Special requirements for processing publicly available personal data
Russia’s Personal Data Law was amended with new requirements for the processing of publicly available personal data. The amendments came into force on 1 March 2021, except for one provision related to a new information system maintained by the Russian data protection authority (discussed below). According to Russian data protection authority there is no need to re-execute consents for personal data dissemination obtained in compliance with law before 1 March 2021.
The new requirements are intended to protect published personal data against uncontrolled distribution by creating a default presumption that publicly available personal data cannot be further disseminated by third-party readers. They also give data subjects the possibility to indicate which of their personal data may become publicly available and how the published data may be processed by third-party “readers.”
Under the previous version of the Russian Personal Data Law, data operators (i.e., data controllers) could process personal data without a data subject's consent if the data was made available to an unlimited number of persons (i.e., published) by the respective data subject or upon the data subject’s instruction. Effectively, this meant that published personal data, including personal data on the internet, could be collected and disseminated further by any business.
The amendments have changed this approach significantly. First, they introduced a new category of personal data – "personal data made publicly available" – defined as personal data to which an unlimited number of persons may have access based on a data subject's specific consent for dissemination of the data ("dissemination consent"). Second, the amendments establish special rules for processing of personal data made publicly available, in particular:
(a) A data operator cannot disseminate publicly available personal data without consent. In order to be effective, the dissemination consent must be obtained separately from other types of consents and contain a clear statement that dissemination is allowed by data subject. Under no circumstances may a data subject's silence or inaction be considered as dissemination consent.
(b) Data subjects may provide dissemination consent directly to the data operator or via an information system maintained by the Russian data protection authority (such system should start operating in July 2021).
(c) Data subjects may, at their discretion, establish certain restrictions or conditions for processing of their personal data made publicly available, and data operators must comply with such restrictions and conditions. The dissemination consent shall clearly show whether data subjects have or have not established such restrictions and conditions; otherwise, such personal data should be processed with no right of dissemination.
(d) A data operator is obliged to publish information on applicable processing conditions and restrictions at any platform open to “readers” (online or offline) within 3 days after receiving dissemination consent.
(e) If a data subject publishes his or her personal data without dissemination consent, the obligation to prove the lawfulness of any subsequent dissemination or other processing of such personal data will lie with each person who disseminated or processed these data.
(f) The personal data dissemination by the data operator (e.g. distribution, provision, or access) may be stopped at any time at the data subject's request. The data subject's dissemination consent terminates as soon as the data operator receives the request.
(g) In case of a data operator's non-compliance, the data subject may send a request to the data operator or file a claim in court. The data operator must stop its dissemination of any such personal data within 3 working days from the request's receipt or the court ruling's entrance in force, or within the period specified in a court ruling.
The Russian data protection authority had developed requirements about the standard dissemination consent form which must be strictly followed by data operators. These requirements enter into force on 1 September 2021 and require that the dissemination consent include the following details:
(i) full name and contact details of the data subject;
(ii) full name and address, registration number, TIN of the data operator;
(iii) details of the web-site where personal data of the data subject will be disseminated or processed in another way;
(iv) purpose(s) of data processing;
(v) categories (general, biometric, sensitive) and list of personal data processed;
(vi) categories and list of personal data with respect to which the data subject sets restrictions and conditions of processing with a list of such restrictions (data subjects are expected to fill in these details at their discretion; the data operator cannot offer multiple choices of such restrictions);
(vii) conditions of personal data transfer via the data operator’s internal corporate network, internet, or other prohibition on the of transfer personal data (to be filled in at the discretion of the data subject); and
term of consent.
The most direct impact of this law will be on businesses that rely on the collection and processing of publicly available personal data, who will be prevented from disseminating data collected from publicly available sources without a dissemination consent. But in addition, the new requirements affected all social networks, web portals, and marketplaces operating in Russia, as well as all companies maintaining public profiles of their Russian employees, as any publication of data in a context not specifically consented to by the data subject may be deemed unlawful. In general, all businesses should revisit their processing activities with respect to published personal data.
Increased Fines
On 24 February 2021, the Russian Code of Administrative Offences was amended with increased fines for noncompliance with Russian data protection laws. These amendments came into force on 27 March 2021.
Most of the administrative fines were doubled. Also, the amendments introduced multiplied fines for certain repeated violations. Here is the list of new fines:
(a) processing personal data in ways not permitted by Russia’s Personal Data Law or processing personal data that is incompatible with the purposes of collecting personal data may entail a fine up to RUB 100,000 (approx. EUR 1,120) for legal entities and up to RUB 20,000 (approx. EUR 220) for officials;
(b) repeated violation under point (a) above may entail a warning or a fine up to RUB 300,000 (approx. EUR 3,400) for legal entities and up to RUB 50,000 (approx. EUR 560) for officials;
(c) processing personal data without the data subject’s written consent when it is necessary under the law, or processing personal data without including required information into a written consent may entail a fine up to RUB 150,000 (approx. EUR 1,680) for legal entities and up to RUB 40,000 (approx. EUR 450) for officials;
(d) repeated violation under point (c) above may entail a fine up to RUB 500,000 (approx. EUR 5,590) for legal entities and up to RUB 100,000 (approx. EUR 1,120) for officials;
(e) failure to publish a privacy policy or otherwise ensure unlimited access to such privacy policy or required information on a data operator’s data security measures may entail a fine up to RUB 60,000 (approx. EUR 1,010) for legal entities and up to RUB 12,000 (approx. EUR 130) for officials;
(f) failure to provide data subjects with information about of their personal data processing may entail a fine up to RUB 80,000 (approx. EUR 670) for legal entities and up to RUB 12,000 (approx. EUR 130) for officials;
(g) failure to timely satisfy a data subject’s request to detail, block, or delete personal data when personal data is incomplete, out of date, incorrect, illegally received, or not needed for the stated purpose of processing may entail a fine up to RUB 90,000 (approx. EUR 1,010) for legal entities and up to RUB 20,000 (approx. EUR 220) for officials;
(h) repeated violation under point (g) above may entail a fine up to RUB 500,000 (approx. EUR 5,590) for legal entities and up to RUB 50,000 (approx. EUR 560) for officials;
(i) failure to comply with the requirement to keep personal data secure and to prevent unauthorized access to such personal data while storing physical copies (i.e. when no automated means of processing are used), if this has led to illegal or accidental unauthorized access to or destruction, modification, blocking, copying, provision, or distribution of personal data or other illegal actions, unless such offence constitutes a crime, may entail a fine up to RUB 100,000 (approx. EUR 1,120) for legal entities and up to RUB 20,000 (approx. EUR 220) for officials.
The administrative fines for noncompliance with the data localization requirement remain the same (link).
Other developments
In separate developments, on 16 February 2021 a bill softening requirements for a written data subject's consent was adopted by the State Duma (the Lower House of the Russian Parliament) in the first reading. Under current law, data operators must obtain a written consent in certain circumstances, in particular for processing of sensitive data, transfers of employees' data to third parties, and cross-border transfers of personal data to the United States and other countries which do not provide for an adequate protection of personal data subjects’ rights under Russian law. Current law technically requires such consents to be presented and obtained separately in strict compliance with law requirements with respect to their content and how they must be signed.
The bill changes this, envisaging the possibility to obtain a single written consent where separate consents may otherwise be required for multiple data uses or disclosures, what contradicts the current enforcement practice.
To become binding, the bill must pass two readings in the State Duma, be adopted by the Federation Council (the Higher House of the Russian Parliament), and signed into law by the Russian President.
Natalia Spitsyna, an Intern in our Moscow office contributed to this entry.
