Recent Amendments to Russian Data Protection Law Further Clarify International Data Transfer Rules

[author: Jeremy Mittman]
On July 25, Russian President Dmitry Medvedev signed into law an amendment to the Russian data protection law, "On Personal Data".  The new amendments are effective as of July 1, 2011.  Of special significance, the amendments provide further clarification regarding the transfer of personal data to individuals or entities located outside of Russia.  Prior to the recent amendments, before transferring personal data from Russia to, for example, the United States, in the absence of obtaining prior written consent, a company needed to determine whether the United States (or another country, as the case may be) possessed data protection laws that provided an "adequate" level of protection.  However, the old Russian law provided little clarification as to which countries qualified under that standard, or how a company should go about deciding which countries qualified.

The new amendments provide some additional guidance on how a company might make such a determination.  First, the amendments specify that any country that has ratified the 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (also known as "Convention 108”) provides an adequate level of protection. According to the Council (now an advisory body), Convention 108, which has been ratified by 43 countries, "remains the only binding international legal instrument in the field, with a potential worldwide scope of application."  Second, the recently enacted amendments specify that the Russian data protection agency ("Roscomnadzor") also has the ability to designate countries whom it believes possess adequate data protection laws.  Third, the amendments specify that personal data may be transferred if required under Russian law or because Russia is a signatory to an applicable treaty.  Finally, it is clear that an international transfer may also take place if the data subject consents to the transfer.

The amendments also provide that not only may the Russian Data Protection Agency issue data protection regulations, but other Russian agencies (including local ones) may do so as well.

While the law provides some additional clarification on cross-border data transfers, it remains to be seen whether the Roscomnadzor will actively enforce the new amendments, and if it will specify what additional countries, if any, possess "adequate" data protection laws other than the signatories to Convention 108. 

 

Published In: Administrative Agency Updates, General Business Updates, International Trade Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer - Privacy & Data Security | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »