Contributed By Borenius
The Constitution of Russia, dated 12 December 1993, contains basic rules on data protection and cyber-security. Under the Constitution, everyone has a right to personal privacy and privacy of correspondence. The Constitution prohibits the collection, storage, use, and distribution of information about the private life of a person without his or her consent. The Constitution asserts the right of everyone to search, obtain, transfer, generate, and distribute information freely, by any legal means. The provisions of the Constitution are explained by the Constitutional Court of Russia in its detailed judgments.
Federal Law No 149-FZ “On Information, Information Technology, and the Protection of Information”, dated 27 July 2006, regulates the exercise of the right to search, obtain, transfer, generate, and distribute information, the use of information technology, and the protection of information. The principles of this law include a limitation of access to information by federal laws only, providing security for Russia in the creation, use and protection of information systems, and others.
Federal Law No 152-FZ “On Personal Data”, dated 27 July 2006, is the key document regulating the processing of personal data, data transfers, data localisation, automated decision-making, online and electronic marketing, and data breach incident response. Its basic principles include the processing of personal data on a legal and fair basis, the compliance of the processing of personal data with the purposes of its collection, and the accuracy of the processed personal data.
Federal Law No 187-FZ “On the Security of the Critical Information Infrastructure of the Russian Federation”, dated 26 July 2017, stipulates basic rules with regard to the provision of security for Russia’s critical information infrastructure so that it functions stably under computer attacks. The ensuring of security for critical information infrastructure is based on the following principles: the rule of law, the continuous and systematic provision of security for critical information infrastructure, and priority for the prevention of computer attacks.
Many important details of federal laws are specified by numerous regulations and non-binding explanations of various executive authorities. For example, requirements for the protection of personal data processed with the use of information systems are specified by the Russian Government in its Ruling No 1119, dated 1 November 2012.
Big Data analytics, artificial intelligence, profiling, the Internet of Things, and some other emerging technology issues are, for now, not specifically regulated. However, different possibilities for their regulation are currently under discussion.
The key regulators in the sphere of data protection and cyber-security are the Ministry of Digital Development, Communications and Mass Media (Minsvyaz), the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor), the Federal Security Service (FSB), the Federal Service for Technical and Export Control (FSTEC), and the Bank of Russia.
Minsvyaz elaborates and implements the state policy of regulation in the area of information technology, mass communications (including the development of the internet and new technologies in this field), and the processing of personal data. Minsvyaz does not itself conduct audits in this area.
Roskomnadzor controls and supervises activities in the area of mass communications, information technology, and the processing of personal data. It conducts scheduled and unscheduled audits, and also monitors websites. If Roskomnadzor detects an offence, its officials issue a report on an administrative violation (ie, initiate administrative proceedings).
The FSB is responsible for information security for Russia. It elaborates and implements state and scientific and technical policy in the area of ensuring information security, arranges cryptographic and technical security for information and telecommunications systems, and ensures the functioning of the state system for the detection and prevention of computer attacks on Russia’s information resources and the elimination of their consequences. The FSB conducts audits of the use of cryptographic tools for the protection of personal data. If the FSB uncovers a violation, it initiates administrative proceedings by issuing a report on an administrative violation.
The FSTEC exercises special and control functions in the area of ensuring the protection (by non-cryptographic means) of restricted information within Russia: the prevention of its leakage via communication channels, of unauthorised access to it, and of special impacts on it or on its media aimed at obtaining, destroying or distorting it, or at blocking access to it. The FSTEC is also responsible for ensuring the security of critical information infrastructure, and performs audits in the area of ensuring the security of significant objects of critical information infrastructure.
The Bank of Russia is responsible for the development and reinforcement of Russia’s banking system, and ensures the stability and development of the national payment system. It enacts non-binding information security standards and recommendations. In practice, many banks find it necessary to comply with these documents.
The basic characteristics of the administrative process can be demonstrated using the example of Roskomnadzor. In most cases, Roskomnadzor initiates administrative proceedings by issuing a report on an administrative violation, and sends the materials to a court that has authority to decide whether a person is liable for the offence. Administrative proceedings must comply with the principles of equality before the law, the presumption of innocence, the rule of law, and open consideration of the case. The court’s decision can be appealed in a higher court.
