Since the beginning of 2012, a number of new regulations on personal data protection have been passed. In the light of the above and taking into account new legislation under preparation and the increasing number of checks being carried out (see below), it is highly recommended that companies adopt the following measures for the protection of personal data:
- submit a notification to the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications (“Roscomnadzor”) by 1 January 2013;
- adopt internal regulations; and
- develop procedures for protecting personal data.
Companies in the healthcare, insurance and banking industries, as well as those selling mass consumption goods, are at the highest risk of sanctions for violations, since the processing of personal data of customers and other data subjects represents an important part of their business.
The recent regulations implement certain provisions of the Law “On Personal Data” (the “Law”), as revised and effective since 27 July 2011.
Cross-border transfer of personal data
Roscomnadzor has prepared a draft list of the states which ensure the relevant protection for personal data. It is expected that the list shall be approved and published in the near future. In accordance with the provisions of the Law, the cross-border transfer of personal data to such states may be performed on the basis of consent of an individual presented in any form (providing the consent in written form and indicating the passport details of an individual are not necessary).
Protecting personal data in specific sectors
Decree No. 940 of the Government of the Russian Federation (“Decree No. 940”) came into force on 2 October 2012. The document allows data controller associations and unions to develop industry standards on data processing within their specific industry sectors. Decree No. 940 also establishes a procedure for such industry standards to be approved by the Federal Security Service of the Russian Federation (the “FSB”) and the Federal Service for Technical and Export Control (the “FSTEC”).
The development of standards for processing and protecting personal data in particular industries is common international practice. Such industry standards exist, for example, in insurance and private banking, as well as in healthcare and tourism. Companies operating in one industry as a rule process personal data of a similar type, for similar purposes and in a similar way. They therefore face the same issues in protecting personal data security, and an industry standard on the processing of personal data is a practical and convenient solution. Standards providing for additional protective measures are currently being developed (including at the state level) for the banking industry; for example, by a Decree issued on 13 June 2012, the Russian Government approved a standard for protecting information (including personal data) processed by payment systems, money transfer operators and bank payment agents.
Data protection outsourcing
Often companies that process personal data engage information protection specialists to comply with the technical requirements on personal data protection. In the spring of 2012, certain Decrees of the Russian Government came into force that establish licensing rules for such specialists providing services in the field of protecting confidential information. Consequently, prior to hiring a service company in this area, it is now necessary to verify that the provider has a license to provide such services.
The particular Decrees are described in more detail in the table below.
Law enforcement in practice
Roscomnadzor compliance checks
On 9 March 2012, the Administrative Regulations that establish an audit procedure for Roscomnadzor regarding compliance with laws on personal data protection came into force. A clearly regulated procedure for such monitoring is to be welcomed, as the number of checks has increased substantially over the past year. The controlling authority has started to scrutinise the activities of those who process personal data, irrespective of whether they are registered as data controllers. We reiterate that, under the Law, personal data controllers are required to submit a notification to Roscomnadzor on or before 1 January 2013.
The number of spot checks carried out by the authorities against companies processing personal data has increased in response to complaints from individual data subjects. As a result, a number of banks have been held administratively liable following complaints by bank customers for infringement of the law. Specifically, the banks were held liable for refusing to provide customers with their credit files, as well as for transferring personal data to third parties (i.e. collection agencies) without the consent of the customer.
Recent court practice
There has been a growing number of appeals by data controllers against decisions imposing liability for non-compliance with personal data protection laws. In January of this year, the Basmanny Court of the City of Moscow held that a bank was administratively liable for transferring personal data relating to one of its debtors to a collection agency without the consent of the debtor. In May of this year, the Savyolovsky District Court of the City of Moscow upheld a fine against a bank for processing personal data without the consent of the data subject.
Recently, draft amendments to the Administrative Offences Code of the Russian Federation (the “Draft Amendments”) appeared on Roscomnadzor’s website. The Draft Amendments outline in particular such types of infringements of personal data processing as the illegal processing of special categories of personal data and violating the conditions of cross-border transfer of personal data.
The Draft Amendments envisage a substantial increase in fines, of up to RUB 700,000 for legal entities. In individual cases, fines could be as much as 1.5%–2% of the revenue of a legal entity for the reporting period. At this time, the Draft Amendments are still awaiting review by the State Duma.
Closing loopholes in the regulation of personal data protection and increasing penalties for violations are the main trends in the developing legislation in this sphere. At the same time, guidance on the practical implementation of the regulations on personal data protection remains poorly developed and poses a compliance issue for companies.