Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.
Trends and climate
Would you consider your national data protection laws to be ahead or behind of the international curve?
Overall, Russian data protection law is in line with international standards in this area. In fact, the Strasbourg Convention 1981 (ratified by Russia in 2005) laid the foundation for the Russian personal data protection legislation, which was adopted in 2006. In contrast to developed foreign regimes, however, Russian data protection law is less adapted to constantly evolving technologies (eg, big data, cloud computing, cookies and online behavioural targeting). The regulator also often opts to remain silent on many such issues, leaving room for uncertainty.
At the same time, over the past few years privacy and personal data protection have been at the forefront of the regulator’s focus. In 2014 Russia adopted a rule that requires all data operators (both controllers and processors) that process the personal data of Russian citizens to use databases physically located in Russia. This policy had a major impact on international online services, making such service providers rethink their data flows. One notable enforcement action against a foreign online service involved the blocking of LinkedIn in Russia.
The year 2017 was further marked by the significant increase in fines for non-compliance with personal data regulations, which entered into force on July 1 2017.
Amid these developments, the regulator has actively monitored and enforced compliance with personal data laws. Companies are advised to review forward-looking lists of legal entities subject to audits published by the regulator on an annual basis (see https://rkn.gov.ru/plan-and-reports/).
Are any changes to existing data protection legislation proposed or expected in the near future?
Several legislative initiatives affecting the personal data legislation have been announced, including with regard to:
- the regulation of big data;
- the clarification of rules applicable to cross-border transfers of personal data and the processing of biometric personal data; and
- the breach notification obligations.
These initiatives are in the early stages of development and are unlikely to cause significant disruption for the business community.
What legislation governs the collection, storage and use of personal data?
The main pieces of legislation governing the collection, storage and use of personal data in Russia are the Personal Data Act (Federal Law 152-FZ, July 27 2006) and the Information Act (Federal Law 149-FZ, July 27 2006).
Specific rules are spread across other laws, such as:
- the Labour Code, which governs the processing of employees’ personal data;
- the Air Code, which governs the transfer of passengers’ personal data;
- the Civil Code, which sets general civil law principles applicable to privacy; and
- Federal Law 323-FZ (November 21 2011), which governs patients’ data.
Detailed data protection measures are set out in Russian Government Decision 1119 (November 1 2012) and Federal Service for Technical and Export Control Order 21 (February 18 2013), with a number of other administrative and technical rules contained in decrees and decisions of various other authorities.
Scope and jurisdiction
Who falls within the scope of the legislation?
The personal data legislation generally applies to all Russian legal entities, individuals, state and municipal bodies. It also has an extraterritorial reach in certain cases. For instance, the requirement to process personal data relating to Russian citizens in databases physically located within the territory of Russia also applies to foreign companies.
What kind of data falls within the scope of the legislation?
Under the Personal Data Act, ‘personal data’ is defined to include “any information relating directly or indirectly to an identified or identifiable individual (personal data subject)”. The law also defines two particular categories of personal data that are subject to stricter rules:
- ‘Special categories of personal data’ include information that relates to racial or ethnic origin, political opinions, religious or philosophical beliefs and the state of health or private life; and
- ‘Biometrical personal data’ includes data characterising physiological and biological features of a human being, based on which the individual’s identity may be ascertained.
Are data owners required to register with the relevant authority before processing data?
A data operator must notify Roskomnadzor (the principal authority overseeing compliance with data protection legislation in Russia) of its intention to process personal data before commencing with the processing, with certain exceptions provided for in Article 22(2) of the Personal Data Act. Such exceptions include the processing of the following personal data:
- data processed pursuant to labour legislation;
- data obtained by the operator in the course of entering into a contract with a personal data subject, provided that such data is not disseminated or transferred to third parties without the data subject’s consent and is used only to perform the contract and enter into further contracts with the personal data subject;
- data that has been made publicly available by the personal data subject;
- data comprising only the surname, first name and patronymic of the personal data subject;
- data contained in databases that are classified as state automated information systems; and
- certain other types of personal data.
The notification must be submitted in hard copy or electronic form and reviewed by Roskomnadzor within 30 days. No registration fee applies.
The data operator must also notify the authority of any changes in the submitted notification, as well as of the termination of data processing within 10 days.
Is information regarding registered data owners publicly available?
The register of personal data operators is publicly available on the website of Roskomnadzor (http://rkn.gov.ru/personal-data/register/).
Is there a requirement to appoint a data protection officer?
A data operator which is a legal entity must appoint a person responsible for the organisation of personal data processing (ie, a data protection officer). Duties of the data protection officer include:
- internal control over compliance by the operator and its employees with data protection legislation;
- communication to the operator’s employees of the provisions of the Russian data protection legislation and internal data protection regulations; and
- receipt and processing of requests from personal data subjects or control thereof.