The Russian national personal data legal system has close ties with its European counterpart, and Russia is a party to the Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data, dated 28 January 1981. Russia ratified the Convention in 2005, with several exceptions (the Convention does not apply to the processing of personal data by natural persons in the course of purely personal or household activity and to the processing of classified information; the Convention applies to the processing of personal data other than by automated means if such processing corresponds to the processing of personal data by automated means; Russia may restrict the right of access by a data subject to his or her personal data if this is required to protect the state or public policy). In October 2018, Russia signed the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the Protocol provides for an obligation to declare data breaches, a requirement that the “privacy by design” principle is applied, greater transparency of data processing, and other important rules). The Federal Law “On Personal Data”, dated 27 July 2006, is based on the principles of the Convention and of Directive 95/46/EC of the European Parliament and of the Council, dated 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Russia is also a party to the European Convention on Human Rights, dated 4 November 1950, which has been in effect for Russia since 1 September 1998. Therefore, Russia recognises the jurisdiction of the European Court of Human Rights (however, under the Ruling of the Constitutional Court of Russia No 21-P, dated 14 July 2015, a judgment of the European Court of Human Rights will not be enforced in Russia if the Constitutional Court of Russia decides that the judgment in question is based on an interpretation of the European Convention on Human Rights that contradicts the Constitution of Russia). Hence, the case law of the Court has considerable significance for the regulation of data protection and cyber-security issues in Russia.
There is no relevant regulation on data protection or cyber-security at the subnational level.
In Russia, data protection non-governmental organisations and industry self-regulatory organisations do not play a significant role in the data protection and cyber-security landscape. The law does not provide for special mechanisms of self-regulation in this area (codes of conduct, certification mechanisms, etc). However, Roskomnadzor is trying to develop the self-regulation of personal data protection. It has prepared a declarative code of good practice, which is open for signature by all interested parties. Roskomnadzor’s advisory council has framed guidelines for the development of industry codes of good practice.
Russian personal data law stems from European Union data protection regulation and bears many similarities to it (eg, definitions of key terms, principles of data processing, regulation of certain specific issues, etc). However, Russian personal data law is less adapted to modern technology and may be characterised as a developing system. It contains a number of tough and ambiguous requirements that can be enforced selectively. Roskomnadzor is quite active in law enforcement, but its capabilities are to a certain extent limited by the moderate penalties for violations, and by issues of transnational jurisdiction.
In the last 12 months, Russia has introduced a unified identification and authentication system and a unified biometric system, which allow authorities and banks to deliver state (municipal) and financial services to natural persons remotely. Further, Russia has defined the obligations of commodity aggregators, made the blocking of websites quicker, adopted rules for the identification of users of instant messaging services, and enacted several subordinate acts in furtherance of Federal Law No 187-FZ “On the Security of the Critical Information Infrastructure of the Russian Federation”.
In addition, the Government of Russia has adopted rules detailing the obligation for providers of communications services to store their clients’ messages (under the so-called Yarovaya Law).
In 2019, Russia plans to replace analogue television broadcasting with digital broadcasting.
There is currently one major court dispute on the table: in V Kontakte v Double Data, the largest Russian social network is trying to prohibit a big data financial startup from using information about the network’s users published online.
Another big court dispute, Telegram v FSB, in which Pavel Durov’s instant messaging app contested an order of the Federal Security Service to provide the encryption keys required to decrypt the messages of Telegram users, finished in February 2019. The Supreme Court of Russia dismissed Telegram’s complaint, and thus the order of the Federal Security Service has remained in force. In October 2018, an administrative fine of approximately EUR10,800 was imposed on Telegram for non-provision of the encryption keys.
Several legislative initiatives are currently being actively discussed. There are proposals to rework Russia’s data protection and information technology legislation through the codification of obsolete and fragmented laws via the enactment of an Information and Communications Code. A government commission has prepared draft amendments to the Code of Administrative Offences, specifying fines for launching and piloting unregistered drones. A draft law on ICOs (initial coin offerings) and cryptocurrencies that aims to bring their use in the economy under control was passed in its first reading in May 2018. Different mechanisms for the regulation of big data technologies are being actively discussed in Russian society. A draft law on big data has been developed and submitted to the State Duma. It includes a definition of big data and proposes the creation of a state register of big data operators. However, this draft law was rejected for financial reasons and may be reconsidered once it has been amended. It is also proposed to establish administrative liability for the dissemination of fake news and of materials expressing disrespect for the state, the authorities, the Constitution of Russia, etc. In addition, a bill on the “sovereignisation” of the Russian segment of the internet (government control over internet exchange points, management of the domain extensions .ru and the Cyrillic .рф, traffic routing, etc) has been passed in its first reading.
