I. APPLICABLE LAWS AND REGULATIONS
A. Introduction —
Article 23 of the Constitution of the Russian Federation (in Russian; in English) grants every person the rights to the inviolability of private life, personal and family secrets, the protection of honor and good name, and the privacy of all means of correspondence. Article 24 further makes it illegal to collect, keep, use, or disseminate any information about an individual's private life without his consent. According to the Russian Constitutional Court (in Russian), constitutional privacy protections cannot be overridden by a user agreement. Therefore, any communications provider with control of a person's correspondence must still observe users’ privacy rights and may not access or disseminate the information therein. See “Russian Privacy Enforcement Processes Outlined in New Guidance,” Privacy Law Watch (Sept. 26, 2017).
The main data protection law in Russia is Federal Law of 27 July 2006, No. 152-FZ, On Personal Data (Data Protection Act, or DPA) (in Russian; in English). There is also a general law governing information technology, Federal Law of 27 July 2006, No. 149-FZ, On Information, Information Technology, and Protection of Information (Information Law) (in Russian).
Supplementing the DPA in the employment context is the Labor Code of the Russian Federation of 30 December 2001, specifically Chapter 14, Protection of Personal Information of an Employee (in Russian; in English from the Geneva-based International Labour Organization, to which the Library of Congress guide on Russian law links for English translations of Russian laws). The English version of the Labor Code, however, was translated before the passage of Federal Law No. 99-FZ of 7 May 2013 (in Russian), which repealed Article 85 of the Labor Code (the article that had defined “personal information of an employee”) in deference to the definition of personal data in the DPA.
B. General Requirements Applicable to Processing Personal Data —
The DPA defines “personal data” broadly, in Article 3(1), as any information relating directly or indirectly to an identified or identifiable individual (the data subject). Article 6 of the DPA lists the conditions under which personal data processing may occur, including with the consent of the data subject or where processing is required by Russian law. Article 10 of the DPA contains additional limitations on the processing of “special categories of personal data,” which include data concerning race, ethnicity, political opinions, religious or philosophical beliefs, health, and intimate life; as a rule, such data may be processed only with the data subject's written consent or under one of the exceptions Article 10 enumerates.
There is no legal requirement to report data breaches to any government agency or to the data subjects whose data was compromised in the breach. Article 22.1 of the DPA does require every data operator to appoint a person responsible for organizing the processing of personal data, a role often referred to in other countries as a data protection officer.
Federal Law of 21 July 2014, No. 242-FZ (in Russian; in English) amended sections of the DPA and Information Law, most notably requiring data operators to store all personal data of Russian citizens in databases located within Russia by Sept. 1, 2015.
The legislation also added a section to the Information Law setting forth procedures to create a registry of websites that violate the DPA and to block access to such websites. On Aug. 19, 2015, the Russian government issued a decree (in Russian) establishing the registry, which entered into force on Sept. 1, 2015. Federal Law No. 264-FZ, Russia's so-called “Right to Be Forgotten” law, became effective Jan. 1, 2016. It requires search engine operators, upon a data subject's request, to stop returning links to personal information that is inaccurate, no longer relevant, or that was released unlawfully. The requirement does not apply to information about criminal offenses (where the limitation period has not expired or the conviction has not been expunged), nor to search engines operated by federal and municipal authorities. Federal Law No. 439-FZ, signed Dec. 30, 2015, sets financial penalties for search engines that fail to comply with right-to-be-forgotten requirements.
Under Roskomnadzor Order No. 94 of May 30, 2017 (in Russian), companies that process personal data must follow specific protocols when notifying Roskomnadzor about their processing operations. Specifically, they must describe their safeguards for preventing breaches, declare whether and to where they intend to transfer data outside Russia, and confirm compliance with Russia's data localization law (see Section I.C., below). Roskomnadzor has released a notification form for use in such communications.
C. Data Management —
Federal Law No. 374-FZ of 6 July 2016 (in Russian), which took effect on July 20, 2016, amended the Information Law and the Law on Telecommunications to require telecommunications operators to store information about the receipt, transmission, delivery, and processing of voice, text, pictures, sounds, video, or other communications for three years from the completion of those actions. Organizers of information dissemination on the internet (messaging, e-mail, and social media services, referred to here as ISPs) must store the same information for one year. The law also requires both telecommunications operators and ISPs to store the actual content of communications for up to six months from the completion of the communication. See “Russia Demands Telcos, Web Providers Retain Personal Data,” Privacy Law Watch (July 8, 2016).
