Recent Amendments to the Procedure of Personal Data Processing in Russia
Federal Law No. 242-FZ "On Amendments to Certain Legislative Acts of the Russian Federation for Clarification of the Procedure of Personal Data Processing in Information and Telecommunication Networks" (the "Federal Law No. 242") was adopted on 21 July 2014.
Federal Law No. 242 introduces the following changes: to Federal Law No. 152-FZ "On personal data" dated 27 July 2006 (as amended) by establishing localization requirement for personal data processing; and to Federal Law No. 149-FZ "On information, information technologies and protection of information" dated 27 July 2006 (as amended) by establishing procedure for blocking access to information resources on which unlawful processing of personal data takes place.
Federal Law No. 242 comes into force on 1 September 2016. The acceleration of the entry into force and change of the effective date of the Federal Law No. 242 to 1 January 2015 is however proposed by a draft law which was submitted to the State Duma (lower chamber of the Russian Parliament) on 1 September 2014. In order to become a law, the draft amendments shall be adopted through the usual law-making procedure, which duration is difficult to predict (it involves adoption by the State Duma in three readings, approval by the Federation Council (upper chamber of the Russian Parliament), signing by the President of the Russian Federation and official publication).
Localization requirement for personal data processing
Under Federal Law No. 242 so called "operators" or "personal data operators" are required to carry out certain types of "processing" of Russian citizens' "personal data" by using "databases", located in Russia.
In this context: Personal data means any information directly or indirectly related to any identified or potentially identifiable person. It includes, among other things, first name and family name, date and place of birth, address, information about family status, education, profession, income; Personal data operator means a state or municipal authority, legal entity or individual that solely or jointly organize(s)and/or perform(s) the processing of personal data and determine(s) the purposes and scope of such processing; Localization requirement applies not to all but only to the following types of personal data processing: recording, systematization, accumulation, storage, specification (updating and amending), and extracting; Personal data processing means any action or combination of actions performed with regard to / with any personal data, including collection, recording, systematization, accumulation, storage, use, transfer (distributing, providing or authorizing access to), blocking, deleting and destroying of any personal data; Database means set of independent materials systematized in such a way that these materials can be retrieved and processed using the computer; and Before starting personal data processing operators are required to notify the Federal Service for Supervision in the Area of Telecoms, Information Technologies and Mass Communications, which is the state authority responsible for the enforcement of the Personal Data Law ("Roskomnadzor") on the location of the database(s) containing personal data of Russian citizens.
The requirement of using databases "located in Russia" is not entirely clear, especially given that location of certain databases (e.g. clouds) is difficult to ascertain, but most likely this requirement implies that personal data operators are required to use local facilities (server(s) / data center(s)) located in Russia either owned or provided by third parties; each potential option requires proper legal and tax consideration.
It is not yet clear from Federal Law No. 242 whether Russian citizens' personal data may be processed with the use of the databases located outside of Russia in addition to being processed using databases located in Russia (e.g. for the purposes of back-up or duplicate storage).
Procedure for blocking access to infringing information resources
Procedure for blocking information resources on which unlawful processing of personal data takes place, introduced by Federal Law No. 242, includes the following stages:
Stage 1: The "personal data subject" (any individual identified or potentially identifiable on the basis of the personal data) whose personal data is being processed unlawfully shall obtain the relevant court decision acknowledging the unlawful processing of his/her personal data.
Stage 2: After entry of the relevant court decision into force the personal data subject may apply to Roskomnadzor with the request to limit access to his/her personal data.
Stage 3: Roskomnadzor within 3 (three) business days from the date of the relevant court decision's entry to force shall determine the hosting provider or any other person ensuring the processing of the personal data (the "Hosting Provider"), serve the Hosting Provider with a notification requesting the Hosting Provider to take measures to terminate unlawful processing of personal data and include information on the unlawful processing of personal data (including domain name, webpage, web address identifying websites on which personal data has been unlawfully processed, etc.) into the Register of Infringers of Rights of the Personal Data Subjects.
Stage 4: The Hosting Provider within 1 (one) business day from the date of receipt by the Hosting Provider of Roskomnadzor's notification shall liaise with the operator of the information resource, serviced by the Hosting Operator, requesting the operator of the information resource to terminate unlawful processing of personal data or restrict access to unlawfully processed information.
Stage 5: The operator of the information resource shall terminate unlawful processing of personal data within 1 (one) business day from the date of receipt of the request from the Hosting Operator. If the unlawful processing of personal data is not terminated by the operator of the information resource, the Hosting Provider, must restrict access to the information resource on which that personal data has been unlawfully processed not later than within 3 (three) business days from the date of receipt by the Hosting Provider of Roskomnadzor's notification.
Stage 6: Failure of the Hosting Provider or the operator of the information resource to undertake measures, described in Stages 4 and 5 above, entails submission of the information about unlawful processing of personal data to the telecommunication companies, which shall restrict access to the information resource on which that personal data has been unlawfully processed (including blocking of the relevant domain name or website). If the measures described in Stages 4 and 5 above are properly undertaken or if the court decision acknowledging the unlawful processing of personal data is overruled, Roskomnadzor or the entity keeping and maintaining the Register of Infringers of Rights of the Personal Data Subjects removes the information on the unlawful processing of personal data from such register.
 - Excluding personal data processing: (i) to achieve objectives stipulated by the international treaties of the Russian Federation or law, and for the performance of functions, powers or obligations of the personal data operators, imposed by law; (ii) for the performance of justice, enforcement of a judicial act, act of another authority or official, as provided by the laws on enforcement of judicial decisions; (iii) for the performance of powers imposed on the federal and municipal authorities, non-budgetary funds and organizations rendering state and municipal services, including registration in the unified and regional portals of state and municipal services; or (iv) for the professional activities of a journalist or mass media or for scientific, literature or other artistic activities, provided that rights and legal interests of the personal data subjects are not breached.
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2014 White & Case LLP