Russia: Overhaul of publicly disseminated data processing
Written By
Partner
UK
I'm a partner and head of Bird & Bird's Russia Desk in London, offering over fifteen years of practical experience as a Russian qualified lawyer and native speaker to businesses entering and working in the Russian market and advising Russian companies in their outbound activities.
Related
Practices
Sectors
Trending Topics
Regions
On 1 March 2021, substantial amendments to the Russian Federal Law No 152-FZ dated 27 July 2006 On Personal Data came into effect (“Amendments”). The Amendments change the rules on processing of publicly disseminated personal data and affect businesses which are publishing or using personal data on the internet.
In particular, employers who publish employee personal data on a website need to examine the Amendments and implement new consent requirements. Data subjects now have wider powers to control and authorise the processing of their data in the public domain. Data subjects also have a right to request that data operators disseminating their data (and any company down the data processing chain) cease from transferring such data.
What are the key Amendments?
- The Amendments remove ‘processing of personal data the unlimited access to which is granted by the data subject or at data subject's request (publicly accessible personal data)’as a legitimate ground for data processing. This ground allowed the processing of personal data without a data subject’s consent.
- There is a new definition of ‘personal data which is permitted by the data subject for dissemination’ (“Publicly Disseminated Data” or “PDD”): PDD means personal data, which the general public can access on the basis of the data subject’s consent granted in the manner prescribed by the Amendments.
- A data subject may provide consent to PDD processing directly to the data operator wishing to disseminate the data or via the Russian DPA’s information system which records the data subjects’ consents and data processing restrictions. The Russian DPA is yet to publish the regulation on such information system.
- The data operator has an obligation to publish the terms of and prohibitions on PDD processing by the general public within three working days from obtaining the data subject’s consent.
- Where the data subject discloses his/her personal data to the general public without granting consent to the data operator, then the obligation to prove the legality of the subsequent dissemination or other processing of such personal data resides with each company and/or individual who disseminates or otherwise processes such personal data.
What are the requirements for the data subject’s consent and are they in line with the GDPR requirements?
The requirements for consent to PDD processing are generally in line with the GDPR with some deviations. The Russian DPA has also issued draft Requirements regarding the content of consent for the processing of PDD (“Draft DPA Requirements”) which are not yet in final form and which we summarise below:
| Consent to PDD processing requirements: |
Russia |
GDPR |
| specific and informed |
YES |
YES |
| unambiguous |
YES - affirmative opt-in methods via (i) information system of the data operator, OR (ii) information system of the Russian DPA, OR (iii) in writing with wet or electronic signature. |
YES – wider options to obtain consent than under the Draft DPA Requirements |
| not bundled with the other data processing consents |
YES |
YES |
| provide for the data operator’s identity and the purpose(s) of processing |
YES |
YES |
| set out the purpose of each of the processing operations for which consent is sought |
NO | YES |
| provide for the data subject’s identity |
YES |
NO |
| enable the data subject to choose the personal data for dissemination |
YES –detailed list is required |
YES - type of data is sufficient |
| terms and prohibitions of PDD processing |
YES - the data subject has the right to: (i) prohibit the dissemination to the general public and/or the provision to specific companies/individuals, (ii) prohibit processing (except for providing access) of PDD by the general public after such data publication, and/or (iii) set out the terms of the processing (except in relation to obtaining access) of personal data by the general public. The data operator shall provide the data subject with an option to introduce prohibitions on and terms of processing in relation to detailed sub-categories of personal data. |
NO |
| term of consent |
YES - precise term of the consent’s validity is required under the Draft DPA Requirements |
NO |
| internet resources for PDD |
YES - websites and/or webpages on which PDD is made publicly available to be listed under the Draft DPA Requirements |
NO |
| indicating in consent the existence of the right to withdraw consent |
NO |
YES |
Does a data subject have a right to revoke consent?
The data subject has a right to revoke consent to the processing of PDD at any time, which is in line with the consent revocation right available prior to the Amendments coming into effect.
A data subject request to revoke consent should include the full name of the data subject, contact details and the list of personal data being processed which should be ceased. The data operator should cease the transfer of the PDD, including disseminating it, providing the data and any access to it after receiving the data subject’s request.
What are the sanctions for non-compliance with the Amendments?
The Amendments do not introduce new sanctions for non-compliance. This means that the general data protection offences will apply. Non-compliance with the new requirements on PDD processing may amount to administrative fines for personal data processing without a legitimate ground envisaged by the Russian privacy legislation. An explanatory note to the draft Amendments which was provided by the legislator also refers to the above data protection offence.
