An extract from The Privacy, Data Protection and Cybersecurity Law Review, 8th Edition
The Russian legal system is based on a continental civil law, code-based system. Both federal and regional legislation exist; however, federal legislation takes priority in cases of conflict. Generally, issues of data privacy are regulated at federal level, and the regions of Russia do not issue any specific laws or regulations in this respect.
The latest Constitution of Russia, which provides that each individual has a right to privacy and personal and family secrets, was adopted in 1993. Each individual has a right to keep his or her communication secret, and restriction of this right is allowed only subject to a court decision. Collection, storage, use and dissemination of information about an individual's private life are allowed only with the individual's consent. The protection of these basic rights is regulated by special laws (e.g., on communications) and also by specific regulations enacted in relation to these laws.
In 2007, Russia adopted a major law regulating data privacy issues, Federal Law No. 152-FZ on Personal Data dated 27 July 2006 (the Personal Data Law). The Personal Data Law covers almost all aspects of data protection: what is considered personal data, what types of data can be collected and processed, how and in what cases can data be collected and processed, and what technical and organisational measures must be applied by companies or individuals that collect data. Unlike European law, the Personal Data Law does not distinguish between data controllers and data processors. Therefore, any individual or entity working with personal data is considered a personal data operator and is thus governed by the Personal Data Law. There are also several specific regulations, mainly covering the technical side of data processing and to a certain extent clarifying the provisions of the Personal Data Law. Such regulations are issued by the Russian government, the Russian data protection authority (the Federal Service for Supervision in the Sphere of Communication, Information Technology and Mass Communications (DPA)) or the authorities responsible for various security issues in Russia, such as the Federal Service for Technical and Export Control (FSTEK) or the Federal Security Service (FSB).
Since 2007, data privacy has never been a topic of intense discussion or major enforcement. However, this changed rather dramatically in 2014. The general approach of the government to privacy became fairly protectionist. In 2014, the Russian parliament adopted amendments to the Personal Data Law (that then became known as the Data Localisation Law) that require data operators that collect Russian citizens' personal data to store and process such personal data using databases located in Russia. The Data Localisation Law was highly criticised by business and the media but nevertheless came into force on 1 September 2015. While this law generated a great deal of profit for Russian data centres, it also created high costs for ordinary businesses, which needed to redesign their data storage infrastructure.
In addition to the Data Localisation Law, Russia adopted amendments to the Russian Federal Law on Information, Information Technology and Protection of Information. These amendments require companies that provide video, audio or text communication services (usually 'messengers') to register with the authorities, to store users' messages or audio or video calls for up to six months and to provide the security authorities with decryption keys if the messages are encrypted. These rules have resulted in the blocking of Blackberry Messenger and a few other messenger apps in Russia and in a campaign to block the Telegram messenger.
The year in review
Recent years have been very intense in Russian data protection law. The first step was Federal Law No. 97-FZ of 5 May 2014 (the Yarovaya Law), which directly affects Russia's telecoms and internet industries. In particular, mobile operators need to store the recordings of all phone calls and the content of all text messages for a period of six months, entailing huge costs, while internet companies (e.g., messenger apps) need to store the recordings of all phone calls and the content of all text messages for six months and the related metadata for one year.
In addition, the law requires such operators to provide any such communications to Russian police and intelligence on their request and to install special systems used for investigation purposes or to 'reconcile the use of software and hardware with the authorities' as well as to provide the security authorities with decryption keys if the messages are encrypted.
Non-compliance may result in fines or blocked access to the non-compliant service. The parts of the Yarovaya Law that are already effective are actively enforced by the DPA, and several messengers, including Blackberry Messenger, Imo and Vchat, have been blocked in Russia. The relevant enforcement also resulted in a major case against the Telegram messenger app, described in more detail below.
As a second step in data protection legislation, the Russian authorities adopted the Data Localisation Law and created a new procedure restricting access to websites that violate Russian laws on personal data.
In particular, based on the Data Localisation Law, the DPA created a register of infringing websites. The law provides for a detailed 'notice and take down' procedure. Most importantly, the Data Localisation Law requires that all personal data of Russian citizens be stored and processed in Russia. The location of databases with personal data of Russian citizens must be reported to the DPA. In 2019, lawmakers adopted amendments that dramatically increased the fines for non-compliance with the data localisation requirement up to 18 million roubles.
Currently, Russia is planning to require foreign technology companies to set up representative offices in Russia. There is a draft bill under consideration in the Russian parliament and it is very likely to be adopted this year. The bill would mainly affect foreign companies that own websites, information systems, software and apps with a daily audience of at least 500,000 users in Russia and that provide information in Russian, distribute advertising targeted at a Russian audience, process personal data of Russian users, or receive money from Russian individuals or legal entities.
Technology companies would also need to register accounts in a special system run by the DPA and respond to queries from the authority (e.g., to delete certain prohibited or unwanted content). The bill also provides for a range of sanctions for non-compliance: prohibitions on advertising, restrictions of money transfers, prohibitions on the collection and transfer of personal data, etc. It remains to be seen how these sanctions and the law as such would be enforced, though.
Owing to the outbreak of covid-19, it has become apparent to the authorities, businesses and society in general that the market should move even more quickly towards total digitalisation. Currently, there are intensified initiatives to create a proper legal basis for remote working, electronic paperwork and digital passports for individuals, for example. It appears that the next few years will change the Russian privacy landscape significantly.
In 2019, Russia signed the Protocol to the Council of Europe Convention No. 108. We expected new amendments to the Personal Data Law that would harmonise the law with Convention No. 108. However, the introduction of amendments was delayed by the covid-19 outbreak. We still expect the introduction of the rules for breach notification and depersonalisation of personal data owned by commercial entities (up to now, the DPA was of the opinion that only governmental entities were allowed to perform depersonalisation).
As noted above, Russia is planning to require foreign technology companies to set up representative offices in Russia. It will be interesting to see how this new law is enforced and whether multinational companies without a presence in Russia will either open offices in Russia or stop working in the market.
It is also expected that more court practice will appear. The number of court cases related to data privacy is already increasing, and we expect even more enforcement actions and court clarifications in this field.