The new requirements for personal data protection were approved by the Russian Government’s Resolution No. 1119 dated 1 November 2012 (the “Resolution”), which was published on 7 November 2012 in the official journal Rossiiskaya Gazeta (http://www.rg.ru/2012/11/07/pers-dannye-dok.html).
The Resolution was adopted in pursuance of articles 19(3)(1) and 19(3)(2) of Federal Law No. 152-FZ dated 27 July 2006 On personal data (the “Personal Data Law”). Under the Personal Data Law, the Government is to establish the level to which personal data is protected and the requirements for protecting such data when it is processed in personal data systems (the “Requirements”).
The Resolution introduces four levels of protection for personal data, depending on the types of actual threats. Particular organisational and technical measures, which will be binding from now on, apply to each level. There are now fewer requirements for protection and they have become more specific. Even so, as before, companies will have to take particular care when implementing the requirements.
Under article 19(4) of the Personal Data Law and clause 4 of the Requirements, an operator is to select means of protecting information for a personal data information system in accordance with regulations of the Federal Security Service (FSB) and the Federal Technical Control Service (FSTEK). No such regulations have yet been approved.
In addition, the core federal executive bodies have not yet adopted the regulatory legal acts that are to define the personal data security threats currently relevant for particular sectors (article 19(5) of the Personal Data Law and clause 7 of the Requirements).
Nevertheless, the general requirements for protecting personal data established by the Personal Data Law remain binding.
A new requirement has also been introduced to the effect that control measures will be exercised at least once every three years to ensure that the Requirements are implemented. The operator may carry out this control itself or by engaging on a contractual basis companies and entrepreneurs who are duly licensed to carry out activity relating to the technical protection of confidential information.
The date on which the Resolution came into force was 15 November 2012. In addition, as of that date, the Russian Government’s Resolution No. 781 dated 17 November 2007 On approving the Regulations for ensuring the security of personal data when it is processed in personal data information systems was repealed.
Please note that administrative liability may be imposed on a company and/or its officers if it fails to comply with personal data protection requirements.
We note that, in accordance with the draft law produced by Roscomnadzor (which has still to be put before the Russian State Duma), it is proposed to significantly increase administrative fines for violations of the procedure for collecting, storing, using and distributing personal data. They will be raised to between RUB 30,000 and RUB 500,000 for legal entities (currently, the maximum administrative fine is RUB 10,000), while for specific violations entrepreneurs and companies will face a turnover-based fine of between 0.5% and 2% of their total income over the previous year.