Currently under active discussion is an initiative of Minsvyaz to oblige communications providers to use only Russian-originated technical means for storing the text messages of subscribers, voice data, images, audio and video information, and other messages of subscribers, as well as information about the receipt, transfer, delivery, and processing of these messages. The relevant provisions may enter into force in 2019.
In 2019 it is also planned to start testing the personal digital profile system. A personal digital profile is supposed to contain information about a citizen’s passport, Taxpayer ID Number and other documents, as well as digital consents to the processing of personal data.
Following the LinkedIn case (LinkedIn was blocked in Russia in 2016), Roskomnadzor has recently commenced administrative proceedings against Twitter regarding its non-compliance with data localisation requirements.
Requirement for appointment of Privacy or Data Protection Officers
A Data Protection Officer (a person responsible for organising data processing) must be appointed by a data operator, which is a legal entity. In practice, data operators most commonly appoint one of their staff as a Data Protection Officer, but formally it is permissible to appoint an external person. The practice of appointing external Data Protection Officers has not yet been tested by court practice in Russia.
Application of the “privacy by design” or “by default” concepts
The concepts of “privacy by design” and “privacy by default” are not articulated by Russian data protection law. However, to a certain extent, these concepts correlate with some principles of Russian data protection law: the personal data that is processed must not be excessive in relation to the declared purposes of data processing, and must comply with the purposes of data processing. Furthermore, data operators must take extensive legal, organisational and technical data protection measures specified by regulations.
Need to conduct privacy impact analyses
Data operators must assess damage that may be caused to data subjects in the event of a violation of data protection legislation. This assessment is used to determine types of actual threats to personal data information systems. In turn, the types of actual threats to personal data have an impact on the specific data protection measures that should be taken by a data operator.
Need to adopt internal or external privacy policies
Data operators must publish their policies on data processing and data protection. Roskomnadzor has issued recommendations on the content of such policies, to standardise their structure and form.
Requirement to allow a data subject access to data, and the right to correct or expunge
Data subjects have the right to receive information about the processing of their personal data and to access this data. They may also demand the correction, restriction or destruction of this data.
Use of data pursuant to anonymisation, de-identification or pseudonymisation
“Personal data” means any information relating directly or indirectly to an identified or identifiable natural person. Anonymous information will not be considered to be personal data since such information does not relate to an identified or identifiable person, but information which has undergone pseudonymisation (which could be attributed to a natural person by the use of additional information) constitutes personal data since such information relates to an identifiable person. Thus, Russian personal data legislation does not apply to the use of anonymous information but does apply to information that has undergone pseudonymisation.
How is the concept of “injury” or “harm” relevant to national privacy and data protection law?
A violation of Russian privacy and data protection law may entail an obligation to compensate moral harm and pecuniary damages.
“Sensitive personal data (special categories of personal data)” means personal data concerning race, nationality, political views, religious or philosophical beliefs, health condition, sexual life, or criminal convictions. The processing of special categories of personal data is prohibited, unless there are special legal grounds for the processing of this data (the relevant data subject has given written consent or has made such personal data publicly available himself or herself, etc). Personal data concerning criminal convictions may be processed only when doing so is expressly allowed by federal laws.
Credit institutions guarantee the secrecy of the accounts, deposits and transactions of their clients. However, this information may be disclosed to courts, tax authorities, investigative authorities and other persons as provided by applicable law.
Operators of payment systems, operating centres and payment clearing centres are not allowed to disclose information to third parties about transactions and accounts belonging to participants of payment systems unless the law provides otherwise.
Tax secrets cannot be disclosed by tax, internal affairs, investigative, customs or other authorities, unless the law provides otherwise.
Information concerning the fact that an individual resorted to medical help, or the health condition and diagnosis of an individual, as well as other information received via a medical examination and via medical treatment are protected by medical secrecy.
It is prohibited to disclose information covered by medical secrecy, with the exception of cases specified by law (with a patient’s written consent to his or her examination or treatment, in the face of the spread of an infectious disease, etc).
Health data may be regarded as personal data and, in appropriate cases, must be processed in compliance with personal data legislation.
Voice telephony: communications providers must maintain the confidentiality of information about subscribers and communications services provided to them. Communications providers are obliged to store within Russia text messages of subscribers, voice data, images, audio and video information, and other messages of subscribers as well as information about the receipt, transfer, delivery and processing of these messages. The provision on data storage came into force on 1 July 2018, but rules for storage were pending until October 2018. In practical terms, fulfilling this obligation requires significant financial and technical input; therefore, communications providers are still preparing infrastructure to ensure compliance. Communications providers must disclose information about subscribers and communications services provided to them to government authorities when this is required by law (see 3.1 Laws and Standards for Access to Data for Serious Crimes, below).
