of personal data
The question of the admissibility, as well as the conditions for the admissibility of storing, processing personal data of citizens of the Russian Federation abroad, invariably arose during any discussion related to the adoption of the FZ-242, they say in the Ministry of Telecom and Mass Communications. This is largely due to the novelty of the very concept of localization of personal data, as well as a number of statements and comments made in the media space regarding the incompatibility of the requirements for localizing the processes of storing personal data on the territory of the Russian Federation with the possibility of their processing abroad. At the same time, the functioning of not only cross-border companies in the Russian market, but also a number of domestic companies that optimize their costs through the use of foreign IT services depends on the availability of clear explanations on this issue.
In accordance with Part 5 of Art. 18 of the Federal Law "On Personal Data," personal data should be collected, updated and changed using databases located on the territory of the Russian Federation, with the exception of cases specified in paragraphs 2, 3, 4, 8 of Part 1 of Art. 6 of the Federal Law "On Personal Data." However, it should be borne in mind that the amendments to the Federal Law "On Personal Data" made by the FZ-242 did not affect the provisions of the law on cross-border data transfer. Accordingly, the transfer of personal data outside the Russian Federation is possible, as before, in compliance with the conditions specified in Art. 12 of the Federal Law "On Personal Data."
Thus, the requirement to localize certain processes of processing personal data contained in Part 5 of Art. 18 of the Federal Law "On Personal Data" should be interpreted in systemic unity with the provisions of Art. 12 on cross-border data transfer and taking into account the definition of this concept contained in paragraph 11 of Art. 3: "transfer of personal data to the territory of a foreign country to a foreign person: authority of a foreign state, a foreign individual or a foreign legal entity." Accordingly, personal data of a citizen of the Russian Federation, initially entered into the database on the territory of the Russian Federation and updated in it ("primary database"), can then be transferred to databases located outside Russia ("secondary databases"), administered by other persons, in compliance with the provisions on cross-border data transfer.
Such secondary databases may be used, inter alia, for backup, advertising services, etc. At the same time, when personal data is transferred abroad to another operator, such operator shall be responsible for actions taken in relation to the transferred personal data in accordance with the applicable legislation. FZ-242 does not prohibit providing remote access to databases located on the territory of the Russian Federation from the territory of another state.
Frequently Asked Questions
Nationality
- How should the citizenship of the personal data subject be determined for the purpose of fulfilling the localization requirements?
The question of the procedure for determining the citizenship of personal data subjects is not regulated in a regulatory manner. The legislator thus provided an opportunity for the personal data operator to independently resolve this issue based on the specifics of its activities. If this issue was not resolved by the operator on its own, then it is possible to apply Part 5 of Art. 18 of the Federal Law "On Personal Data" to all personal data collected on the territory of the Russian Federation.
Air transportation
- Do the requirements provided for in Part 5 of Article 18 of the Federal Law "On Personal Data" (as amended by Law 242-FZ) apply to the activities of air carriers, their authorized agents, as well as other persons, in terms of processing personal data of passengers who are citizens for the purpose of booking, preparing and issuing to them air tickets (travel tickets), baggage receipts and other transportation documents?
From the provisions of Parts 2 and 3 of Article 105 of the Air Code of the Russian Federation it follows that a passenger air transportation contract and a cargo or mail air transportation contract are certified, respectively, by a ticket and, where the passenger carries baggage, a baggage receipt, by a cargo consignment note, and by a postal consignment note. A ticket, baggage receipt and other documents used in the provision of services for the air transportation of passengers can be issued in electronic form (electronic transportation document) with the placement of information on the terms of the air transportation contract in the automated information system for registration of air transportation. Thus, in order to implement the above provisions of the law, air carriers need to process passenger personal data in order to draw up documents certifying the conclusion of an air transportation contract.
