An extract from The Privacy, Data Protection and Cybersecurity Law Review, 8th Edition
Public and private enforcementi Enforcement agencies
The primary agency dealing with personal data breaches is the DPA. The DPA is entitled to perform scheduled and unscheduled audits. The schedule of all planned compliance audits for the next year is usually published on the websites of the territorial subdivisions of the DPA. However, the DPA can also perform unscheduled checks and is required to notify the individual or company at least 24 hours before the check.
The DPA performs its own monitoring of data breaches (including monitoring of the internet and the relevant news). The DPA also responds quite actively to complaints, which in practice can be filed by data subjects, prosecutors or competitors. Following a complaint or based on the results of its own monitoring, the DPA performs a non-scheduled check, informing the company 24 hours beforehand.
As a result of such a check, the DPA can issue an order to resolve the breach or institute administrative proceedings in a local court. Based on the statistics, the DPA does not initiate proceedings very frequently. This means that in most cases breaches can be resolved based on the DPA's order.
Data operators may be subject to criminal, civil and administrative liability. The individuals whose personal data has been compromised have a private right to sue, with the right to demand compensation for losses or compensation for 'moral harm'.
The DPA is entitled to initiate administrative proceedings in the event of a data breach and impose administrative sanctions (fines) if the breach is proven. In addition, the DPA may, subject to a court decision, block infringing websites or mobile applications from being accessed in Russia.
The current maximum administrative fine is 18 million roubles for a repeated breach of the data localisation requirement. However, data localisation fines are substantially higher than the other administrative fines for breaching personal data protection laws. For instance, the next highest fine is 500,000 roubles for failure to obtain an individual's consent to process their personal data. In practice, the administrative fines are not multiplied by, for example, the number of emails or employees whose data was compromised or by the number of specific data breaches, but instead applied only once for a particular type of breach. However, this practice may change in the near future.
Criminal sanctions can only be applied against natural persons and can never be applied against companies. However, even those Articles of the Russian Criminal Code that could theoretically apply to personal data breaches are never applied to such cases as far as we know.ii Recent enforcement cases
The Data Localisation Law was rarely enforced for some time. However, in 2016, a major case involving LinkedIn attracted a great deal of attention from the public. A Russian district court upheld a claim by the DPA seeking restriction of access to LinkedIn on Russian territory. The judgment was handed down on 4 August 2016. The information on the case, however, was not disclosed to the media until 25 October 2016.
The court found LinkedIn to be liable for a violation of the Personal Data Law, in particular of its provisions requiring Russian citizens' personal data to be stored and processed on servers located in Russia. The court found that LinkedIn does not operate a server in Russia. Furthermore, in the court's view, LinkedIn processed the personal data of third parties who were not covered by a user agreement. On this basis, the court declared LinkedIn to be in violation of the Personal Data Law and ordered the DPA to take steps to restrict access to LinkedIn. Currently, LinkedIn remains blocked in Russia.
In 2020 both Facebook and Twitter were fined 4 million roubles each for breach of the Data Localisation Law. Currently, according to the DPA, both companies still do not comply with the Data Localisation Law and thus the DPA intends either to issue new fines or block the social networks in Russia.
The same lack of enforcement accompanied the Yarovaya Law. There were occasional blockings (such as Blackberry Messenger); however, due to the limited popularity of such messaging services, the enforcement cases did not attract much attention. Everything changed with a case regarding one of the most popular messengers in Russia – Telegram. On 20 March 2018, the Supreme Court of Russia dismissed the claim by a representative of the Telegram messaging service to set aside the FSB order dated 19 July 2016 requiring messaging services to provide decryption keys to the FSB, which allow the security authorities to read correspondence by Telegram's users.
Telegram has frequently commented in the press that it is unable to provide the decryption keys due to the nature of end-to-end encryption technology, while the FSB believes this is technically possible. Telegram finally refused to provide the FSB with any decryption keys and, therefore, on 13 April 2018, the Taganskyi District Court of Moscow upheld the DPA's claim to block access to Telegram. On 16 April 2018, the DPA reached out to telecoms operators, requesting that they commence blocking the messenger. All Russian telecoms operators are obliged to block access to the relevant resources.
Telegram's lawyers appealed this decision without success. Since April 2018, the DPA has tried to block Telegram from using its IP address, which has proven to be an ineffectual strategy because Telegram was available to its users in Russia even during blocking. Surprisingly, on 18 June 2020, the DPA announced that it would withdraw its claims against Telegram, as the owner of Telegram, Mr Durov, apparently agreed to cooperate with the authorities on anti-terrorism and anti-extremism requests. It is unclear, though, whether Telegram has agreed to provide the decryption keys, since there have been no official comments on this. Since 18 June 2020, the DPA has also removed all IP addresses related (or allegedly related) to Telegram from the blocked list.iii Private litigation
Individuals whose personal data is processed in a manner not in compliance with the Personal Data Law are entitled to claim damages or compensation for moral harm from the infringing company. Such claims can only be adjudicated in a court trial between the affected data subject and the infringer. Generally, the cases where the data subjects use this option (i.e., raise such compensation or damage claims before courts) are fairly rare, and it is unlikely that the number of civil law lawsuits will increase in the near future. The main reason for this is that claimants must go through the cumbersome court procedure and provide evidence of the damage (including moral harm) caused to them. In addition, the competent Russian courts do not award large sums for the data breaches (usually only a few thousand roubles). In practice, individuals prefer to submit complaints to the DPA or the Russian prosecutor's office, which can initiate a compliance audit of the infringing entity by the DPA.