The law sets no qualification requirements for data protection officers. Information on the data protection officer must be included in notifications to Roskomnadzor (see above).
Failure to appoint a data protection officer may result in an administrative fine.
Which body is responsible for enforcing data protection legislation and what are its powers?
The main body responsible for the enforcement of data protection legislation in Russia is Roskomnadzor, under the Ministry of Communications and Mass Media.
Roskomnadzor is empowered to:
- request information from individuals and legal entities as is necessary to exercise its powers, and receive such information free of charge;
- examine the information contained in the notification of personal data processing or engage other state bodies in examination within the scope of their authority;
- request the personal data operator to update, block or destroy unreliable or unlawfully obtained personal data;
- restrict access to information that is not processed in compliance with the applicable legislation;
- take measures to suspend or discontinue the unlawful processing of personal data;
- file suit to protect the rights of personal data subjects, including the rights of the general public, and represent the interests of personal data subjects in court;
- transfer information on measures implemented by data operators to the Federal Security Service and the Federal Service for Technical and Export Control;
- file a petition with an authority that issued a licence for the operator’s activities to decide on measures to be taken to suspend or cancel the respective licence, provided that it was issued on the condition that no personal data be transferred to third parties without the written consent of the personal data subject;
- file materials with the prosecutor’s offices or other law enforcement bodies to decide on the initiation of criminal proceedings;
- make proposals to the Russian government concerning the improvement of data protection regulation; and
- institute administrative proceedings against persons guilty of non-compliance with the Personal Data Act.
Roskomnadzor is also charged with:
- handling the complaints of personal data subjects;
- maintaining the register of personal data operators;
- implementing measures at the request of certain government bodies;
- informing the general public of the state of affairs regarding personal data protection; and
- certain other powers and obligations.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Any processing of personal data, including collection and storage, is subject to the data subject’s consent, with certain exceptions set out in the Personal Data Act.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
The personal data legislation does not define a specific term during which an organisation may (or must) retain personal data records. However, the Personal Data Act prescribes that retention (ie, storage) of personal data must last no longer than is required for the purposes of processing the personal data, unless a specific term of storage or retention is set out by the law or by an agreement to which the data subject is a party, beneficiary or guarantor.
Do individuals have a right to access personal information about them that is held by an organisation?
Individuals have the right to request a broad range of information about their personal data from organisations. This right may be restricted if:
- the relevant personal data – including personal data obtained through special investigative techniques, counterintelligence and intelligence operations – is processed for the purposes of national defence, state security or law enforcement;
- the personal data is processed by agencies that have:
- detained the personal data subject on suspicion of committing an offence;
- brought criminal charges against the personal data subject; or
- applied restraint measures to the personal data subject before a charge is brought;
- the personal data is processed in accordance with the legislation on anti-money laundering or combating the financing of terrorism;
- access to the subject’s personal data may infringe the rights and legitimate interests of third parties; or
- the personal data is processed in accordance with the transport security legislation.
Do individuals have a right to request deletion of their data?
Yes, individuals have the right to request the data operator to correct, block or delete their personal data where such data is incomplete, outdated, incorrect, unlawfully obtained or unnecessary for the stated purposes of processing.
Is consent required before processing personal data?
Consent is required before processing personal data, with the exception of situations explicitly stipulated in the Personal Data Act (see below).
If consent is not provided, are there other circumstances in which data processing is permitted?
No consent of the personal data subject is required in cases where the personal data processing is:
- necessary to:
- achieve objectives stipulated by law or an international agreement to which Russia is party; and
- exercise and discharge functions, powers and responsibilities imposed on the data operator by law;
- carried out in connection with a person’s engagement in constitutional, civil, administrative or criminal proceedings, or proceedings in arbitration (commercial) courts;
- necessary to execute a court ruling, or a ruling of another authority or official subject to execution in accordance with the enforcement legislation;
- required to execute the powers of state authorities;
- necessary for the performance and execution of an agreement to which the personal data subject is a beneficiary or guarantor;
- necessary to protect the life, health or other vital interests of the personal data subject, if it is impossible to obtain consent otherwise;
- necessary to exercise the rights and legitimate interests of the data operator or third parties, or to achieve important social objectives, provided that this does not infringe the rights and freedoms of the personal data subject;
- necessary for the conduct of the professional activities of journalists or other legitimate media activities, or of scientific, literary or other creative activities, provided that this does not infringe the rights and legitimate interests of the personal data subject;
- carried out for statistical or other research purposes, except for the purposes set out in the Personal Data Act, subject to mandatory anonymisation of the personal data;
- carried out with respect to personal data made publicly available by the personal data subject; or
- subject to publication or mandatory disclosure in accordance with federal law.