In accordance with Art. 85.1 of the Air Code of the Russian Federation, in order to ensure aviation safety, carriers ensure the transfer of personal data of passengers of aircraft to automated centralized databases of personal data in accordance with the legislation of the Russian Federation on transport security and in the field of personal data, as well as during international air transportation - to authorized bodies of foreign states in accordance with international treaties of the Russian Federation or legislation of foreign states of departure, destination or transit. It should be borne in mind that the Russian Federation is a party to a number of international conventions in the field of air transportation, which also form an integral part of the legal regulation of the activities of air carriers and related information processes.
Based on the above, the requirements of Part 5 of Art. 18 of the Federal Law "On Personal Data" do not apply to the activities of Russian, as well as foreign, air carriers in terms of collecting and processing personal data of passengers who are citizens for the purpose of booking, preparing and issuing transport documents to them, since they fall under the exception provided for in paragraph 2 of Part 1 of Art. 6 of the Federal Law "On Personal Data." The requirements of Part 5 of Art. 18 of the Federal Law "On Personal Data" also do not apply to the activities of persons acting on behalf of the air carrier (authorized agent) and other persons in terms of processing personal data of such passengers solely for the purpose of booking, preparing and issuing transportation documents to them.
Personnel
- Does the employer (with the written consent of the personal data subject) have the right to carry out cross-border transfer of personal data of its employees?
Considering that the Federal Law "On Personal Data" does not provide for a ban on the transfer of personal data, including cross-border, if such a transfer is carried out in accordance with the legislation of the Russian Federation, we consider cross-border transfer of this category of personal data possible.
- Does the requirement of the law on mandatory processing of PD of citizens of the Russian Federation using databases located on the territory of the Russian Federation apply to an employer who processes personal data of his employees in order to comply with the norms of labor legislation of the Russian Federation and who, due to the specifics of the work, has the need to process PD of his employees using databases located outside the Russian Federation?
If the processing of personal data falls under the exceptions provided for in paragraphs 2, 3, 4, 8 of Part 1 of Article 6 of the Federal Law "On Personal Data," the provisions of Part 5 of Article 18 of 152-FZ do not apply. The appropriate qualification of actions for processing personal data and ensuring their compliance with the requirements of the law must be carried out by the personal data operator itself. The correctness of this qualification and of the processing in a specific situation is checked by the authorized federal body during control measures.
Medical secrecy and personal data
Information about the fact of a citizen's request for medical care, his state of health and diagnosis, other information obtained during his medical examination and treatment constitute a medical secret.
Goods and Services
- Will citizens of the Russian Federation be able to place their PD in a format convenient for them and use the services offered on the world market of goods, works, services (for example: tourism (booking), ordering goods, banking services, etc.)?
We believe that the amendments made to the legislation of the Russian Federation by Federal Law No. 242-FZ do not prevent Russian citizens from receiving services outside the Russian Federation if these services provide for the processing of their personal data outside the Russian Federation, in accordance with an international treaty or in accordance with federal law, or within the framework of other exceptions that are not covered by the norm of Part 5 of Article 18 of the 152-FZ.
Cross-border
- Does the law apply extraterritorially and should those persons (including non-residents of the Russian Federation), to whom the operators or the subjects of the PD themselves (citizens of the Russian Federation) send PD, legally also process them on the territory of the Russian Federation?
In accordance with the principles of international law, the domestic legislation of a state operates exclusively in the territory of that state and does not apply to non-residents located in the territory of another state. A similar rule, that federal laws operate on the territory of the Russian Federation, is also contained in Article 4 of the Constitution of Russia. Thus, the provisions of FZ-242, which clarify the procedure for processing personal data in information and telecommunication networks, do not apply to non-residents of the Russian Federation located and operating on the territory of other states.
- The ratification by the Russian Federation of the Council of Europe Convention on the Protection of Individuals in relation to automated processing of personal data may lead to a conflict between the law and the convention: "a party should not prohibit or condition with special permission cross-border flows of personal data going to the territory of the other party for the sole purpose of protecting privacy." Should the law or the convention be followed in this situation?
