News from the Russian DPA Conference

Written By

mila navitskaya module
Mila Navitskaya

Senior Associate
UK

I am a member of the Russia Desk based in London and I am a Belarussian qualified lawyer who is admitted to practice Russian law. I have also qualified as an English solicitor by completing a training contract with Bird & Bird in April 2016.

anna shashina module
Anna Shashina

Partner
UK

I'm a partner and head of Bird & Bird's Russia Desk in London, offering over fifteen years of practical experience as a Russian qualified lawyer and native speaker to businesses entering and working in the Russian market and advising Russian companies in their outbound activities.

On 7 November 2019, 10th annual International Data Protection Conference in association with the Russian DPA (Roskomnadzor) and the Ministry of Communications took place in Moscow. The conference is a helpful platform for the business to communicate with the regulators.

This time some of the data protection issues arising in the commercial activities discussed during the conference were as follows:


Personal data
: is defined in the Russian Law On Personal Data as 'any information related to a directly or indirectly identified or identifiable individual' which is in line with the respective definition in the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Having said this, there are still questions from the business community which arise in relation to the data which may be deemed personal, in particular, whether telephone number on its own may be considered personal data. Previously, the DPA clarified that the telephone number identified the end user equipment and did not identify an individual data subject. Now, the DPA commented that the DPA is drafting clarifications in relation to the categories and scope of personal data which the DPA aims to publish until the end of 2019. The DPA also commented that there is no intention to amend the statutory definition of personal data and it will remain wide.

Legitimate interest: Under the Russian Law On Personal Data, legitimate interest is one of the statutory grounds for the processing of personal data. Having said this, it is not common in the Russian market to rely on this ground due to limited information on the views of the regulator and enforcement practice. Now the DPA commented that it intends to consider this ground further but it is unlikely to be interpreted widely. The latter alludes to a conclusion that the future interpretation by the Russian DPA of the legitimate interest is unlikely to enable the Russian data operators to rely on legitimate interest as widely as the data controllers under the GDPR under which legitimate interest remains the most flexible legal basis for processing.

Written consent: there are stringent statutory requirements to written consent which the DPA interprets narrowly as requesting a separate consent form for each purpose of processing. As this is cumbersome to comply with in commercial context the Russian Ministry of Communications has initiated a draft law to allow having a number of purposes for processing listed in one consent form enabling a data subject to actively grant consent in relation to each listed purpose.


Latest insights

More Insights
featured image

EDPB weighs in on key questions on personal data in AI models

1 minute Dec 20 2024

Read More
Curiosity line green background

Australia’s first standalone cyber security law – the Cyber Security Act 2024

Dec 18 2024

Read More
Curiosity line teal background

The New Cybersecurity Dawn – Hong Kong readies for new critical infrastructure legislation

7 minutes Dec 10 2024

Read More