Recent Amendments to Russian Data Protection Law Further Clarify International Data Transfer Rules

[author: Jeremy Mittman]
On July 25, Russian President Dmitry Medvedev signed into law an amendment to the Russian data protection law, "On Personal Data".  The new amendments are effective as of July 1, 2011.  Of special significance, the amendments provide further clarification regarding the transfer of personal data to individuals or entities located outside of Russia.  Prior to the recent amendments, before transferring personal data from Russia to, for example, the United States, in the absence of obtaining prior written consent, a company needed to determine whether the United States (or another country, as the case may be) possessed data protection laws that provided an "adequate" level of protection.  However, the old Russian law provided little clarification as to which countries qualified under that standard, or how a company should go about deciding which countries qualified.

The new amendments provide some additional guidance on how a company might make such a determination.  First, the amendments specify that any country that has ratified the 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (also known as "Convention 108”) provides an adequate level of protection. According to the Council (now an advisory body), Convention 108, which has been ratified by 43 countries, "remains the only binding international legal instrument in the field, with a potential worldwide scope of application."  Second, the recently enacted amendments specify that the Russian data protection agency ("Roscomnadzor") also has the ability to designate countries whom it believes possess adequate data protection laws.  Third, the amendments specify that personal data may be transferred if required under Russian law or because Russia is a signatory to an applicable treaty.  Finally, it is clear that an international transfer may also take place if the data subject consents to the transfer.

The amendments also provide that not only may the Russian Data Protection Agency issue data protection regulations, but other Russian agencies (including local ones) may do so as well.

While the law provides some additional clarification on cross-border data transfers, it remains to be seen whether the Roscomnadzor will actively enforce the new amendments, and if it will specify what additional countries, if any, possess "adequate" data protection laws other than the signatories to Convention 108.