Text messaging: communications providers must send recipients the mobile phone numbers of senders of text messages, unchanged. This allows recipients to blacklist senders who send them unwanted messages (for example, advertisements from various shops, banks, etc).
A data operator who uses the internet to collect personal data is obliged to publish online its policy on the processing of personal data and personal data protection.
If a website contains personal data that has been processed in violation of Russian personal data legislation, access to this website may be restricted in Russia based on a court decision.
Behavioural advertising itself does not require the consent of a data subject. However, the processing of personal data used for behavioural advertising (information about consumers’ browsing behaviour) must have a sufficient legal basis – for example, the consent of a data subject.
Video and television
Owners of video streaming services with more than 100,000 users daily must prevent the use of their services for the disclosure of restricted information, and must rank videos to protect children from harmful information. Video streaming services may be owned only by Russian citizens or Russian legal entities. Such services may be blocked by a court at the request of Roskomnadzor if their owners do not comply with legal requirements.
Social media, search engines and large online platforms
Russian law uses the concept of an “organiser of dissemination of information via the internet”, which means a person who ensures the functioning of information systems or computer programs designed or used for the receipt, transfer, delivery or processing of electronic messages of internet users. The concept encompasses social networks, messengers, email services and other similar services.
Owners of these services are obliged to notify Roskomnadzor of the commencement of their activity. They must also store within Russia text messages, voice data, images, audio and video information, and other messages of their users as well as information about the receipt, transfer, delivery and processing of them. These messages, encryption keys required for their decryption, and other information about the users must be provided to security authorities in cases prescribed by law (see 3.1 Laws and Standards for Access to Data for Serious Crimes, below).
The organisers of instant messaging services are obliged to identify their users by their mobile phone numbers. The rules for the identification of users of instant messaging services were adopted in 2018 and will fully apply as of May 2019.
Upon the request of Roskomnadzor, operators of search engines must stop providing search results containing domain names and addresses of websites that have repeatedly and illegally published copyrighted material. Operators of search engines must also remove information about resources and networks from search results if access to these resources and networks is restricted in Russia.
In June 2018, Russia specified administrative liability for a search engine’s non-performance of the obligation to join the register of prohibited websites and stop displaying links to prohibited websites. An administrative fine of approximately EUR6,750 was imposed on Google in December 2018 for refusing to join the register.
Owners of online news aggregators with more than one million users daily must check the accuracy of disseminated information, store disseminated information for six months, and prevent the use of their resources for the dissemination of extremist materials. News aggregators may be owned only by Russian citizens or Russian legal entities.
Owners of commodity aggregators are subject to state supervision in the field of consumer protection. Owners of commodity aggregators must make information about their own and the seller’s name, address, business hours and state registration number available on a website. Owners of commodity aggregators are liable for losses caused to a consumer as a result of him or her being provided with inaccurate or incomplete information about a product or a seller. A consumer may demand that the owner of a commodity aggregator return an advance payment for a product that was not delivered on time.
Right to be forgotten (or of erasure)
An operator of a search engine, at the request of an individual, must remove from search results links to information about this individual that is disseminated in violation of Russian law, or is false or outdated. This requirement does not apply to certain information about crimes an individual has committed.
Owners of news aggregators and owners of video streaming services must prevent the use of their resources for the dissemination of extremist materials, materials that promote pornography, the cult of violence and atrocities, and materials containing obscenities. Owners of news aggregators must also respect the honour, dignity and reputation of others, and must prevent the use of their resources for the concealment or falsification of information of public importance, the dissemination of false news of public importance under the guise of truthful news, the dissemination of news intended to defame a citizen or a group of citizens (on the grounds of sex, age, race, nationality, language, religion, profession, place of residence, place of work or political views), and the dissemination of news about an individual’s private life in violation of the law.
Russian law makes no provision for data portability requirements.
On behalf of individuals aged under 18 (on behalf of children), consent to the processing of their personal data is given by their lawful representatives.
There are no special legal requirements in respect of the processing of educational or school data.
The processing of personal data for the promotion of goods, works or services in the market through direct contacts with potential consumers via means of communication is permitted only if the data subject has given prior consent.
The dissemination of advertising via telecommunications networks (including telephone, fax and mobile telephone communications) is permitted only if a subscriber or addressee has given prior consent to receiving advertising from a specific advertising distributor. It is prohibited to use telecommunications networks to disseminate advertising if a subscriber number is selected and dialled without the participation of a human being (automated calling, messaging).
Information required for behavioural advertising may be regarded as personal data. In this case, such information must be processed on the condition that there are sufficient legal grounds for processing it (the data subject has consented, there is an agreement with a data subject that requires the processing of this data, etc).
Workplace privacy is not specially regulated by any laws. However, the Labour Code of Russia does cover certain issues related to workplace privacy. For example, an employee cannot waive his or her right to the protection of privacy.
An employer may monitor workplace communications if doing so is required for control over the quantity and quality of work performed by an employee, and for the protection of property. The employee must be notified, against his or her signature, of the monitoring of his or her communications.
Labour organisations and work councils do not play any significant role when it comes to workplace privacy.
Russian law does not provide for special rules regarding whistle-blower hotlines or anonymous reporting. Limited regulation exists only with regard to the anti-corruption obligations of public officials. For example, a public official who notifies the competent authorities of corruption-related offences committed by other public officials must be legally protected according to the laws of Russia.
To restrict access in Russia to a website used for the processing of personal data, Roskomnadzor must prove in court that the processing of personal data using this website violates the requirements of Russian personal data law.
Administrative liability can be and is imposed on persons (invariably legal entities) guilty of violations of personal data law. For this to happen, Roskomnadzor must show in court that the accused entity is guilty. The entity is not obliged to prove its innocence.
For a criminal prosecution of a person for a violation of privacy or data protection requirements, his or her guilt must be proven in court. An accused person is not obliged to prove his or her innocence. The prosecution bears the burden of proof.
Potential enforcement penalties
The blocking of a website used for the illegal processing of personal data does not fall under any traditional kinds of legal liabilities. However, it may impede the commercial activity of the infringer in the Russian segment of the internet and may cause serious damage to its reputation.
Administrative liability for violations of data protection requirements usually takes the form of a fine. A fine for a separate violation cannot exceed approximately EUR1,000. However, if a person commits several data protection violations, fines for these violations may be aggregated and the total sum may be quite significant.
A data subject may demand that a data processor reimburse losses or compensate moral harm caused to him or her by illegal data processing. However, Russian court practice shows that it is very difficult to prove the amount of losses caused by a personal data violation. At the same time, Russian courts do not award high compensation sums for moral harm caused by personal data infringements: the average amount of such compensation is EUR5-50.
The most common crimes related to personal data processing may entail imprisonment for up to two years (for example, a breach of privacy or unauthorised access to computer information).
Leading enforcement cases
In the last 12 months, there were no enforcement cases comparable to the blocking in Russia of the LinkedIn website in 2016 for refusing to comply with a request to localise the processing of Russian citizens' personal data in Russia.
However, Roskomnadzor has recently commenced administrative proceedings against Twitter regarding its non-compliance with the data localisation requirements. This may potentially lead to the blocking of Twitter’s website in Russia.
The main laws regulating the access of law enforcement bodies to private information include the following:
The law enforcement bodies – the Federal Security Service (FSB) and internal affairs bodies (ie, the police) – access private information during special investigative activities, which include:
Organisers of the dissemination of information via the internet and communications providers must provide the Federal Security Service (FSB) and internal affairs bodies (ie, the police) with text messages, voice information, pictures, sounds, videos, and other messages of their customers, information about the receipt, sending, delivery, or processing of these messages, and information about their customers when so required by Federal Law No 144-FZ “On Operational Search Activity”, dated 12 August 1995.
Authorisation for access
The respective special investigative activities can be performed only based on a court decision and when information is available about the commission of serious crimes, about individuals who are preparing serious crimes, or on facts or actions (inaction) creating a threat to the state, military, economic, information or ecological security of Russia. In urgent cases, law enforcement bodies may perform these special investigative activities without the sanction of a court. However, they must inform a court of their actions within 24 hours, and obtain a court decision permitting these actions within 48 hours, or, in the absence of this, cease the activities in question.
What safeguards protect privacy?
A person who considers that actions by law enforcement bodies have led to a violation of his or her rights and freedoms is entitled to appeal these actions to a superior body, the prosecutor’s office, or a court. An individual found not guilty may demand access to materials concerning himself or herself that were obtained during special investigative activities. Sound recordings and other similar materials must be destroyed within six months of the end of the special investigative activities in question, unless the purposes of justice require otherwise. The Prosecutor General of Russia and other authorised prosecutors supervise the legitimacy of special investigative activities.
