On 21 July 2014, the President of the Russian Federation signed Federal Law No. 242-FZ "On Amendments to Certain Laws of the Russian Federation in Order to Clarify the Procedure for Personal Data Processing in Information and Telecommunications Networks" (the "Law"). The Law seeks to change the regulation of personal data processing in information and telecommunications networks, as well as personal data processing in databases. The Law will come into force on 1 September 2016.
The following changes to the current law are proposed:
- Processing of Russian citizens’ personal data to occur only in Russian databases
In accordance with the amendments to Federal Law No. 152-FZ dated 27.07.2006 "On Personal Data", an operator will be required to ensure that the recording, systemisation, accumulation, storage, clarification (updating, modification) and retrieval of Russian citizens’ personal data are conducted only in databases located within Russia.
Some exceptions to this rule exist in connection with certain goals of personal data processing. These include achieving the objectives of international treaties or laws, the implementation of an operator’s statutory powers and duties, the administration of justice, the acts of public law entities and organisations that provide state and municipal services, the professional activities of journalists and/or the lawful activities of mass media, or scientific, literary or other creative activities provided that this does not violate a data subject’s rights and legitimate interests.
An operator’s duty to procure that databases which process Russian citizens’ personal data are located within Russia is also envisaged in Federal Law No. 149-FZ dated 27.07.2006 "On Information, Information Technology and Data Protection". When notifying the authorised body in charge of protecting personal data subjects’ rights ("Roskomnadzor") about the commencement of processing of personal data, the operator will be required to provide data on the location of the database containing Russian citizens’ personal information. Under applicable laws, such notification is not required in some cases, in particular where personal data is processed in accordance with labour laws, in connection with the conclusion of a contract to which a personal data subject is a party, or where only personal data subjects’ full names are collected.
- Creation of a "Register of Violators of Personal Data Subjects’ Rights"
Pursuant to the Law, Roskomnadzor will create a "Register of Violators of Personal Data Subjects’ Rights", which, on the basis of a court judgment, will include information about such violators. In particular, the register will contain the domain names or other links to web-site pages on the Internet containing information processed in violation, network addresses which enable the identification of such web-sites, and other data.
On the basis of such a judgment, a personal data subject may apply for measures to be taken to restrict access to the information processed in violation of the law on personal data. The draft law establishes a procedure for the interrelation between Roskomnadzor, the hosting provider and the information resource owner with the aim of limiting access to the offending information. In the event that such measures are not implemented, access to such information resource will itself be limited.
These amendments are, in particular, supposed to implement a personal data subject’s right, which is already recognised at European level, to be "forgotten" on the Internet.
It should be noted that an operator can collect personal data and form a database using both the Internet and other means. We believe that the changes may affect not only companies operating directly via the Internet (such as Internet shops, agencies selling tickets and booking services to individuals), but also operators that form databases of personal data in other ways (for example, employers storing their employees’ and customers’ personal data on foreign servers, as well as providers of data storage and processing services in information and communication networks).
It seems that in these cases, the operator will be required to process Russian citizens’ personal data by recording, systematising, accumulating, storing, clarifying (updating, modifying) and retrieving them (from a database) only in Russia. Failure to do so may result in the imposition of sanctions on the operator. In particular, experts agree that once the Law comes into force, there will be a risk of the blocking (pursuant to a court order) of foreign web-sites that contain Russian citizens’ personal data.
It should be noted that the Law does not prohibit the accessing of databases located within Russia from abroad, or impose any special restrictions on the transfer (including cross-border transfers) of personal data from a database located in Russia. Therefore, foreign companies should still be able to process Russian citizens’ personal data. However, the Law raises a number of issues that require further clarification. For example, it is unclear whether foreign companies transferring their servers will also have to comply with all other requirements of Russian personal data laws related to Russian personal data operators. We believe that the practical application of the Law will be commented on further by the regulatory authority in charge of personal data and become clearer in practice.