On 1 March 2021, a Federal Law* comes into force to amend the Federal Law “On Personal Data”.
The amendments remove from the law the concept of “personal data made publicly available by the personal data subject” and remove an article that previously allowed anyone to process such data without the consent of the data subject.
At the same time, a new Article 10.1 and the notion of “personal data in respect of which the data subject authorised dissemination” have been introduced. This new concept includes data for which an individual gives access to an unlimited number of persons via consent and authorises its dissemination.
Under the new requirements, operators must obtain the consent of personal data subjects before the dissemination of their personal data. It is expected that the changes will affect primarily the owners of websites on which personal data is published (e.g. social networks, ad sites) and employers who publish information about employees on their websites.
The new rules do not apply when personal data is processed in the interests of the state, society and the public.
Requirements for consent
Consent for the processing of personal data permitted for dissemination must meet the following requirements:
- Consent must be obtained separately from other consents. Consequently, employers will have to collect additional consent for posting information about employees on their websites.
- Individuals must be able to choose which data they consent to have disseminated.
- Consent for the dissemination of data must be unequivocal. In practice, this means that simply referring to the processing methods provided for by law will not be sufficient.
- The data subject must express consent by active actions. The data subject’s silence and inaction are not considered consent.
- The personal data subject must be able to prohibit the transfer of data (except for providing access to data) to an unlimited number of persons, and to prohibit the processing or to establish data processing conditions by an unlimited number of persons (except for such persons obtaining access to the data). Thus, even if data is available to an unlimited number of persons after publication, their subsequent use may be limited since the data subject will be able to formulate certain conditions for their processing.
- If an individual wishes not to impose any restrictions on the processing of their data, this must expressly and unambiguously follow from the consent. At the same time, it is not sufficient just not to prescribe restrictions and prohibitions. It is necessary to clearly state that the data subject does not limit the processing of their data.
The Russian data protection authority Roskomnadzor may establish additional requirements for consent. However, no explanations have been published to date.
Consent may be given in any form. At the same time, the operator can receive consent directly or through Roskomnadzor’s information system. As of this writing, such an information system and the rules for its use have not yet been created.
Rights and obligations of operators and data subjects
Within three days of obtaining consent, the operator must publish the conditions and restrictions on the use of personal data established by the data subject.
At the same time, the personal data subject has the right to demand the termination of the transfer of personal data (i.e. its dissemination, provision, access) at any time from any operator either disseminating the data or processing it in the future.
If individuals disclose their own personal data, or if the data becomes available due to unlawful actions or force majeure circumstances, the obligation to prove that personal data has been processed lawfully lies with each data processor. Thus, operators are not entitled to process data obtained due to data leakage or their unlawful publication on the internet in the absence of a proper legal ground.
The new Federal Law does not provide for a separate liability for failure to comply with the new rules. Therefore, it is expected that general liability clauses will apply, in particular the one covering the processing of data without proper legal grounds (Art. 13.11(1) of the Code on Administrative Offences).
The new rules introduce additional restrictions for working with personal data which affect almost all companies publishing data or using data from the internet.
Before using data posted in the public domain, it will now be necessary to conduct an additional check to ensure that dissemination of this data is lawful, and the data subject has not established any prohibitions or restrictions on the use of this data. The burden of proof for the lawfulness of the use of the data lies with the person or entity using it.
In addition, given the need for active consent, in practice it is necessary to avoid obtaining consent with the help of “pre-ticked” boxes or through the mechanism of continuing to use a website when consent for the dissemination of personal data is “embedded” in the offer to use the website.
Given the ambiguity of the wording of the amendments, the practical implementation of the new requirements may raise questions that, we hope, Roskomnadzor will clarify in the near future.
In the meantime, we recommend that companies check their current personal data processing activities, and, if necessary, introduce new forms of consent, as well as formalise internal rules for the use of publicly available data.