On 26 July 2011, the Russian President signed a new law clarifying the rules on the processing and transfer of personal data, as well as the rights and obligations of data controllers and data subjects.
The law “On Personal Data” was adopted five years ago and, since then, has been amended repeatedly. However, it is clear that the amendments comprising the new law are the most significant since the law first came into force. Their adoption will force legal entities to again revise their internal policies related to personal data processing.
The initial aim of adopting the new law was to clarify certain provisions of the existing law “On Personal Data” and to simplify the related procedures for commercial organisations. However, in the course of its approval by various authorities, the draft law was considerably revised and supplemented with a number of provisions that are cumbersome for data controllers. Ultimately, the adopted law has become a compromise which, on the one hand, fills the gaps in the previous regulations and creates some advantages for data controllers but, on the other hand, imposes additional and very stringent requirements for personal data processing.
Key innovations introduced by the new law, which will satisfy the interests of data controllers, include, in particular, the following:
- The law clarifies the principles and conditions of personal data processing, and expressly provides for a data controller’s right to engage any other natural or legal person for personal data processing;
- It provides for certain events in which a data controller is relieved from its obligation to notify a data subject about his/her personal data processing, and events where the data controller may continue personal data processing even after the data subject revokes his/her consent to the processing;
- It allows for extending the period for holding personal data even after the aim of personal data processing has been achieved;
- It provides greater detail on applications to a data controller by a data subject or an authorised body in charge of personal data protection; and extends the period within which the data controller must reply to a request from a data subject to 30 days;
- It provides for conditions under which personal data may be obtained from an individual who is not a data subject;
- It clarifies the rules on the cross-border transfer of personal data.
At the same time, some provisions of the law impose more severe requirements for handling personal data, for example:
- The law provides that state authorities, the Bank of Russia and local authorities may, within their competence, adopt regulations on certain issues related to personal data processing;
- It expands the list of details which must be included in individuals’ written consent to their personal data processing and in notices on personal data processing which must be given to the regulator;
- It states essential requirements for personal data security, with the Russian Government, the Federal Security Service and the Federal Service for Technical and Export Control retaining the right to formulate requirements for personal data protection;
- It entitles state authorities, the Bank of Russia and associations and unions of data controllers, subject to certain restrictions, to determine threats to personal data security;
- It now requires the data controller to: (i) publish or otherwise make publicly available its policy on personal data processing as well as details of measures for the protection of personal data, (ii) appoint an individual to be in charge of arranging for personal data processing (the law provides for the principal responsibilities of this individual), (iii) by 1 July 2013, provide a competent authority with the statutory supplemental information on personal data processing (if processed prior to 1 July 2011).
It seems clear that, in light of the new law, data controllers will have to work hard to revise their internal policies and measures related to personal data processing and security. This work is critical, not least given the contemplated stricter liability for failure to comply with personal data legislation and the regulator’s greater focus on personal data protection.
Although the revised law “On Personal Data” will only come into effect following its official publication, it will cover legal relations from 1 July 2011.