Russia has signed a Protocol designed to modernise the Council of Europe’s 1981 Convention on the processing of personal data to take account of current technology and data protection and privacy concerns. Once implemented, the Protocol is expected to bring Russian data protection legislation broadly in line with the provisions of GDPR.

On 10 October 2018, the Russian Federation signed a protocol modernising the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data 1981 (the ‘Protocol’ and ‘Convention 108’ respectively).

Convention 108, which was adopted by the Council of Europe, is the only legally binding multilateral agreement in the field of personal data protection. Convention 108 provides a legal framework, and requires the parties to incorporate measures necessary to ensure the protection of human rights in the area of personal data processing into their respective national laws. Convention 108 was a source of inspiration for the EU data protection laws. Its provisions also served as guidance for Russian lawmakers.

Convention 108 was opened for signature in 1981, long before recent digital technological breakthroughs and globalisation in information technology. The purpose of this Protocol is to modernise Convention 108 to reflect the new challenges of the digital era.

As a party to Convention 108, Russia will have to incorporate the amendments and ensure their proper enforcement. Below, you will find a brief overview of the key changes introduced by the Protocol, which are likely to be incorporated into Russian legislation in the near future.

Harmonisation with the EU General Data Protection Regulation (‘GDPR’)

The Protocol significantly increases the level of data protection and specifies principles and requirements already implemented by the GDPR, which has recently come into force.

In this sense, incorporation of the Protocol’s provisions into national legislation will be a step towards the harmonisation of Russian data protection legislation with European rules.

Important new provisions in the Protocol

The update to Convention108 ensures a higher level of protection by introducing some fundamental changes, set out below.

Data breach notification

Under the Protocol, a data controller must, without delay, notify its data protection authority of any data breaches that may seriously interfere with the rights and fundamental freedoms of data subjects. Russian laws currently do not require data controllers to notify the data protection authority of security incidents.

New types of sensitive data

The Protocol expands the categories of sensitive personal data to those recognised as sensitive data under the GDPR, for example, data relating to genetics, trade union membership and ethnic origin.

New roles in data processing

Apart from the data controller, Convention 108 defines and regulates data recipients (parties to whom data is disclosed, or made available) and data processors (parties processing data on behalf of the data controller).

Strengthening proportionality and data minimisation principles

In accordance with the Protocol, data processing must be proportionate in relation to the legitimate purpose pursued and reflect, at all stages of the processing, a fair balance between all interests concerned, whether public or private, and the rights and freedoms at stake.

New data subjects’ rights

The Protocol specifies that data subjects have the right not to be subject to a decision, based exclusively on automatic processing, without having their views taken into consideration, the right to be informed of the reasoning underlying the processing and the right to object.

Additional safeguards protecting data subjects

Data controllers are obliged to examine the likely impact of intended data processing on the rights and fundamental freedoms of data subjects prior to the commencement of such processing and to implement relevant technical and organisational measures.

Privacy by design principle

Data controllers and data processors must design the data processing procedure in such a manner as to prevent or minimise the risk of interference with data subjects’ rights and fundamental freedoms.

Please note that this is not an exhaustive list of the novel legislative provisions set out in the Protocol.

Entry into force and further impact on data exchanges with the EU countries

The Protocol will enter into force on the first day of the month following the expiration of a period of three months after the date on which all parties to Convention 108 have consented to be bound by the Protocol. Currently, only 21 (of 53) parties to Convention 108 have signed the Protocol and therefore it has not yet entered into force. If all 53 parties do not sign the Protocol within five years after the date on which it was opened for signature (i.e. after 25 June 2018), then it will come into force automatically for those parties who have signed it. Officials of the Russian data protection authority (Roskomnadzor) have already announced that they are working on a draft bill to amend Russian legislation in accordance with the amended Convention 108. This means that Russia will implement GDPR standard protections into its national legislation.

If Russia implements the provisions of Convention 108 efficiently, it will be more likely to be recognised under EU law as a jurisdiction providing adequate levels of data protection. This will remove many restrictions regarding international data transfers. The final decision in this regard will be made by the European Commission.