Recently, the Russian Data Privacy Authority (Roskomnadzor) organized an Open Doors Day in honor of the International Data Privacy Day. During the occasion, Roskomnadzor officers presented on the authority’s 2017 enforcement activities. They followed this presentation with an open question and answer period, during which they responded to numerous questions raised by attendees. We summarize the key takeaways below.
2017 Roskomnadzor Enforcement Highlights
Data operators continue to register with the Roskomnadzor, with approximately 33,000 new data operators registering with the Roskomnadzor in 2017, bringing the total to just over 400,000 data operators registered with the authority.
Of the industries represented by the data operators, the majority of data subject complaints emanated from or related to consumers’ relationships with banks, housing services providers, and debt collection agencies. This will come as little surprise to those operating in the data protection industry, where the personal data processed in connection with these activities is generally subject to additional protections. Also of note is the volume of complaints that related to general website operators, including social media providers. The Roskomnadzor looked into the data subjects’ complaints and found violations of applicable data protection laws in 5.4% of cases.
In general, in 2017, the Roskomnadzor placed a greater emphasis on the systematic monitoring of entities and decreased the total number of planned inspections that it carried out. Specifically, the Roskomnadzor’s total number of planned inspections decreased by approximately 20% year-over-year; the amount of systematic monitoring increased by approximately 37%.
The Roskomnadzor also continued to review websites’ abilities to respect data subjects’ rights. As in 2016, the Roskomnadzor added websites to a register of websites that violate data subjects rights and also exercised its ability to block websites. In 2017, 453 websites were added to the register, with 176 websites blocked (in 2016, 219 were added to the register with 84 blocked). The Roskomnadzor’s 2017 activities in this regard demonstrate a marked increase in such activities.
The Roskomnadzor also utilized new enforcement mechanisms available to it under the administrative liability provision that came into force on July 1, 2017. From July 1, 2017 until 2018, the Roskomnadzor issued 65 administrative protocols, with approximately half such protocols relating to scenarios where personal data was processed without a lawful ground to do so. Other reasons for the administrative protocols included failure to publish a privacy policy (11 cases), failure to provide lawful consent (7 cases), and failure to delete personal data upon request of the Roskomnadzor (7 cases).
Guidance from the Roskomnadzor
As noted above, following the overview of its 2017 enforcement activities, the Roskomnadzor officers took questions from attendees of the Open Door session. Among the items discussed were the scope of personal data and the consent mechanism.
Consent. The Roskomnadzor clarified that data operators should obtain separate written consent for each purpose of processing. Further, the Roskomnadzor stated that data operators should not indicate an indefinite processing period in their consent forms.
Personal Data. The Roskomnadzor made clear that meta data, including information such as Internet Protocol addresses, should be considered personal data. Further, the Roskomnadzor clarified that, although data subjects may make their personal data available to the public via social media, the personal data of social media users should not be considered publicly available data and use of the personal data of social media users is only permitted if processed on the basis of a lawful ground.
Finally, the Roskomnadzor noted that a draft resolution was in development, which would address the risk-oriented approach to be used in connection with future Roskomnadzor inspections. More information on the resolution is expected to be forthcoming.
