Russia: Overhaul of publicly disseminated data processing

Written By

anna shashina module
Anna Shashina

Partner
UK

I'm a partner and head of Bird & Bird's Russia Desk in London, offering over fifteen years of practical experience as a Russian qualified lawyer and native speaker to businesses entering and working in the Russian market and advising Russian companies in their outbound activities.

On 1 March 2021, substantial amendments to the Russian Federal Law No 152-FZ dated 27 July 2006 On Personal Data came into effect (“Amendments”). The Amendments change the rules on processing of publicly disseminated personal data and affect businesses which are publishing or using personal data on the internet.

In particular, employers who publish employee personal data on a website need to examine the Amendments and implement new consent requirements. Data subjects now have wider powers to control and authorise the processing of their data in the public domain. Data subjects also have a right to request that data operators disseminating their data (and any company down the data processing chain) cease from transferring such data.

What are the key Amendments?
  1. The Amendments remove ‘processing of personal data the unlimited access to which is granted by the data subject or at data subject's request (publicly accessible personal data)’as a legitimate ground for data processing. This ground allowed the processing of personal data without a data subject’s consent. 

  2. There is a new definition of ‘personal data which is permitted by the data subject for dissemination’ (“Publicly Disseminated Data” or “PDD”): PDD means personal data, which the general public can access on the basis of the data subject’s consent granted in the manner prescribed by the Amendments. 

  3. A data subject may provide consent to PDD processing directly to the data operator wishing to disseminate the data or via the Russian DPA’s information system which records the data subjects’ consents and data processing restrictions. The Russian DPA is yet to publish the regulation on such information system. 

  4. The data operator has an obligation to publish the terms of and prohibitions on PDD processing by the general public within three working days from obtaining the data subject’s consent. 

  5. Where the data subject discloses his/her personal data to the general public without granting consent to the data operator, then the obligation to prove the legality of the subsequent dissemination or other processing of such personal data resides with each company and/or individual who disseminates or otherwise processes such personal data. 
What are the requirements for the data subject’s consent and are they in line with the GDPR requirements?

The requirements for consent to PDD processing are generally in line with the GDPR with some deviations. The Russian DPA has also issued draft Requirements regarding the content of consent for the processing of PDD (“Draft DPA Requirements”) which are not yet in final form and which we summarise below:

Consent to PDD processing requirements:
Russia
GDPR
specific and informed
YES
YES
unambiguous
YES - affirmative opt-in methods via (i) information system of the data operator, OR (ii) information system of the Russian DPA, OR (iii) in writing with wet or electronic signature.
YES – wider options to obtain consent than under the Draft DPA Requirements
not bundled with the other data processing consents
YES
YES
provide for the data operator’s identity and the purpose(s) of processing
YES
YES
set out the purpose of each of the processing operations for which consent is sought
NO YES
provide for the data subject’s identity
YES
NO
enable the data subject to choose the personal data for dissemination
YES –detailed list is required
YES - type of data is sufficient
terms and prohibitions of PDD processing
YES - the data subject has the right to: (i) prohibit the dissemination to the general public and/or the provision to specific companies/individuals, (ii) prohibit processing (except for providing access) of PDD by the general public after such data publication, and/or (iii) set out the terms of the processing (except in relation to obtaining access) of personal data by the general public. The data operator shall provide the data subject with an option to introduce prohibitions on and terms of processing in relation to detailed sub-categories of personal data.
NO
term of consent
YES - precise term of the consent’s validity is required under the Draft DPA Requirements
NO
internet resources for PDD
YES - websites and/or webpages on which PDD is made publicly available to be listed under the Draft DPA Requirements
NO
indicating in consent the existence of the right to withdraw consent
NO

YES

Does a data subject have a right to revoke consent?

The data subject has a right to revoke consent to the processing of PDD at any time, which is in line with the consent revocation right available prior to the Amendments coming into effect. 

A data subject request to revoke consent should include the full name of the data subject, contact details and the list of personal data being processed which should be ceased. The data operator should cease the transfer of the PDD, including disseminating it, providing the data and any access to it after receiving the data subject’s request.

What are the sanctions for non-compliance with the Amendments?

The Amendments do not introduce new sanctions for non-compliance. This means that the general data protection offences will apply. Non-compliance with the new requirements on PDD processing may amount to administrative fines for personal data processing without a legitimate ground envisaged by the Russian privacy legislation. An explanatory note to the draft Amendments which was provided by the legislator also refers to the above data protection offence. 

Latest insights

More Insights
Curiosity line teal background

Talent Wars: The Impact of Artificial Intelligence on Human Resource Practices Across Asia

Dec 27 2024

Read More
Curiosity line yellow background

China Cybersecurity and Data Protection: Monthly Update - December 2024 Issue

17 minutes Dec 23 2024

Read More
featured image

EDPB weighs in on key questions on personal data in AI models

1 minute Dec 20 2024

Read More