What information must be provided to individuals when personal data is collected?
There are no specific requirements on what information must be provided to individuals when their personal data is collected. However, the Personal Data Acts requires that the processing of personal data be limited to achieving specific, pre-defined and lawful goals. Therefore, such goals should be communicated to the personal data subject when his or her personal data is collected. Moreover, the personal data subject may always request information related to the processing of his or her personal data, including:
- confirmation of the collection of the personal data;
- the legal basis and goals for processing the personal data, as well as the processing methods;
- the name and location of the data operator, and information on persons (except for the operator’s employees) that have access to the personal data;
- the scope and source of processed personal data relating to a corresponding data subject, as well as the term of such processing, including storage;
- information on completed or contemplated international transfers of the personal data; and
- the name and address of the person processing the personal data, where applicable.
Data security and breach notification
Are there specific security obligations that must be complied with?
Unlike the cybersecurity laws, the Personal Data Act requires data operators to implement extensive legal, organisational and technical measures to ensure the security of personal data and its protection against unauthorised access, modification, replication or other unlawful acts. Such measures include (but are not limited to):
- identification of personal data security threats in the course of data processing in the information systems;
- implementation of organisational and technical measures which ensure the levels of personal data protection established by the Russian government;
- implementation of security measures that have undergone the prescribed conformity assessment procedure;
- evaluation of the effectiveness of the measures to ensure that the personal data security applied before commissioning the personal data information system;
- registration of personal data machine-readable media;
- identification of events of unauthorised access to personal data and taking corresponding action;
- restoration of personal data that has been modified or destroyed as a result of unauthorised access;
- establishment of access rules for personal data processed in the personal data information system, as well as ensuring the registration and recording of all actions carried out with the personal data in the personal data information system; and
- control over the measures taken to ensure personal data security and the security level of personal data information systems.
Detailed rules in respect of personal data security are set out in Russian Government Decision 1119 (November 1 2012) and Federal Service for Technical and Export Control Order 21 (February 18 2013).
Are data owners/processors required to notify individuals in the event of a breach?
No, there is no obligation to notify individuals (ie, personal data subjects) if their personal data is compromised.
Are data owners/processors required to notify the regulator in the event of a breach?
No, there is no obligation to notify Roskomnadzor (the regulator) in the event of a breach.
Electronic marketing and internet use
Are there rules specifically governing unsolicited electronic marketing (spam)?
Unsolicited electronic marketing (spam) is not allowed without the recipient’s authorisation. This rule is repeated in varying forms in several laws, including the Personal Data Act, the Advertising Act (Federal Law 38-FZ (March 13 2006)) and the Communication Act (Federal Law 126-FZ (July 7 2003)).
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
In general, the cross-border transfer of personal data to jurisdictions which provide “adequate protection” of data subjects’ rights is not subject to any additional restrictions, provided that the transfer is carried out in accordance with other provisions of the Personal Data Act.
Before any cross-border transfer of personal data, data operators must ensure that the foreign state to which the data is transferred maintains adequate protection of data subjects’ rights. All of the signatory countries to the Strasbourg Convention 1981 are automatically considered to maintain adequate protection. A further list of countries with adequate protection has been adopted by Roskomnadzor (the relevant regulator).
Information on cross-border transfers of data must be reported as part of the data processing notification procedures.
Are there restrictions on the geographic transfer of data?
Cross-border transfers of personal data to jurisdictions that do not provide adequate protection may be carried out in the following cases (and thus subject to the following constraints):
- The written consent of the data subject has been obtained;
- The transfer is allowed under international treaties to which Russia is party;
- The transfer is allowed under federal laws where necessary for the purposes of protecting the constitutional order or national defence and security, as well as the security of the transportation system;
- The transfer is carried out in the course of performing a contract to which the data subject is party; or
- The transfer is required to protect the life, health or other vital interests of a data subject or other persons, and it is impossible to obtain consent in written form.
Cross-border transfers of personal data – even to countries with adequate protection – may be prohibited or restricted if necessary to protect the constitutional order, morality, health, rights and legitimate interests of citizens, or for national defence and security.
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
With the data subject’s consent, a data owner may commission a third party to process personal data pursuant to a contract. The third party must abide by the principles and provisions of the Personal Data Act. The corresponding contract under which the third party will process the personal data must:
- specify permissible actions (operations) involving the personal data;
- stipulate the goals of processing;
- impose confidentiality and security obligations on the third party; and
- contain requirements for the protection of the processed personal data.
Even where personal data is processed by a third party, the initial data operator (owner) is still obliged to notify Roskomnadzor (the relevant regulator) of the personal data processing.
Penalties and compensation
What are the potential penalties for non-compliance with data protection provisions?
The range of punishable actions subject to penalties was recently expanded. Fines are the principal type of penalty. As of July 1 2017, the maximum fine is Rb70,000 (approximately €1,000).
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?
Individuals are entitled to file suit for compensation of damages and recovery of moral harm. Moral harm is actionable regardless of compensation of damages.
Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?
No special legislation has yet been introduced to address cybercrime and cybersecurity in Russia. Instead, cybercrimes are penalised under the Criminal Code, while rules relating to cybersecurity are spread across numerous laws.
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?
Unlike the personal data protection law, the cybersecurity regulations in Russia are neither well developed nor codified in a single statute. The only notable exception are the information security rules that govern the activities of financial organisations. In particular, the Central Bank of Russia has introduced a set of standards covering various aspects of cybersecurity within the Russian payment system (although these standards are not binding, they are applied by most members of the local financial market). Further, Russian banks must observe some mandatory regulations that imply, among other things, reporting of cyber incidents that threaten security of data related to payment transactions.
The legislature is nonetheless making efforts to adopt a more holistic approach towards cybersecurity regulations. For instance, in July 2017 the president of the Russian Federation signed into law a new act intended to set basic cybersecurity standards for critical informational infrastructure. The act will enter into force on August 1 2018.
Russia is also a signatory to international treaties in the area of cybersecurity, such as the Treaty on Cooperation of Commonwealth of Independent States Member States in Combating Crime in the Computer Information Sphere. Notably, Russia has not signed the Budapest Convention on Cybercrime, a Europe-wide treaty setting standards regarding cybercrime, which requires states (among other things) to ensure that legal persons can be held criminally liable for a cyber offence.
Which cyber activities are criminalised in your jurisdiction?
The following activities are criminalised under the Criminal Code:
- unauthorised access to computer information (Article 272);
- development, use and dissemination of malware (Article 273);
- breach of rules applicable to the storage, processing or transfer of protected computer information or network systems and end-user equipment, which causes major damage (Article 274);
- fraud in the use of payment cards (Article 159.3); and
- computer fraud (Article 159.6).
The following activities are subject to administrative liability under the Code of Administrative Offences:
- use of uncertified communication facilities and uncertified means of cryptography in the transmission of messages over the Internet, where certification is required by law (Article 13.6); and
- interference with the working of websites (Article 13.18).
Which authorities are responsible for enforcing cybersecurity rules?
Several authorities have complementary powers to enforce cybersecurity rules and investigate cybercrimes, including the police (ie, the Ministry of Internal Affairs through its specialised department, Division K), the Federal Service for Technical and Export Control, the Federal Security Services, the Prosecutor’s Office and Roskomnadzor. Industry regulators (eg, the Central Bank of Russia) also have powers to supervise information security compliance within respective spheres of governance.
Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?
Yes, companies may obtain insurance coverage against cyber risks. With the proliferation of cyberattacks, it is becoming increasingly common for companies to seek insurance.
Are companies required to keep records of cybercrime threats, attacks and breaches?
No, except for those records that must be maintained due to industry specific regulations (see below).
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?
There is no general obligation to report cybercrimes. However, companies in certain industries may be subject to reporting obligations. For example, as noted above, Russian banks must report certain cybersecurity incidents to the Central Bank of Russia. Further, owners of fuel and energy infrastructure must also report cybersecurity incidents to the Federal Security Service and some other agencies.
In June 2017 Russian legislators proposed a new initiative making it mandatory for all companies dealing with personal data to submit a data breach notification immediately after discovering such an incident are revealed. Therefore, general reporting obligations may be introduced in the near future.
Are companies required to report cybercrime threats, attacks and breaches publicly?
Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?
Potential criminal penalties for cybercrimes include fines of up to Rb500,000 (approximately €7,150), community service (ie, ‘corrective work’), compulsory labour, disqualification from holding certain positions and imprisonment of up to seven years.
What penalties may be imposed for failure to comply with cybersecurity regulations?
The following criminal penalties may be imposed on an individual for breach of the rules applicable to the storage, processing and transfer of protected computer information or network systems and end-user equipment, which causes major damage (Article 274 of the Criminal Code):
- a fine of up to Rb500,000 or the 18-month salary or other income of the person convicted;
- community service for six to 12 months; or
- compulsory labour, custodial restraint or imprisonment of up to two years.
Further, non-compliance by a legal entity with cybersecurity regulations may result in administrative fines or cancellation of certain licences, where such licences were issued on the condition of cybersecurity compliance.