While it has been two years since Russia enacted its data protection law, details about the law’s implementation have only recently begun to emerge. The Federal Law of the Russian Federation on Personal Data does not specify which federal agency is responsible for its implementation, and various agencies’ broad and overlapping powers made it difficult to predict which agency would have the primary enforcement role. This uncertainty has now been resolved with the launch of a data protection website by the Russian Federal Service for Oversight of Mass Media, Communications and Protection of Cultural Heritage. According to the website, this agency has been authorized by the government to oversee compliance with the requirements of the Russian data protection law.
Scope of the Law
The Russian law is similar in style to data protection laws in the European Union. The law contains extensive restrictions on the collection, use, storage, transfer and other processing of personal data. The law defines “personal data” to include any information related to a specific individual or to an individual who can be identified on the basis of such information. Examples of personal data include not only name and contact information but also family, social and financial status, education, occupation and income.
The law authorizes businesses to collect, use, store or otherwise process personal data only for the specific purposes set forth in the law or with the individual’s written consent. The law imposes detailed requirements on the content and form of the consent and the disclosures that must be provided to the consenting individual. There are also restrictions on the transfer of personal data outside of the Russian Federation. Although businesses may transfer personal data to countries that adequately protect the rights of data subjects, there is currently no list of approved countries. In addition, personal data may be transferred to any country, regardless of the level of personal data protection the recipient country offers, with the written consent of the individual. The onerous requirements for obtaining written consent for data processing, however, also apply to data transfers.
The law also contains a host of other requirements that can be found in the EU law. For example, it requires businesses to collect the minimum amount of personal data required to fulfill the purpose for which the information is collected, to ensure the integrity of the data, to minimize the storage of the data and to implement appropriate data security measures. The law grants individuals and their representatives the right to access the individuals’ personal data and to object to the processing of the data.
Compliance with the law may prove to be challenging because of its onerous requirements, possible inconsistencies with other Russian laws and lack of interpretation and enforcement precedent. Businesses that process personal data for marketing purposes may face additional hurdles because such processing requires the prior consent of the relevant individuals.
Data Protection Website
The initial focus of the data protection website is to facilitate the registration of “data operators,” which are entities that process personal data and determine the purpose and nature of the processing. This definition closely mirrors the EU’s concept of “data controller.” The data protection law provides a number of exceptions to the registration requirement, but many businesses, including those processing personal data for marketing purposes, are required to register. More than 11,500 operators have registered to date, and registration is continuing at a fast pace with over 300 businesses added to the agency’s database during the week of July 28, 2008.