From the totality of the provisions of Part 5 of Article 18 of the Federal Law "On Personal Data" and Paragraph 2 of Part 1 of Article 6 of the same law, it follows that the processing of personal data for the purposes of, and in accordance with the requirements established by, the ratified Council of Europe Convention on the Protection of Individuals in relation to automated processing of personal data does not contradict the legislation of the Russian Federation governing relations in the field of personal data protection. In addition, Part 5 of Article 18 of 152-FZ does not restrict the cross-border transfer of personal data of citizens of the Russian Federation.
- Does the law apply to PD of citizens of the Russian Federation who were legally transferred for their processing outside the territory of the Russian Federation before its entry into force?
The law applies to legal relations that arose after its entry into force, unless otherwise defined in the law itself. FZ-242 contains no indication of a different procedure for the application of its norms over time. If the personal data of citizens of the Russian Federation were legitimately collected before the entry into force of FZ-242, they may remain abroad unchanged.
At the same time, if, after the entry into force of FZ-242, personal data were collected and, as a result of their processing, including in relation to previously collected personal data, the actions provided for in Part 5 of Article 18 of the Federal Law "On Personal Data" (recording, systematization, accumulation, storage, clarification (updating, modification), extraction) were performed, then in relation to such previously collected personal data the operator is obliged to perform the mentioned actions using databases located in the territory of the Russian Federation. This position is shared by the State Legal Department of the President of the Russian Federation.
- If the personal data subject gave his consent to the operator to process his PD in the PD databases outside the Russian Federation, does this allow the operator, on the basis of such a will of the PD subject, to process PD in the databases outside the Russian Federation?
In itself, this is not a basis for carrying out these actions.
- FZ-242 contains the wording: "When collecting personal data, including through the 'Internet' information and telecommunication network, the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation, with the exception of cases specified in paragraphs 2, 3, 4, 8 part 1 of Article 6 of this Federal Law." Does the law prohibit the subsequent processing (after collection, for example, reporting, data analysis, etc.) of personal data in databases located outside the Russian Federation?
The law does not provide for the concept of "primary collection," but establishes the requirements for the processing of personal data in any collection of information, while highlighting such operations with PD as clarifying (updating, changing) information containing personal data. For the purposes of the law, the information collection process also includes procedures for storing and accumulating information, which in itself does not allow using such a concept as "primary collection."
Thus, the law obliges the operator, when processing collected personal data by systematizing, accumulating, storing, clarifying and extracting them, to use databases located on the territory of the Russian Federation. If, in order to compile reports or analyze information containing personal data, the operator needs to carry out the mentioned forms of personal data processing, then such actions should be carried out using databases located in the territory of the Russian Federation.
- How justified is the interpretation of the law, according to which the personal data operator is obliged to ensure the recording, systematization, accumulation, storage of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation only during (primary) collection of personal data, and subsequent processing using databases located not on the territory of the Russian Federation, as well as cross-border data transfer to a third party is not prohibited?
The interpretation in terms of primary collection is incorrect for the following reasons. The law does not provide for the concept of "primary collection," but establishes the requirements for the processing of personal data in any collection of information, while highlighting such operations with PD as clarifying (updating, changing) information containing personal data. For the purposes of the law, the information collection process also includes procedures for storing and accumulating information, which in itself does not allow using such a concept as "primary collection." Thus, the law obliges the operator, when processing collected personal data by systematizing, accumulating, storing, clarifying and extracting them, to use databases located on the territory of the Russian Federation.
- Does the localization requirement apply to cases of entering personal data of Russian citizens into databases that are located outside the Russian Federation, if such personal data have previously been localized in accordance with the FZ-242?
The relevance of this issue is due to the frequent presence within one organization of many databases in which personal data can be processed. Also, personal data is often collected initially in "paper" form with their subsequent entry by an employee of the organization into a general corporate electronic database located abroad.
The imposition on the operator of the obligation to localize each of these databases leads to a significant increase in costs that are not accompanied by an increase in the protection of personal data subjects (since their data have already been localized on the territory of the Russian Federation). In addition, in some cases, the peculiarities of building the company's information infrastructure do not allow the localization of all databases without a radical restructuring of its global infrastructure.