On June 26, 2018, Russia issued Decree No. 728 (in Russian) approving rules for the storage of communications information in accordance with the Information Law. The rules took effect July 1, 2018. Under the rules, providers of internet telecommunications services must store information belonging to users registered under a network address in Russia, users logged in via a network address in Russia, users who registered using an identity document or telephone number issued by Russia, users transmitting metadata from a location inside Russia, or users identified by certain state bodies as located within the territory of Russia. Telecommunications services must store that information in full for six months following the end of the messages’ reception, transmission, delivery, or processing.
On Dec. 18, 2018, Russia issued Federal Law No. 472-FZ (in Russian), which amended the registry of prohibited information to include information aimed at inducing or otherwise involving minors in unlawful acts.
On March 18, 2019, Russia enacted Federal Law No. 31-FZ (in Russian), which grants authorities the power to block websites that fail to comply with requests to remove information the state deems to be knowingly false. Companion legislation signed the same day prohibits material that shows “blatant disrespect” online for the state, the authorities, the public, the Russian flag or the constitution, and provides for fines for disseminating it.
Russia's data localization law, Federal Law No. 242-FZ, requires companies that collect personal data on Russian citizens to store such data in databases located inside Russia. Local databases must be used for any recording, systematization, accumulation, storage, extraction, and updating of such data, except in the limited circumstances listed in Article 6(1)(2)-(4) and (8) of the DPA, as cross-referenced by Article 18(5). The law does not apply to data gathered before Sept. 1, 2015, unless the data has been updated after that date. The localization requirement applies not only to companies operating in Russia, but also to foreign entities that have branches or representative offices in Russia or that orient their business activities towards Russia through the internet. According to guidance (in Russian) provided by the Ministry of Communications and Mass Media (Minsvyaz), to be considered an organization orienting business towards Russia, an organization must either use a domain name associated with Russia (e.g., “.ru” or “.moscow”) or provide a Russian-language version of its website. Additionally, the organization must meet one or more of the following criteria: the ability to pay in Russian rubles, the possibility of performing an agreement (e.g., delivery of goods or use of content) in Russian territory, the use of advertising in Russian, or a clear indication of intent to include the Russian market in its business strategy. See “Russia Clarifies Looming Data Localization Law,” Privacy Law Watch (Aug. 6, 2015).
Russia does not have a data disposal law, but Article 5(7) of the DPA requires that personal data be destroyed or depersonalized upon the achievement of the goals for which the data was originally gathered or when such goals cease to be relevant.
II. REGULATORY AUTHORITIES AND ENFORCEMENT
The Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) is the agency given primary responsibility under Article 23 of the DPA. Within Roskomnadzor, a Department for Protecting the Rights of Personal Data Subjects handles this work. Data operators (the DPA's term for the entity that determines the purposes and content of processing, roughly a controller in other jurisdictions) must notify Roskomnadzor before they begin processing, pursuant to Article 22, and Roskomnadzor maintains a public register of operators under Article 23(5); individuals can search that register (in Russian). More information on the powers of Roskomnadzor is available on the organization's website.
If a data subject believes their rights have been violated, they can bring a complaint to Roskomnadzor. Pursuant to Article 23(3) of the DPA, Roskomnadzor can order a data operator to rectify, block, or destroy inaccurate or unlawfully obtained data; suspend or terminate processing that is not carried out in accordance with the DPA; or bring a case and represent the interests of the data subject in court. It can also send relevant materials to the competent authorities to help them decide whether to open criminal proceedings for a violation of the DPA. Roskomnadzor also has the right to take administrative action against persons found guilty of violating the DPA and to consider appeals from citizens and legal entities on matters relating to personal data processing, including the authority to issue decisions on such appeals within the powers granted to it by the DPA. Effective July 1, 2017, Federal Law No. 13-FZ (in Russian) raised the maximum administrative penalty for a legal entity's breach of the DPA from RUB 10,000 to RUB 50,000 for processing that is unlawful or incompatible with the stated purposes, and to RUB 75,000 for processing without the required written consent.
In April 2015, the Ministry of Communications and Mass Media (Minsvyaz) issued an order (in Russian) expanding Roskomnadzor's authority to audit online companies' handling of user data. The order allows Roskomnadzor to check how online businesses process, store, and transmit the text, voice, and other electronic messages of internet users. Audits may be undertaken at the request of law enforcement or if an information dissemination organizer fails to comply with an earlier written request to conform to legislative requirements. Companies must be informed of an audit at least 24 hours in advance, and Roskomnadzor has at most 60 days to conduct it. See “Ministry Adopts Rules Expanding Online Data Processing Audit Authority,” World Data Protection Report (Apr. 23, 2015).
Federal Law No. 18-FZ (in Russian), effective March 25, 2017, allows Roskomnadzor to fine telecommunications operators up to RUB 100,000 for failing to comply with orders to restrict access to certain information, and provides for fines of up to RUB 5,000 for their officials.
According to guidance published by Roskomnadzor in September 2017, websites may be blocked in Russia for data protection violations only if a court determines that the company responsible has violated the data protection law or relevant regulations. Such violators are added to the registry of infringing websites. Companies may ask the court to have websites that later come into compliance removed from the registry. See “Russian Privacy Enforcement Processes Outlined in New Guidance,” Privacy Law Watch (Sept. 26, 2017).
III. RISK ENVIRONMENT
During the past few years, Roskomnadzor has been very active in exercising control over observance of data protection rules by operators. According to the official report for 2016 (in Russian), Roskomnadzor conducted 1,307 scheduled and 99 unscheduled audits of legal entities, along with 333 audits of federal and municipal authorities. Based on these audits, Roskomnadzor issued 619 prescriptions requiring operators to eliminate certain violations related to processing of personal data. As for fines, Roskomnadzor imposed administrative fines in aggregate of RUB 3,713,814. Recently, however, Roskomnadzor's planned compliance audits have decreased as the agency has shifted focus from compliance assessment to risk-oversight procedures.
The current enforcement focus of Roskomnadzor is the internet industry and, in particular, social media services such as Facebook and Twitter. Notably, Roskomnadzor continues to pursue violations of Federal Law No. 242-FZ and its data localization requirements. In February 2018, Roskomnadzor announced that Facebook would be subject to an audit by the end of the year. See “Facebook Faces Russia Data Protection Audit in 2018,” Privacy Law Watch (Feb. 9, 2018). On Dec. 18, 2018, Roskomnadzor head Alexander Zharov announced that he had sent compliance notices to both Facebook and Twitter seeking responses by Jan. 17, 2019 regarding each company's intentions to meet the requirements of the localization law. On Jan. 21, 2019, following receipt of those responses, Roskomnadzor announced the start of administrative proceedings against the two companies on the grounds that they had failed to submit detailed plans with deadlines for meeting the localization requirements.
Both Google and the messaging service Telegram have been subject to similarly notable enforcement actions. On June 22, 2017, Roskomnadzor confirmed that access to Google had been blocked because Google had redirected users to websites containing illegally stored personal information. Access was restored once Google removed the links. See “Google Need Not Restore Deleted Links, Russian Court Rules,” Privacy Law Watch (June 23, 2017). Russia subsequently fined Google 500,000 rubles in December 2018 and 700,000 rubles in June 2019 for failing to remove all search links to banned information.
Similarly, Telegram agreed in June 2017 to register with the state register of information dissemination organizers in order to avoid a ban. Roskomnadzor had threatened Telegram over allegations that terrorists had used the service to plan attacks, but backed off once Telegram agreed to provide “all legally required” information. See “Telegram Chief Concedes to Russia's Demand to Register Service,” Privacy Law Watch (June 29, 2017). Telegram ran into trouble again in March 2018, however, when it refused to provide encryption keys to the Federal Security Service (FSB). As a result of Telegram's refusal, Roskomnadzor obtained a court order adding the service to Russia's registry of blocked websites. See “Moscow Court Blocks Telegram Chat App After $1.7 Billion ICO,” Privacy Law Watch (April 16, 2018); “Russia Blocks Telegram, Forcing Kremlin to Switch Service,” Privacy Law Watch (April 17, 2018). Roskomnadzor has since blocked large ranges of IP addresses belonging to Google and Amazon cloud services that Telegram used to bypass the blocking. See “Russia's War on Telegram Expands to Google, Amazon Battlefields,” Privacy Law Watch (April 19, 2018).
