The Russian personal data localisation requirements that were introduced over a year ago proved to be a significant challenge for businesses. It seems, however, that companies may have to contend with further regulation of so-called “big data”.
Personal data localisation – where do we stand one year on?
The personal data localisation rules (see here for our previous Alert on this issue) have now been in force in Russia for over a year. In this regard, the Federal Service for Supervision of Communications, Information Technology and Mass Media (“Roskomnadzor”) reviewed* its application of the localisation rules in the first year of their implementation.
According to Roskomnadzor, 1,036 inspections, including 82 unscheduled checks, were carried out over this period. Roskomnadzor found 23 violations of the data localisation requirements. Also, eight of these violations were discovered during its systematic monitoring of companies’ compliance with this regulation (see here for our previous Alert on this aspect). Interestingly, the violations of the localisation rules represent only a small part of the total number of discovered infringements. This shows, in particular, that Roskomnadzor continues to actively search for and detect other cases of non-compliance with the personal data protection rules, including the failure to obtain consent to processing of personal data, where such consent is required. As before, Roskomnadzor prefers to give the offenders time to rectify their violations rather than impose fines on them.
Roskomnadzor has focused its inspections on certain economic sectors, taking into consideration the spheres of operations of the companies under review. Over the past year, Roskomnadzor inspected, in particular, insurance companies, recruitment agencies, e-commerce operators, ticketing and booking services providers, financial organisations and dealership centres. The list of inspected companies shows that inspections primarily target companies that collect and process large volumes of personal data.
Roskomnadzor also reported that about 63,000 data operators had disclosed the location of their databases with Russian citizens’ personal data.
Further to Roskomnadzor’s activities, 161 web resources have been added to the Register of Violators of Personal Data Subjects’ Rights (the “Register”).
In addition, a court of first instance ruled, in August 2016, in favour of Roskomnadzor, empowering it to restrict access to LinkedIn, a popular social networking site. The appeal proceedings on this case are still pending, and if the lower court’s judgment is upheld, LinkedIn will also be added to the Register.
This case may be a signal to the business community, indicating that Roskomnadzor is ready to impose sanctions for violations of the personal data localisation rules even against global blue chip corporations.
Roskomnadzor’s review shows that it is ready to add web resources to the Register. Thus, companies whose business processes or active marketing activities involve the internet and relate to the collection and processing of Russian citizens’ personal data should take this development into account.
Big data regulation
Big data implies the processing of a significant amount of unstructured information (data) and its presentation in a format that is useful to human specialists. Today, big data represents one of the backbone elements of the activities of IT and e-commerce companies.
Due to the increasing role of big data and the scope of its applications, the state authorities in several countries, including Russia, have recognised the need for special legislative regulation of big data processing.
Alexander Zharov, the head of Roskomnadzor, has repeatedly highlighted the need for taking special measures to monitor big data. Specifically, these measures include the creation of a single big data operator* and the adoption of a special law* dedicated to this field.
Although these initiatives have yet to be officially adopted, companies using big data processing tools should:
- monitor all the legislative and regulatory developments in this area; and
- introduce corporate regulations into their business processes (i) to make their operations more transparent; and (ii) to monitor potential violations of personal data rules when processing big data.
* In Russian