In practice, law enforcement bodies may perform special investigative activities illegally without court sanction, and use the information obtained to acquire evidence subsequently by legal means. Furthermore, individuals are often not able to detect special investigative activities performed in respect of them, and thereby cannot appeal these actions. Also, supervision over the legitimacy of special investigative activities by the prosecutor’s office may be ineffective owing to the respective authorities having common interests. In addition, courts may sometimes be inclined to sanction special investigative activities even when there is a lack of clear legal grounds for them.
Government access to data for intelligence, anti-terrorism and other national security purposes takes place under the procedure for law enforcement access to data relating to serious crimes (see 3.1 Laws and Standards for Access to Data for Serious Crimes, above).
An independent judicial sanction or approval is required to authorise government access to data for intelligence, anti-terrorism or other national security purposes (see 3.1 Laws and Standards for Access to Data for Serious Crimes, above).
The possibility of appealing the government's actions to a court, to a higher-level authority or to the prosecutor's office serves as a safeguard protecting privacy from illegal government access to data for intelligence, anti-terrorism or other national security purposes (see 3.1 Laws and Standards for Access to Data for Serious Crimes, above).
An organisation may not invoke a foreign government access request as a legitimate basis to collect and transfer personal data, unless an international treaty signed by Russia provides otherwise.
Russian law provides a list of available legitimate grounds for the processing of personal data. The list does not include grounds that explicitly embrace a foreign government access request, but the need to process data to achieve purposes provided for by Russia’s international treaties is regarded as a legal ground for data processing. Thus, a request by a foreign government cannot be an independent legal ground for data processing unless Russia has a relevant international agreement with the respective country.
The key issue arising in connection with the Russian government’s access to personal data is how to protect an individual from abusive use of his or her personal data by the government. One of the most discussed court cases in this area concerns an appeal by Telegram Messenger LLP against an order of the Federal Security Service (FSB) requiring the instant messaging service to provide the FSB with the encryption keys needed to decrypt the messages of Telegram users. In October 2017, an administrative fine of approximately EUR10,800 was imposed on Telegram for failing to provide the encryption keys. In March 2018, the Supreme Court of Russia dismissed Telegram’s complaint, and thus the order of the FSB remained in force.
Cross-border transfers of personal data to countries that provide adequate protection of personal data are allowed, and are performed on a regular basis. The countries that are parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 1981 (see 1.4 Multilateral and Subnational Issues, above) and the countries included in a special list compiled by Roskomnadzor (see the Order of Roskomnadzor No 274, dated 15 March 2013) are considered to provide adequate protection of personal data. Cross-border transfers of personal data to these countries are performed on general legal grounds for the processing of personal data. Cross-border transfers of personal data to other countries may be performed only based on special legal grounds (see below).
Russia does not use mechanisms such as Privacy Shield, other multilateral transfer frameworks, or binding corporate rules.
However, cross-border transfers of personal data to countries that do not provide adequate protection of personal data can be performed on the special grounds listed in Article 12(4) of Federal Law No 152-FZ: (i) the data subject has given written consent to the cross-border transfer; (ii) the transfer is provided for by Russia’s international treaties; (iii) the transfer is provided for by federal laws where necessary to protect the constitutional order, national defence and security, or the safe and stable functioning of the transport system; (iv) the transfer is necessary for the performance of a contract to which the data subject is a party; or (v) the transfer is necessary to protect the life, health or other vital interests of the data subject or of other persons where the data subject’s written consent cannot be obtained.
The first and the fourth grounds (written consent and performance of a contract with the data subject) are the most appropriate grounds for use in business practice.
In Russia, government notifications or approvals are not required for data to be transferred internationally. However, a data operator must notify Roskomnadzor of its intention to process personal data before it commences data processing, unless certain legal exceptions apply. The notification to Roskomnadzor must specify whether data processing implies the cross-border transfer of personal data.
When collecting personal data, a data operator must ensure that the recording, arrangement, accumulation, storage, rectification (renewal, alteration) and retrieval of Russian citizens' personal data is carried out using databases located in Russia, unless the law provides otherwise.
Russian citizens' personal data that is to be processed within Russia may be transferred outside Russia if there are sufficient legal grounds for the transfer. However, personal data must initially be added to – and updated within – a database located in Russia and only afterwards can such personal data be transferred to a database located outside Russia.
