On 7 November 2019, 10th annual International Data Protection Conference under the auspices of the Russian DPA (Roskomnadzor) took place in Moscow. The conference is a helpful platform for the business to communicate with the regulator.

This time some of the data protection issues arising in the commercial activities discussed during the conference were as follows:

Personal data: is defined in the Russian Law On Personal Data as 'any information related to a directly or indirectly identified or identifiable individual' which is in line with the respective definition in the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Having said this, there are still questions from the business community which arise in relation to the data which may be deemed personal, in particular, whether telephone number on its own may be considered personal data. Previously, the DPA clarified that the telephone number identified the end user equipment and did not identify an individual data subject. Now, the DPA commented that the DPA is drafting clarifications in relation to the categories and scope of personal data which the DPA aims to publish until the end of 2019. The DPA also commented that there is no intention to amend the statutory definition of personal data and it will remain wide.

Legitimate interest: Under the Russian Law On Personal Data, legitimate interest is one of the statutory grounds for the processing of personal data. Having said this, it is not common in the Russian market to rely on this ground due to limited information on the views of the regulator and enforcement practice. Now the DPA commented that it intends to consider this ground further but it is unlikely to be interpreted widely. The latter alludes to a conclusion that the future interpretation by the Russian DPA of the legitimate interest is unlikely to enable the Russian data operators to rely on legitimate interest as widely as the data controllers under the GDPR under which legitimate interest remains the most flexible legal basis for processing.

Written consent: there are stringent statutory requirements to written consent which the DPA interprets narrowly as requesting a separate consent form for each purpose of processing. As this is cumbersome to comply with in commercial context the Russian Ministry of Communications has initiated a draft law to allow having a number of purposes for processing listed in one consent form enabling a data subject to actively grant consent in relation to each listed purpose.