Roskomnadzor has also been active in blocking websites that offer access to other people's personal information. In January 2018, it blocked two websites that gave access to social media users' personal data and photos without their consent. See “Russia Bans Websites for Sharing Photos, Data Without Consent,” Privacy Law Watch (Jan. 25, 2019). On Jan. 29, 2018, the Supreme Court upheld Roskomnadzor's finding that a credit bureau had unlawfully harvested social media data for use in big data processing services. See “Russia High Court Nixes Capture, Processing of Social Media Data,” Privacy Law Watch (Feb. 2, 2018).
Russian law provides administrative, civil, and criminal liability for the unauthorized collection, disclosure, transfer, and/or use of legally protected personal data. On Dec. 3, 2019, a new law came into force that significantly increases fines for violations of Russia's data protection law. The law sets the fine for a legal entity's first violation of the data localization requirement at up to 6 million rubles; repeated violations incur escalating fines with a maximum of 18 million rubles. Officials can face fines of up to 200,000 rubles and, for repeated violations, as much as 800,000 rubles. The law also introduces increased fines for repeated violations of the Information Law (Federal Law No. 149-FZ of July 27, 2006). Roskomnadzor publishes a list of the companies it plans to inspect, but it may also initiate unplanned inspections based on data subject complaints or on its online monitoring of company activity.
Under current enforcement practice, if an investigation finds several similar violations relating to personal data, Roskomnadzor will likely open a separate administrative case for each violation against the company or the responsible officer, rather than a single case; the same tendency is seen in administrative cases under labor and competition law. In terms of civil liability, the individual whose rights were violated may claim compensation for damages and moral harm from any person who breached those rights. Criminal liability for breach of personal data laws can be imposed only on individuals, not on legal entities (Criminal Code art. 137, “Invasion of Personal Privacy,” and art. 272, “Illegal Access to Computer Information” (unofficial English translation posted by the World Intellectual Property Organization)). To date, there are a number of court sentences in which an individual has been found criminally liable under art. 137 or art. 272 of the Criminal Code.
Shortly after the enactment of Law No. 13-FZ, Roskomnadzor released new guidance (in Russian) encouraging online services to adopt privacy policies that fully comply with the law. Such policies should describe the types of data processed and the conditions and time frames for processing and storage, and they should be publicly available. See “Russian Privacy Office Schools Web Companies on Privacy Policies,” Privacy Law Watch (Aug. 1, 2017).
IV. EMERGING ISSUES AND OUTLOOK
A. Data Retention Laws —
Federal Law No. 374-FZ of 6 July 2016 (in Russian) requires telecommunications operators and ISPs to store customers’ text, voice, image, sound, video, and other messages for six months. Additionally, ISPs must store message logs (metadata) for one year, while telecommunications operators must store call and message logs for three years. The law also requires ISPs that encrypt messages to provide the Federal Security Service with the information needed to decode them. Failure to comply with the law may result in administrative fines of up to RUB 1,000,000 for businesses and up to RUB 50,000 for company executives. The law took effect on July 20, 2016, but its requirements regarding storage of customers' messages (text, voice, image, video, etc.) did not take effect until July 1, 2018. See “Russia Demands Telcos, Web Providers Retain Personal Data,” Privacy Law Watch (July 8, 2016). In June 2018, Russia issued Decree No. 728, establishing rules for the storage of electronic communications, which took effect July 1, 2018. See Section I.C., above.
B. Consent Withdrawal Portal —
On May 18, 2017, Roskomnadzor announced plans (in Russian) to develop an online portal that would allow individuals in the country to disallow use of their personal information. Planned for 2019, the portal would include information from companies about the data they collect, and it would allow users to revoke consent for data processing in one place. Related legislation would impose penalties on businesses that fail to provide information for the portal or to comply with user requests. See “Russia Plans to Ease Withdrawal of Data Use Consent,” Privacy Law Watch (May 19, 2017).
