Recent Amendments to Russian Data Protection Law Further Clarify International Data Transfer Rules


[author: Jeremy Mittman]
On July 25, Russian President Dmitry Medvedev signed into law an amendment to the Russian data protection law, "On Personal Data".  The new amendments are effective as of July 1, 2011.  Of special significance, the amendments provide further clarification regarding the transfer of personal data to individuals or entities located outside of Russia.  Prior to the recent amendments, before transferring personal data from Russia to, for example, the United States, in the absence of obtaining prior written consent, a company needed to determine whether the United States (or another country, as the case may be) possessed data protection laws that provided an "adequate" level of protection.  However, the old Russian law provided little clarification as to which countries qualified under that standard, or how a company should go about deciding which countries qualified.

The new amendments provide some additional guidance on how a company might make such a determination.  First, the amendments specify that any country that has ratified the 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (also known as "Convention 108”) provides an adequate level of protection. According to the Council (now an advisory body), Convention 108, which has been ratified by 43 countries, "remains the only binding international legal instrument in the field, with a potential worldwide scope of application."  Second, the recently enacted amendments specify that the Russian data protection agency ("Roscomnadzor") also has the ability to designate countries whom it believes possess adequate data protection laws.  Third, the amendments specify that personal data may be transferred if required under Russian law or because Russia is a signatory to an applicable treaty.  Finally, it is clear that an international transfer may also take place if the data subject consents to the transfer.

The amendments also provide that not only may the Russian Data Protection Agency issue data protection regulations, but other Russian agencies (including local ones) may do so as well.

While the law provides some additional clarification on cross-border data transfers, it remains to be seen whether the Roscomnadzor will actively enforce the new amendments, and if it will specify what additional countries, if any, possess "adequate" data protection laws other than the signatories to Convention 108. 


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer - Privacy & Data Security | Attorney Advertising

Written by:


Proskauer - Privacy & Data Security on:

Popular Topics
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.