If an “organiser of the dissemination of information via the internet” uses additional encryption of electronic messages, said organiser must provide the Federal Security Service (FSB) with the information required for the decryption of these messages.
A foreign government data request itself does not constitute a sufficient legal ground for the processing of personal data under Russian law. However, Russia might have an international treaty that authorises such processing of personal data.
Foreign litigation proceedings may justify the processing of personal data if there is a decision of a foreign court to this effect that can be enforced under Russian legislation on enforcement proceedings.
An organisation may process personal data for the purposes of internal investigations if it can clearly show that this data processing is required for the exercise of the rights and legitimate interests of the relevant organisation or of third parties, and that this data processing does not violate the rights and freedoms of data subjects.
Under Federal Law No 481-FZ, dated 31 December 2017, the Russian Government is entitled to determine cases when companies are allowed not to disclose information about their transactions, when companies’ financial reports must not be published on the internet, and when certain other information must not be put online. The purpose of this federal law is to complicate the application of foreign sanctions against Russia and thus it can be characterised as a “blocking” statute.
Big data analytics
Big data analytics are not currently addressed by Russian law, although several draft laws on big data technologies are being prepared by different institutions. The latest draft law on big data includes a definition of big data, underlining that it is not personal data. It also proposes the creation of a state register of big data operators. However, this draft law was rejected for financial reasons, and may be reconsidered once it is amended.
At the same time, some experts are of the opinion that the existing personal data legislation (with limited amendments) may be enough to deal with big data issues.
Decisions that entail legal consequences for a data subject, or that otherwise affect his or her rights and legitimate interests, may not be made based exclusively on the processing of personal data by automated means. Such a decision may be made only if the data subject gives written consent, or if federal law expressly so allows.
A data operator must explain to a data subject the procedure for making a decision based exclusively on the processing of his or her personal data by automated means, and the potential legal consequences of such a decision. Furthermore, the data operator must provide the data subject with the opportunity to object to such a decision, and must explain to the data subject the procedure for the protection of his or her rights and legitimate interests.
“Biometric data” is data that characterises the physiological and biological traits of a human being, based on which it is possible to determine his or her identity. If a data operator uses biometric data to determine the identity of a data subject, said data operator is allowed to process this data only based on the written consent of a data subject. However, the processing of biometric data may be performed without the written consent of a data subject in cases provided for by Russia’s international treaties or by special laws (on defence, on security, countering terrorism, etc).
As of 30 June 2018, banks are able to use data contained in the Unified Biometric System to conclude agreements with individuals without their physical presence in bank branches. This system contains voice records and facial images of data subjects.
Flights by drones (unmanned aerial vehicles) are regarded as the use of airspace. Prior to a flight, an owner of a drone must provide air transport authorities with a flight plan, and must obtain their permission to use airspace. To use airspace over a populated locality, an owner of a drone must also obtain the permission of the relevant local governing body. To use airspace over forbidden or restricted zones, permission from the beneficiaries of these zones is required.
To take photos or videos with the use of a drone, the owner of the drone must comply with special certification requirements.
A breach of the rules on airspace use may entail an administrative fine of up to approximately EUR4,300 being imposed on a drone user.
Drones with a maximum take-off weight of 30 kg or more are subject to state registration. Those with a maximum take-off weight of 0.25 kg to 30 kg are subject to state recording.
The need for amendments to regulation of the use of drones is currently under discussion. For example, there are proposals to give authorities the right to shoot down drones flying over forbidden or restricted zones.
The key cyber-security law in Russia is Federal Law No 187-FZ “On the Security of the Critical Information Infrastructure of the Russian Federation”, dated 26 July 2017.
According to Decree No 1085 of the President of Russia “Matters of the Federal Service for Technical and Export Control”, dated 16 August 2004, the Federal Service for Technical and Export Control (FSTEC) is the national executive authority responsible for the provision of security for Russia’s critical information infrastructure.
Under Decree No 620 of the President of Russia “On the Development of a State System for Detection, Prevention, and Elimination of Consequences of Computer Attacks on Information Resources of the Russian Federation”, dated 22 December 2017, the Federal Security Service (FSB) operates and controls the state system for the detection, prevention and elimination of the consequences of computer attacks on Russia’s information resources.
In 2018, the Government of Russia adopted several regulations concerning critical infrastructure, including the Rules for State Control in the field of Ensuring the Security of Significant Objects of Critical Information Infrastructure (Resolution No 162 of the Government of Russia dated 17 February 2018), the Rules for Categorising the Objects of the Critical Information Infrastructure and the List of Indicators of Criteria for the Significance of the Objects of the Critical Information Infrastructure (Resolution No 127 of the Government of Russia, dated 8 February 2018).
