As a result of the recent implementation of Decree No. 327, Russia’s data protection authority – the Roskomnadzor – now has greater authority to conduct audits of online companies to monitor their handling of user data. Decree No. 327, adopted in April, introduces compliance audit rules which apply to all online organisers of information distribution, and provides the Roskomnadzor with increased supervisory powers.
The Decree enables the Roskomnadzor to check how online businesses process, store and transmit text, voice and other electronic messages of Internet users, and how organisers of information distribution process, store and transmit information about Internet users. These new capabilities are designed to assist the Roskomnadzor in protecting the legitimate rights of the users by ensuring data protection requirements are met.
These additional powers are not unlimited, though. The Roskomnadzor must give businesses a 24-hour warning ahead of any planned audit, and must finalise its investigation within 60 days. Furthermore, the audit can only be carried out at the request of a law enforcement agency, or if organisers of information distribution have failed to abide by the law.
Internet businesses operating in Russia should already have registered as organisers of information distribution under Federal Law No. 97-FZ, and so should ensure they are familiar with the new investigatory powers the Roskomnadzor has, and are prepared for an audit should it be requested.