As follows from the text of Part 5 of Art. 18 of the Federal Law "On Personal Data," the operator's obligation to ensure the recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation is considered fulfilled when these actions were performed, at the time the personal data were collected, using a database located on the territory of the Russian Federation. At the same time, the article does not contain an indication that such actions should be carried out exclusively using databases located in Russia.
In this regard, if the requirements of FZ-242 have already been met in relation to a certain set of personal data, re-localization of such personal data is not required, since the goals of the law have already been achieved. Accordingly, if personal data were recorded during collection in a database located on the territory of the Russian Federation, then subsequently such personal data can be entered by the employee (representative) of the operator into an electronic database belonging to the operator and located outside the Russian Federation.
- Is it possible to store personal data (PD) of citizens of the Russian Federation outside of it, provided that there is a duplicate (copy) of the PD database of citizens of the Russian Federation in the territory of the Russian Federation (and vice versa, when the PD database outside the Russian Federation is a copy (or part) of the database formed and located in Russia), or is processing of PD in the territory of another state generally prohibited?
In accordance with the provisions of paragraph 7 of Part 4 of Article 16 of the Federal Law[41] of July 27, 2006, the information holder or operator of an information system must, in cases established by the legislation of the Russian Federation, ensure that the databases used for the collection, recording, systematization, accumulation, storage, clarification (updating, modification) and extraction of personal data of citizens of the Russian Federation are located on the territory of Russia.
The Ministry of Telecom and Mass Communications believes that, taking into account the provisions of Part 5 of Article 18 of Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" (which comes into force on September 1, 2015), the processing of PD of citizens of the Russian Federation on the territory of another state may be carried out exclusively in cases provided for by paragraphs 2, 3, 4, 8 of Part 1 of Article 6 of the Federal Law "On Personal Data," for which there is an exemption in Part 5 of Article 18 of 152-FZ. It should also be borne in mind that the law makes no distinction between a "main" personal data database and its "copy." In both cases, we are talking about a database with which personal data is processed. At the same time, the Federal Law does not contain indications of a general ban on the processing of personal data of citizens of the Russian Federation using databases that are not located in Russia.
In this regard, the Ministry of Telecom and Mass Communications believes that the processing of personal data of citizens of the Russian Federation through collection, recording, systematization, accumulation, storage, clarification, extraction can be carried out using databases that are not located on the territory of the Russian Federation in the following cases:
- where such activities fall within the scope of paragraphs 2-4, 8 of Part 1 of Article 6 of 152-FZ;
- if such activities do not fall under the cases provided for in paragraphs 2-4, 8 of Part 1 of Article 6 of 152-FZ, and databases located on the territory of the Russian Federation are used for such processing and contain a volume of personal data greater than or equal to that held outside the territory of the Russian Federation (in this case, personal data must not be held outside the territory of the Russian Federation unless they are simultaneously held within it).
Terminology
- Taking into account the explanatory note to the law, which states that its purpose is to improve the institution of processing personal data of citizens of the Russian Federation in information and telecommunication networks, it is necessary to clarify whether the requirements of the law apply to all persons who meet the concept of "operator" within the meaning of Art. 3 of the Federal Law of the Russian Federation No. 152-FZ of 27.07.2006, or only to operators whose main activity can be recognized as PD processing using information and telecommunication networks?
In accordance with the provisions of Clause 2 of Article 3 of the Federal Law "On Personal Data," the operator is a state body, municipal body, legal entity or individual, independently or together with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data.
Thus, the provisions of FZ-242 apply to all of the above entities. The adopted Federal Law does not limit the application of Part 5 of Article 18 of 152-FZ to operators for whom the processing of personal data is their main activity, or to operators who process personal data only using information and telecommunication networks.
- In an explanatory note to the bill, as well as when covering the amendments by the press, it was mentioned that the purpose of the bill is to restrict the processing of personal data exclusively through the Internet, while the final version of the bill, which was adopted by the State Duma, contains a more expansive and ambiguous interpretation of this norm. Does the law really apply to any processing of personal data (and not only on the Internet) and, if not, are there any bills planned for adoption that clarify this point?
In accordance with the provisions of Clause 2 of Article 3 of the Federal Law "On Personal Data," the operator is a state body, municipal body, legal entity or individual, independently or together with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data. Thus, the provisions of FZ-242 apply to all of the above entities.
The adopted Federal Law does not limit the application of Part 5 of Article 18 of 152-FZ to operators for whom the processing of personal data is their main activity, or to operators who process personal data only using information and telecommunication networks. The existing plans for legislative activity do not provide for the development of a draft Federal Law correcting this provision.
- What is meant by the collection of personal data in the context of the requirements of the law?
152-FZ does not define this term. For purposes of interpretation, the collection of personal data can be understood as a documented procedure by which the operator obtains personal data from the subject for their subsequent processing in accordance with the stated purposes of collection. A similar definition is contained in article 2 of the Model Law on Personal Data, adopted at the XIV Plenary Meeting of the Inter-Parliamentary Assembly of the CIS Member States by Resolution No. 14-19 of October 16, 1999 (Collection of Personal Data: a documented procedure by which the holder obtains personal data from the subjects of this data).
- The new requirements (Clause 5 of Article 18) read: "When collecting personal data, including through the 'Internet' information and telecommunication network, the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (updating, modification), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation...." Does this mean that these requirements apply exclusively to the collection process, but do not apply to any subsequent actions with personal data?
The above requirements of the law apply, among other things, to the processing by the operator of personal data obtained as a result of collection, namely, recording, systematization, accumulation, storage, clarification (update, change), extraction.
- Please clarify in the regulations the concept of personal data due to the fact that this is rather vague in the law.
The existing concept contained in paragraph 1 of Article 3 of 152-FZ ("any information relating directly or indirectly to a certain or determined individual") corresponds to international law, namely subparagraph "a" of Article 1 of the Convention on the Protection of Individuals in the Automated Processing of Personal Data, ratified by Federal Law No. 160-FZ of December 19, 2005 ("any information about a certain or identifiable individual"). It does not seem feasible to define the composition of personal data more precisely, including by listing them. The law also does not contain the authority to clarify this term by by-laws.
- Considering that, when collecting PD, the operator is obliged to ensure the recording, systematization, accumulation, storage, clarification (update, change), extraction of PD of citizens of the Russian Federation using databases located in Russia, and that the concept of "processing personal data" in addition to these actions also includes the collection, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of PD, do we understand correctly that such PD processing as collection, use, transmission, depersonalization, blocking, deletion, destruction is possible using databases located outside the Russian Federation? Please clarify what actions are included in the concept of "use of personal data."
The understanding is correct. 152-FZ does not define the term "use of personal data." For purposes of interpretation, the term "use of personal data" can be understood to mean actions with personal data that are not related to other forms of processing of personal data, including making decisions based on personal data, for the implementation of which personal data was collected (the purpose of collecting personal data must correspond to the purpose of using personal data).
- According to paragraph 2 of Article 3 of Law No. 152-FZ, the concept of "operator" includes a legal entity that independently or together with other persons organizes and (or) performs processing of PD, and also determines the goals of PD processing, the composition of PD to be processed, actions taken with PD. If the legal entity only partially meets this definition (for example, does not process PD, but only determines the goals of PD processing), is such a legal entity considered a PD operator?
The concept of "operator" is contained in Article 3 of Law No. 152-FZ and means a state body, municipal body, legal entity or individual, independently or together with other persons organizing and (or) carrying out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data.
Since Article 3 of Law No. 152-FZ contains no exceptions for individual personal data processing operations performed by a person, and no definitions other than that of the operator, a person who determines the purpose of personal data processing or performs individual personal data processing actions is, in the context of the provisions of Law No. 152-FZ, an operator processing personal data.
2014: Adoption of a law on the storage of personal data of Russians in Russia
The regulation on localization of storage and of individual personal data processing operations, set out in FZ-242[42] of July 21, 2014, states that "when collecting personal data, including through the Internet information and telecommunication network, the operator must ensure the recording, systematization, accumulation, storage, clarification (update, change), extraction of personal data of citizens of the Russian Federation using databases located on the territory of the Russian Federation." The exception is the cases specified in paragraphs 2, 3, 4, 8 part 1 of article 6 of this Federal Law (part 5 of article 18 of the Federal Law "On Personal Data").