C. Regulation of Messenger Services —
Russia has continued to expand its regulation of online communications through a series of laws. Federal Law No. 276-FZ (in Russian), signed on July 29, 2017, requires operators of VPNs, anonymizers and similar tools to block access to content banned in Russia, and allows Roskomnadzor to require internet service providers to block access to tools that do not comply. The law entered into force on Nov. 1, 2017. Federal Law No. 241-FZ (in Russian), also signed on July 29, 2017, requires providers of instant messaging services to identify users by telephone number. Law No. 241-FZ entered into force on Jan. 1, 2018. For more information, see “Russia Requires Messaging Apps to Identify Users,” Privacy & Security Law Report (Aug. 7, 2017).
D. Critical Infrastructure Regulation —
In July 2017, Russia enacted Federal Law No. 187-FZ (in Russian), which focuses on increasing the security of telecommunication and IT systems deemed to be part of Russia's critical information infrastructure. The law, which entered into effect on Jan. 1, 2018, requires businesses and government authorities that own and operate critical infrastructure systems to notify the regulatory authorities of cyberattacks. Regulatory authorities may inspect such systems through both scheduled and unscheduled inspections. Federal Law No. 194-FZ (in Russian), enacted at the same time, amends the Criminal Code to make unauthorized access to critical information infrastructure, or violation of its operating rules, punishable by up to six years in prison. Violations resulting in “grave consequences” are punishable by up to ten years in prison. See “Russia Enacts Critical Infrastructure Cybersecurity Law,” Privacy Law Watch (July 28, 2017).
In February 2018, the government issued Decree No. 127 of Feb. 8, 2018 (in Russian). The decree identifies cybersecurity criteria for companies conducting critical infrastructure operations. It also requires the CEO of each company to establish a critical infrastructure cybersecurity commission made up of five categories of specialists, including the CEO or a trustee of the CEO, in order to identify facilities whose protection should be prioritized. See “Russia Adopts Critical Infrastructure Cybersecurity Regulation,” Privacy Law Watch (Feb. 14, 2018).
E. Biometric Database —
In December 2017, the Central Bank of the Russian Federation (CBR) announced the creation of a new biometric database for financial services. Under the new system, banks may register Russian citizens in the Unified Identification and Authentication System (ESIA) by collecting biometric information in person and transmitting it to the Unified Biometric System. Citizens registered in the ESIA may then remotely open accounts by confirming their biometric data using any phone or computer with a microphone and a camera. Russian banks began implementing the system in June 2018. According to the CBR, all Russian banks must provide a biometric collection service by the end of 2019. For more information, see “Russia Plans National Biometric Database Starting Next Year,” Privacy & Security Law Report (Jan. 8, 2018).
In response to the new identification system, Russia enacted Federal Law No. 482-FZ of Dec. 31, 2017 (in Russian) in order to allow credit institutions to confirm clients’ identities by processing biometric data. In June 2018, the government published a series of resolutions (in Russian) establishing procedures for authenticating the recording of biometric identifiers in a database, determining the composition of data placed in the database, and establishing a form for obtaining consent from a citizen in order to process the data necessary for registration in the ESIA. For more information, see “Russia Moves to Regulate Biometric Data Processing,” Privacy Law Watch (July 6, 2018).
In March 2018, Russia also issued a regulation (in Russian) appointing the Ministry of Communications and Mass Media as the regulatory authority in charge of overseeing the collection, processing, and storage of biometric data. The regulation took effect on June 30, 2018. See “Russia Taps Telecom Ministry as Biometric Data Regulator,” Privacy Law Watch (April 30, 2018).
F. Draft Social Media Law —
In April 2018, Russia revived a draft law (in Russian) that would amend the Information Law and impose new restrictions on social networks. Under the draft, any social network with more than 100,000 daily users in Russia would be required to establish a local representative office in Russia, identify users by mobile phone number, and delete certain content.
On April 12, 2018, the draft law was accepted by the lower chamber of Russian Parliament (State Duma) in its first reading (in Russian).
