[author: Olga Novinskaya]

Personal data (PD) protection is becoming the main topic of the recent days, so the Russian legislation in this sphere changes rapidly. The article represents an overview of updates on personal data regulation for the 3rd quarter of 2020.

ATTEMPTS TO COUNTER THE CONSUMERS’ PERSONAL DATA COLLECTION

Russian Agency for Health and Consumer Rights has developed amendments to the Law of 07.02.1992 No. 2300-1 “On Protection of Consumer Rights”, hindering unfair behavior of business entities, which collect customers’ PD for purposes not related to the conclusion and execution of contracts.

The bill prohibits rejection to conclude, amend, terminate or execute an agreement with a customer, if he (she) refuse to provide personal data for seller. Exception from this rule applies in cases where the provision of personal data is prescribed by law or necessary for settlement of a transaction.

Besides that, the project grants to consumers a right to demand explanation if the seller rejects to complete the transaction due to his (her) refusal of granting personal data.

Adoption of the law may affect PD usage practices of business entities that interact with Russian customers. In particular, the seller needs to identify accurately the data necessary for the contract and be ready to give motivated explanations to customers.

Please be informed that mentioned earlier new version of the Code of Administrative Offences complements this draft law with fines for business entities that redundantly process personal data. You can find our review here.

Draft Law “On Amendments to Article 16 of the Law of the Russian Federation ‘On Protection of Consumer Rights’” (prepared by Russian Agency for Health and Consumer Rights, project ID 02/04/09-20/00108592)

THE NUMBER OF PERSONAL DATA PROCESSING CONSENTS MIGHT BE REDUCED

The State Duma is considering in the first reading a bill, which introduces the possibility of obtaining personal data processing consent for several purposes at once or by several persons processing data on behalf of the operator.

The authors of the bill are convinced that the proposed changes will reduce the number of written consents provided by individuals and may optimize digital interaction in various areas.

The following information should be indicated for each purpose of data processing:

• The list of personal data;
• The person who will process personal data on behalf of the operator;
• Description of the methods of processing;
• The period of validity of the consent;
• The way of withdrawal of the consent.

The bill also attempts to resolve the issue of personal data anonymization. It is proposed to entrust Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (Roskomnadzor) with determining the requirements for anonymization and its methods.

There is the Order of Roskomnadzor dated 05.09.2013 No. 996 concerning personal data anonymization, which applies to operators who are state or municipal bodies. It should be noted that according to the comments of Roskomnadzor’s officials private entities are not entitled to anonymize personal data. The practical implication is that the operator is obliged to destroy personal data in cases when the purpose of processing is achieved.

Bill No. 992331-7 “On Amendments to the Federal Law ‘On Personal Data’”

PENALTIES FOR DISCLOSURE OF SENSITIVE INFORMATION MIGHT BE INCREASED BY 10 TIMES

The draft law creating greater penalty for disclosure of restricted-access information is at the first reading stage in Russian State Duma. Restricted information includes personal data.

The current edition of article 13.14 of the Russian Code of Administrative Offenses provides for fines up to 1,000 RUB (approx. 13 USD) for individuals and up to 5,000 RUB (approx. 65 USD) for officials, if they got access to restricted information due to performance of official or professional duties. As been noted by law drafters, such fines are insignificant and do not achieve the goal of preventing data security offenses.

In this respect, the offered provisions have significantly increased the amount of fines:

• Up to 10,000 RUB (approx. 129 USD) for individuals,
• Up to 50,000 RUB (approx. 646 USD) for officials.

It should be noted that work on new version of the Code of Administrative Offences is still in progress. The draft establishes new types of data security offenses, including breach of PD confidentiality, infringement of the PD anonymization rules, etc. We already wrote about this draft earlier.

Bill No. 1023005-7 “On Amendments to the Code of the Russian Federation on Administrative Offenses”

SUPREME COURT CLARIFIED JURISDICTION RULES WITH REGARD TO PD PROTECTION CLAIMS

14 July, 2020 the Supreme Court of the Russian Federation adjudicated on a case initiated by Roskomnadzor in the interest of a Russian citizen. The company Whois Privacy Corp. (Bahama Islands) posted on its website personal data of the Russian citizen without his consent.

Court of the first instance and court of appeal concluded that stated claims are related to the regulation of the Internet resource as a mass media and should be considered under administrative procedure.

Supreme Court did not agree with such decision and stated that claims for the personal data protection should be resolved through civil proceedings due to reference in Russian Civil Procedure Code. Besides that, the Federal Law of 27.07.2006 № 152-FZ “On Personal Data” (Personal Data Law) allows Roskomnadzor to bring claims and represent individuals’ interests in court.

In spite of the fact that Personal Data Law does not provide any clear provisions regarding its territorial scope, the Supreme Court’s interpretation demonstrates extraterritorial principle regarding the scope of Personal Data Law. Foreign companies should take into account jurisdiction issues while processing of personal data of Russian citizens.

Ruling of the Judicial Collegium for Civil Cases of the Supreme Court of the Russian Federation dated July 14, 2020 No. 58-KG20-2