Law 242 amended laws 152 ("On personal data"), 149 ("On information") and 249 ("On the protection of the rights of legal entities and individual entrepreneurs in the implementation of state control (supervision) and municipal control").
See also
- Processing of personal data in Kazakhstan
- Protection of personal data in countries of the world
- GDPR (EU Personal Data Regulation)
- Data Code of Ethics
- IDX: Datamania
Notes
- ↑ Roskomnadzor proposed to limit the collection of personal data
- ↑ Khinshtein explained how special personal data operators will work
- ↑ Ecosystem tributaries
- ↑ The authorities are discussing the creation of an institute of authorized personal data operators
- ↑ Clickers to the people
- ↑ The Ministry of Digital Development told how to write about the affected children without violating the law
- ↑ Security officials allowed to encrypt
- ↑ What is officially considered biometrics - draft resolution
- ↑ VS refused to recognize e-mail as personal data
- ↑ The government supported the right of security officials to edit databases of certain categories of citizens
- ↑ RKN issued the first bans on the transfer of personal data of Russians abroad
- ↑ Roskomnadzor will control the storage of data in the networks of enterprises
- ↑ List of instructions following the meeting with members of the Government
- ↑ passed a law to protect buyers from unreasonable collection of personal data
- ↑ The State Duma approved in the first reading the law on expanding the access of the prosecutor's office to personal data of Russians
- ↑ List of instructions following the conference "Journey to the world of artificial intelligence"
- ↑ The Ministry of Digital Development proposes to establish key indicators of control over the processing of personal data
- ↑ Project passport: On amending the regulation on federal state control (supervision) over the processing of personal data
- ↑ Central Bank proposes to enable Russians to withdraw personal data from companies
- ↑ Information letter on the consent of borrowers to the processing of their personal data
- ↑ [https://www.kommersant.ru/doc/4927617?utm_source=yxnews&utm_medium=desktop&nw=1628008193000 Personal data - in every hand. The turnover of information about bank customers]
- ↑ [https://tass.ru/ekonomika/11662983 The State Duma adopted in the second reading a bill on the regulation of IT giants]
- ↑ Bill No. 1176731-7 On the activities of foreign persons in the Internet information and telecommunication network in the Russian Federation
- ↑ Pushkov. The State Duma approved in the second reading a bill obliging large IT companies to open representative offices in Russia
- ↑ Facebook, Twitter and other social networks must localize the databases of Russians by July 1
- ↑ The Ministry of Digital Development has developed a regulation on control over the processing of personal data
- ↑ Database without data. The Ministry of Digital Development opposed the creation of a new system for collecting information about Russians
- ↑ ILV has developed rules for using the system for the processing of personal data
- ↑ The Duma increased fines for violations in the processing of personal data
- ↑ The State Duma increases fines for violation of the rules for processing personal
- ↑ Specifics will be added to personal data
- ↑ The Ministry of Digital Development Industry supported the tightening of personal data regulation, but business did not
- ↑ The business has spoken publicly. Companies criticized the bill on personal data
- ↑ The Ministry of Communications and Mass Communications will figure out how to protect Russians from spam
- ↑ Roskomnadzor fined telecom operators 2.6 million rubles.
- ↑ [https://www.securitylab.ru/news/497972.php (inaction) of officials The Government of the Russian Federation approved the rules for the implementation of state control over the processing of PD]
- ↑ Roskomnadzor will check Microsoft for localization of user data
- ↑ Roskomnadzor activates verification of companies for data localization
- ↑ No. 149-FZ, Federal Law No. 149 of July 27, 2006 "On Information, Information Technology and Information Protection"
- ↑ Federal Law No. 242 of July 21, 2014 "On Amendments to Certain Legislative Acts of the Russian Federation in Terms of Clarifying the Procedure for Processing Personal Data in Information and Telecommunication Networks"