Introduction

In Summer 2022, Russia significantly amended its Personal Data Law (Federal Law on Personal Data No.152-?? dated 27 July 2006). The new rules and restrictions concern, among other things:

  • cross-border transfers;
  • the extra-territorial application of the law; and
  • data breach notification procedures.

This article outlines the key amendments and provides guidance on how businesses can ensure their compliance.

Extra-territorial scope

Currently, the Personal Data Law applies within the borders of Russia. According to guidance from the Ministry of Digital Development, Communications and Mass Media, it also applies to international websites that contain content in Russian and meet other criteria which indicate that "the website owner seeks to expand its business over the Russian market".

As of 1 September 2022, the Personal Data Law applies in cases where foreign legal entities and/or natural persons process Russian nationals' personal data on the basis of either agreements concluded with data subjects or their consent. This rule may be understood such that non-Russian data controllers will be obliged to comply with all provisions of the Personal Data Law, including the requirement to process data "with the use of databases located in the territory of the Russian Federation" (the so-called "data localisation requirement"). It is unclear how foreign controllers with no presence in Russia are expected to learn about the rules applicable to them and how the local privacy watchdog (Roscomnadzor) might verify their compliance.

Cross-border transfers

The amendments to article 12 of the Personal Data Law provide that a data controller must notify Roscomnadzor prior to conducting cross-border transfers. The notice must describe, among other things:

  • the destination country;
  • the lawful basis of the transfer;
  • the purpose of the transfer; and
  • data categories.

Roscomnadzor has the power to prohibit the notified cross-border transfer within 10 business days of receipt of the notice.

If there is an adequacy decision in respect of the destination county, the data exporter may transfer personal data immediately upon notifying Roscomnadzor. There are adequacy decisions in respect of all parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (European Treaty Series No. 108) and several other countries shortlisted by Roscomnadzor (eg, Australia, Canada, Singapore and Japan). The data exporter may transfer personal data to the rest of the world after 10 business days from the date of notice unless Roscomnadzor prohibits such transfer after reviewing the notice.

If the exporter transferred data outside Russia before Roscomnadzor had prohibited such transfer, the exporter must ensure that the importer delete all data received prior to the prohibition. The amendments do not clarify what exactly the exporter and importer should do. From a practical point of view, they should agree on an appropriate data deletion procedure in their data processing or data transfer agreement.

Prior to performing a cross-border transfer, the data exporter must assess how the data importer will ensure the confidentiality and security of personal data. The new article 12(5) of the Personal Data Law states that the data importer must inform the data exporter about the personal data laws of the destination country (if there is no adequacy decision), and the importer's data security measures, company name and contact details. The data exporter must disclose such information upon request by Roscomnadzor. Roscomnadzor may potentially use this new rule to collect basic information about business relations between a Russian exporter and foreign importer of personal data.

The new cross-border rules take effect on 1 March 2023.

Data processing agreements

Article 6(3) of the Personal Data Law currently requires the following mandatory clauses to be added to data processing agreements:

  • processing purposes and actions;
  • data confidentiality and security undertakings; and
  • IT security requirements.

The amendments supplement the list of mandatory clauses with the following:

  • the full list of processed data categories;
  • auditing and data breach reporting procedures; and
  • the processor's obligations to fulfil the data localisation requirement and perform various compliance measures.

Data breach notification

As of 1 September 2022, data controllers are required to notify Roscomnadzor if they become aware of a data leak affecting data subjects' rights. The first notice – containing details about the incident, its alleged reasons, the potential harm to data subjects, elimination measures and the controller's contact person – must be submitted within 24 hours.

The second notice must contain an internal investigation report and information about persons (if any) whose actions led to the leak. This notice is to be filed within 72 hours of becoming aware of the data leak. This means that the controller must investigate the leak within this timeframe.

Other important changes

Among other things, the amendments require data controllers to:

  • maintain records of processing activities and adopt certain other compliance documents;
  • organise data destruction according to rules that are to be adopted by Roscomnadzor;
  • conduct evaluations of harm according to rules that are to be adopted by Roscomnadzor. This will likely be the Russian version of the EU General Data Protection Regulation data protection impact assessment;
  • connect to the State System of Detection, Prevention and Elimination of Consequences of Computer Attacks;
  • respond to Roscomnadzor's inquiries and letters within 10 business days (the previous term was 30 days);
  • inform data subjects of how their data is processed within 10 business of a data subject request (the previous term was 30 days); and
  • not discriminate against customers who do not want to provide biometrical data unless otherwise prescribed by law.

Liability

The amendments do not strengthen the fines for breaching the Personal Data Law. It is expected that the Ministry of Digital Development, Communications and Mass Media will introduce a bill introducing turnover fines for data leaks. The level of the controller's compliance with the Personal Data Law may be considered as an extenuating or aggravating circumstance.

What should controllers do?

Controllers should audit their data processing activities and plan their compliance measures. The highest priority should be given to:

  • drafting data breach notification and privacy audit policies;
  • reviewing and updating other internal policies and procedures in line with the amendments;
  • preparing records of processing activities; and
  • updating data processing agreements.

Controllers should revise their cross-border transfers and request information from data importers on their security measures and permission to disclose their contact details to Roscomnadzor by 1 March 2023. These steps will help to prepare cross-border transfer notices as soon as Roscomnadzor releases the notice form. The authorities are expected to provide further guidance on how to comply with the key legislative changes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.