News from the Russian DPA Conference
Written By
Senior Associate
UK
I am a member of the Russia Desk based in London and I am a Belarussian qualified lawyer who is admitted to practice Russian law. I have also qualified as an English solicitor by completing a training contract with Bird & Bird in April 2016.
Partner
UK
I'm a partner and head of Bird & Bird's Russia Desk in London, offering over fifteen years of practical experience as a Russian qualified lawyer and native speaker to businesses entering and working in the Russian market and advising Russian companies in their outbound activities.
On 7 November 2019, 10th annual International Data Protection Conference in association with the Russian DPA (Roskomnadzor) and the Ministry of Communications took place in Moscow. The conference is a helpful platform for the business to communicate with the regulators.
Personal data: is defined in the Russian Law On Personal Data as 'any information related to a directly or indirectly identified or identifiable individual' which is in line with the respective definition in the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Having said this, there are still questions from the business community which arise in relation to the data which may be deemed personal, in particular, whether telephone number on its own may be considered personal data. Previously, the DPA clarified that the telephone number identified the end user equipment and did not identify an individual data subject. Now, the DPA commented that the DPA is drafting clarifications in relation to the categories and scope of personal data which the DPA aims to publish until the end of 2019. The DPA also commented that there is no intention to amend the statutory definition of personal data and it will remain wide.
Legitimate interest: Under the Russian Law On Personal Data, legitimate interest is one of the statutory grounds for the processing of personal data. Having said this, it is not common in the Russian market to rely on this ground due to limited information on the views of the regulator and enforcement practice. Now the DPA commented that it intends to consider this ground further but it is unlikely to be interpreted widely. The latter alludes to a conclusion that the future interpretation by the Russian DPA of the legitimate interest is unlikely to enable the Russian data operators to rely on legitimate interest as widely as the data controllers under the GDPR under which legitimate interest remains the most flexible legal basis for processing.
Written consent: there are stringent statutory requirements to written consent which the DPA interprets narrowly as requesting a separate consent form for each purpose of processing. As this is cumbersome to comply with in commercial context the Russian Ministry of Communications has initiated a draft law to allow having a number of purposes for processing listed in one consent form enabling a data subject to actively grant consent in relation to each listed purpose.