G. Convention 108+ —
On Oct. 10, 2018, Russia joined 20 other countries in signing the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108+). The Protocol seeks to modernize the Strasbourg Convention on Data Protection to account for the new challenges to privacy that have arisen since the Convention's adoption in 1981. The Protocol will also serve as a binding international agreement that mirrors many of the requirements of the EU General Data Protection Regulation. Under the Protocol, countries will need to expand their data protection provisions, including stronger proportionality and data minimization principles, a broader definition of “sensitive data,” and a breach notification obligation. The Protocol enters into force three months after all parties to the Convention have ratified it. If not all parties have ratified it by Oct. 10, 2023, it enters into force for the countries that have, provided at least 38 have done so. As of Jan. 9, 2019, 24 of the 53 parties to the Convention had signed the Protocol.
H. Expanding Regulatory Powers —
On Feb. 13, 2019, Russia adopted a resolution (in Russian) that expands the information available to Roskomnadzor during compliance audits, allowing it full access to the personal data held by the audited company. Previously, Roskomnadzor could inspect only the software and services used for processing. The resolution also allows Roskomnadzor to perform scheduled audits of certain operators more frequently, and it clarifies and expands the list of grounds for extending the time frame of an audit.
I. Planned Regulation of Big Data —
On Nov. 8, 2016, Roskomnadzor released a statement criticizing the data protection policies of multinational technology companies. In response to those policies, Roskomnadzor head Alexander Zharov pledged to adopt “big data” legislation, together with the establishment of a domestic big data operator, which would better protect consumer data. The pledge came as Zharov called on public, private, and state organizations to implement their own security projects to create a safe digital environment for customers. On the same day, the head of Roskomnadzor also oversaw the signing of a “Code of Good-Faith Online Practices,” developed by nearly 30 organizations, including telecommunications, banking, and insurance businesses. A draft of the big data legislation was submitted to the State Duma on Oct. 23, 2018 and is currently pending.
J. Draft Law on Regulation of the Internet —
In November 2016, the Ministry of Communications and Mass Media (Minsvyaz) announced a draft Law on Amendments to the Federal Law on Telecommunications. The draft would regulate the internet and critical infrastructure so as to bring the Russian segment of the internet under the control of a single regulator, allowing it to function autonomously.
K. Covid-19 Impact on Privacy Law —
Unlike other areas of law (e.g., public administration, private law, bankruptcy proceedings) that the government has amended on an urgent basis to adapt to the coronavirus pandemic, data protection regulations remain untouched and continue to apply. Among the lawful grounds for processing listed in Article 6 of the DPA, alongside the data subject's consent, is processing necessary to protect the data subject's life, health or other vital interests where it is impossible to obtain consent. Article 10 of the DPA, which contains additional limitations on the processing of “special categories of personal data” (including data concerning a person's health status), mirrors that provision: special categories may be processed without the written consent of the data subject if processing is necessary to protect the life, health or other vital interests of the data subject or of other persons, and it is impossible to obtain the data subject's consent. Therefore, processing of personal data, including information about a person's symptoms, contacts, and health status, is allowed during the pandemic without the person's consent if obtaining that consent is impossible.
In the employment context, Chapter 14 of the Labor Code (see Section I.A., above) continues to govern employee personal data. In March 2020, employers were obliged to begin measuring employees' temperatures and suspending those whose temperatures were “high.” The measures were implemented not at the federal level, but through regulatory acts issued by the authorities of Russia's constituent entities.
On March 10, 2020, Roskomnadzor published on its website a clarification responding to numerous inquiries from employers seeking to use thermal cameras at building entrances to process the personal data of employees and visitors. Roskomnadzor clarified that measuring employees' temperature without their consent is allowed, subject to Article 88 of the Labor Code (under which an employer may not request information about an employee's state of health except for information bearing on the employee's ability to perform their job functions). As for measuring the temperature of other visitors, Roskomnadzor clarified that their consent can be implied from their wish to enter the building. Under these clarifications, all employees and visitors must be informed that thermal cameras will be used to measure their temperature (a notice at the building entrance is recommended), and any data collected by the cameras must be destroyed within 24 hours of collection.
To combat the spread of the coronavirus in Moscow, the authorities intended to implement a “quarantine” regime under which all residents would have to obtain a QR code on their smartphones each time they wished to leave their homes. To receive a QR code (which would be a legal ground for being outdoors and would be valid for a limited time), each person would have to register their personal data and state the purpose of leaving home. The authorities faced numerous objections on privacy and personal data protection grounds, and the plan was temporarily put on hold by the Moscow mayor's office.