On June 24, 2014, deputies of the State Duma of the Russian Federation, Messrs. Dengin, Lugovoy and Yushenko, introduced Bill No. 553424-6 on Amendments to Certain Legislative Acts of the Russian Federation (Specification of Procedure of Processing Personal Data in Information and Telecommunication Networks) (the “Amendments”). The Amendments were intended mainly to amend the Federal Law No. 152-FZ on Personal Data dated July 26, 2006 and the Federal Law No. 149-FZ on Information, Information Technologies and Protection of Information dated July 27, 2006. The sponsors of the Amendments had stated that it is aimed at providing an opportunity for Russian nationals to request that their personal data be deleted from search websites and similar services. The Amendments have been also advocated by the Russian government as means to protect the information of Russian nationals and protect Russian national security. The Amendments were promptly considered by the State Duma and were adopted in final reading on July 4, 2014. Following approval on July 9, 2014 by the Federation Council, the Amendments were signed by the President on July 21, 20141. They will come into force from September 1, 2016.
This update describes the main provisions of the Amendments.
REQUIREMENT FOR A DATABASE IN RUSSIA
The Amendments require that a processor of personal data, while collecting personal data (including through the Internet), must procure that the recording, systematization, accumulation, storage, specification and extraction of personal data of Russian citizens be performed through a database located in the Russian Federation.
The Amendments set out only a limited number of exceptions to this general requirement, including: (i) the processing of personal data for the purposes of an international treaty or law, or for the performance of the functions, powers and obligations imposed on the data processor by Russian law; (ii) for the performance of justice and execution of judicial acts; (iii) for the performance of the duties of state and municipal authorities and agencies while rendering state and municipal services and (iv) for the professional activities of a journalist or mass media or for scientific, literary or creative activities provided that the rights of a personal data subject are not violated. Information on the location of such databases must be included as part of the notification on processing of personal data.
This requirement under the Amendments would introduce a significant change to the regulation and practice with regard to the cross-border transfer of personal data. Under the current legislative framework, the transfer is performed in accordance with the general rules of personal data legislation (if the state in which the data transferee is located is either a member of Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data or provides for adequate protection of the rights of a personal data subject) or, if the state in which the data transferee is located does not meet the criteria mentioned above, with the consent of the relevant personal data subject. When brought into force, the Amendments will complicate, to a significant extent, the cross-border transfer of personal data, since transferees, including foreign employers, will not be able to store personal data outside of Russia.
RESTRICTION OF ACCESS TO INFORMATION PROCESSED IN VIOLATION OF PERSONAL DATA LEGISLATION
Introduction of the Register of Persons Infringing Rights
The Amendments empower the Federal Service on Oversight in the Sphere of Communication, Information Technologies and Mass Media (“Roskomnadzor”) to maintain a “Register of Persons Infringing the Rights of Personal Data Subjects” (the “Register”). The Register will, among others, include (i) the domain names or references to Internet pages which contain information processed in violation of personal data legislation (“Inappropriate Information”) and (ii) Internet addresses allowing identification of Internet sites which contain Inappropriate Information. Entries to the Register will be made on the basis of court judgments, and entries will be removed from the Register upon the remedy of the relevant breach or the entry into force of a court judgment which overturns the prior court decision.
Limitation of Access to Inappropriate Information
The Amendments describe in detail the procedures for limiting access to Inappropriate Information, consisting of several stages:
- A personal data subject applies to Roskomnadzor to take measures to limit access to Inappropriate Information on the basis of a court judgment;
- Roskomnadzor notifies the provider which procures the processing of Inappropriate Information on the site on which such information is placed and demands that the relevant violations be eliminated;
- The provider notifies the owner of the Internet site upon receipt of the Roskomnadzor notification and demands that violations be eliminated or access to the information be restricted; and
- The owner of the Internet site must then take measures to eliminate the violation indicated in Roskomnadzor notification.
If the owner of the Internet site fails to take measures necessary to eliminate the relevant violations, the provider must restrict access to the site. In the event that the provider fails to restrict access, the identification data of the relevant Internet site is transferred to a communications service provider in order to restrict access to the site.