personal data processing

Processing of personal data in Russia in 2017: actual rules.

20.11.2016

(a) General rules.

In view of recent changes in the profile legislation in Russia, as well as it’s practice of implementation, the main law which should be considered is a Federal law of Russia «On personal data» from 27^th of July, 2006 # 152-FZ which regulates the relationship in connection with processing of personal data. Article 3 of the mentioned law (hereinafter referred to as the «Law # 152-FZ») states for the basic definitions being used there in:

— “personal data” — any information relating to directly or indirectly defined or able to be defined natural person (personal data subject);

— “operator” – governmental authority, municipal authority, legal entity or natural person, solely or jointly with others organizing and (or) performing the processing of personal data, and also defining the purposes of personal data processing, scope of personal data to be processed, actions (operations) being performed with personal data;

— “processing of personal data” – any action (operation) or combination of actions (operations), being performed with the use of automation means or without the use of such means, with the personal data, including collection, recording, systemizing, storage, retention, refinement (update, change), extraction, usage, transfer (distribution, provision, access), anonymization, blocking, deleting, destruction the personal data;

— “trans-border transfer of personal data” – transfer of personal data to the territory of foreign state to governmental authority of foreign state, to foreign natural person or to foreign legal entity.

Section 1 of part 1 of article 6 of the Law # 152-FZ states that processing of personal data is allowed if it is performed with the consent of personal data subject for his personal data processing.

Part 5 of the article 18 of the Law # 152-FZ states that while collecting the personal data, including collection by the mean of information-telecommunication network “Internet”, the operator is obliged to secure the recording, systemizing, storage, retention, refinement (update, change), extraction of personal data of Russian citizens with the use of data bases situated on the territory of Russian Federation, excluding the cases stated in p. 2, 3, 4, 8 of part 6 of the mentioned Federal law. This provision is in force since 1^st of September, 2015.

Article 12 of the Law # 152-FZ states for the rules of trans-border transfer of personal data. Such transfer is allowed to the territory of the country being the member of Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Council of Europe, 28^th of January, 1981), or other country which secures for the “adequate protection of personal data subjects’ rights” (authorized government authority has issued a list of such countries). In case of data transfer to the territory of the state which doesn’t secure for the “adequate protection”, such transfer may be performed in case of written consent of a personal data subject to such transfer, and in case of performance of a contract where personal data subject is a party to it.

Part 2 of the article 22 of the Law # 152-FZ states that the operator before the processing of personal data is obliged to notify the authorized government authority on protection of personal data subjects’ rights about the intention on performance of personal data processing, excluding the cases stated in part 2 of the mentioned article. Part 2 of this article states that the operator is entitled to data processing without the notification of the authorized governmental authority in case if personal data is received by the operator in connection with conclusion of a contract where personal data subject is a party to it, provided that the personal data shall not be distributed and shall not be provided to third parties without a consent of personal data subject and shall be used by the operator exclusively for the performance of the contract and it’s conclusion with personal data subject.

The authorized authority on protection of personal data subjects’ rights is the Federal service on supervision in the sphere of connection, information technologies and mass communications – “Roscomnadzor”.

(b) Implementation

Federal law of Russia “On information, information technologies and information protection” from 27^th of July, 2006 # 149-FZ regulates the relationship arising out of execution of right for the search, gaining, transfer, production and distribution of information, application of information technologies and securing of protection of information.

Article 15.1 of the mentioned federal law (herein after referred to as the “Law # 149-FZ”) states that in order to limit the access to the Internet websites containing information which is forbidden to be distributed in Russia, it is created the unified automation information system – the joint register of domain names, Internet page indexes and network addresses allowing to identify the Internet websites and containing information which is forbidden to be distributed in Russia (the “register”).

The procedure of access limitation to the websites containing information which is forbidden to be distributed in Russia is regulated by the provisions of art. 15.1 of the Law # 149-FZ and other applicable provisions.

Part 1 of the article 15.5 of the Law # 149-FZ states that in order to limit the access to the information in Internet network which is being processed in contravention of Russian legislation in the sphere of personal data, it is created the automation information system – the register of violators of personal data subjects’ rights (the “register of violators”). The legitimate ground for inclusion of relevant information into the register of violators is an effective act of court.

According to the provisions of part 7 of article 15.5 of the Law # 149-FZ, within 3 working days since the receipt of an effective act of court Roscomnadzor shall undertake the measures stated in this article (such as contacting hosting provider) in order to limit the access to the website included in the register of violators.

The procedure of access limitation to the websites included into above register of violators is regulated by the provisions of art. 15.5 of the Law # 149-FZ and other applicable provisions.

(c) Court case

Civil court case # 2-3491/2016 was initiated by Roscomnadzor in it’s statement of claim against LinkedIn Corporation in order to declare the activity of it’s websites violating the requirements of the Law # 152-FZ and the privacy right of Russian citizens.

On the 4^th of August, 2016 Moscow district court had granted a judgement in favor of Roscomnadzor based on the fact that the personal data of third parties (non-registered users) had been processed without their consent and on the fact of the absence of notification on localization of the servers in Russia.

On the 10^th of November, 2016 Moscow City court has rejected an appeal of LinkedIn for the above judgement of Moscow district court, so this judgement got the effect within the meaning of article 15.5 of the Law # 149-FZ. The Court’s judgement includes references to the articles of Russian Laws mentioned in p. 1-2 above (General rules and Implementation). The details are as follows:

— the website (LinkedIn) collects, uses and transfers the personal data of Russian citizens being the registered users and non-registered users (violation of p. 5 art. 18 of Law # 152-FZ for localization of databases in Russia and of p. 1 art. 6 of the same law for the consent of non-registered users);

— the Confidentiality Policy of the website confirms the processing of such personal data in contravention with Russian law;

— according to art. 15.1 and 15.5 of the Law # 149-FZ the activity of the website shall be declared as being in contravention of Russian law.

In such a way current Russian legislation contains the means aimed at the control for the operation of personal data in Russia, and the tendencies of it’s future implementation are focused on it’s further increase.