Furthermore, FSTEC has defined the requirements for ensuring the security of significant objects of the critical information infrastructure (Order No 239 of FSTEC, dated 25 December 2017), and the FSB has established the procedure for the exchange of information about computer incidents and the procedure by which subjects of critical information infrastructure obtain information about the means and methods used to conduct computer attacks and about methods of preventing and detecting them (Order No 368 of the FSB, dated 24 July 2018).
Federal Law No 152-FZ “On Personal Data”, dated 27 July 2006, provides for basic requirements for the protection of personal data, which are elaborated by regulations set by the Russian Government and other executive authorities.
Applications and definitions
Federal Law No 187-FZ “On the Security of the Critical Information Infrastructure of the Russian Federation”, dated 26 July 2017, applies to Russia’s critical information infrastructure.
“Critical information infrastructure” means objects of critical information infrastructure and electric communication networks used to arrange the interaction of these objects.
“Objects of critical information infrastructure” means information systems, information and telecommunication networks, and the automatic control systems of subjects of critical information infrastructure.
“Subjects of critical information infrastructure” means state bodies, state institutions, Russian legal entities and/or individual entrepreneurs who lawfully own information systems, information and telecommunications networks, and automatic control systems that function in the fields of healthcare, science, transport, communications, power generation, banking and other sectors of the financial market, fuel and energy, atomic power, defence, the rocket and space sector, mining, metals, and the chemical industry, as well as Russian legal entities and individual entrepreneurs who ensure the interaction of these systems and networks.
Federal Law No 152-FZ “On Personal Data”, dated 27 July 2006, applies to personal data, which is defined as any information relating directly or indirectly to an identified or identifiable natural person.
In Russia, there is no overarching cyber-security agency. In practice, the FSB retains the strongest cyber-security capabilities among the state bodies.
Roskomnadzor checks whether data operators adopt documents on the protection of personal data, but does not focus directly on the technical aspects of the protection of personal data.
The FSB conducts audits of the use of cryptographic means for the protection of personal data. FSTEC determines the composition and content of organisational and technical measures that ensure security for personal data. In principle, FSTEC should support Roskomnadzor in respect of technical issues linked to the protection of personal data.
On 24 July 2018, the National Computer Incident Coordination Centre (NCICC) was established. NCICC co-ordinates the activities of subjects of critical information infrastructure that involve detecting, preventing and eliminating the consequences of computer attacks and reacting to computer incidents.
The Bank of Russia enacts non-binding information security standards and recommendations for institutions in Russia’s banking system. It has also developed a number of binding information security regulations, primarily in the area of money transfers, and has also established the Financial Sector Computer Emergency Response Team (FinCERT). Its purpose is to facilitate information exchange between the Bank of Russia, credit and non-credit financial institutions, integrator companies, developers of virus protection software, communications providers, law enforcement and other authorities supervising information security.
In Russia, there is a system of non-binding national standards concerning data protection. The standard “Safety of Information. System of Standards. Basic Principles” (GOST R 52069.0-2013) is a primary national standard in the field of data protection (by non-cryptographic means).
The standard “Protection of Information. Basic Terms and Definitions” (GOST R 50922-2006) contains definitions of key terms in the field of information protection, including “information protection”, “means of information protection”, “information protection system”, etc.
Other standards in the area of data protection include, for example, the following:
Written information security plan or programme
Under Order No 235 of the Federal Service for Technical and Export Control (FSTEC), dated 21 December 2017, a subject of critical information infrastructure must adopt regulatory documents on security for significant objects of critical information infrastructure. These documents must specify the rules for the functioning of a security system for significant objects of critical information infrastructure. A subject of critical information infrastructure must have an annual plan of action for the provision of security for significant objects of critical information infrastructure.
A personal data operator must make its policy on the protection of personal data publicly available.
An information security policy must be enacted by a credit institution under Regulation No 242-P of the Bank of Russia, dated 16 December 2003. Under the Standard of the Bank of Russia (STO BR IBBS-1.0-2014), an institution belonging to Russia’s banking system must enact a general information security policy, special information security policies, documents regulating specific activities related to ensuring information security, and documents applicable to particular information security procedures. Recommendations for the content of these policies and documents are set out in separate recommendations of the Bank of Russia (RS BR IBBS-2.0-2007).
Incident response plan
Subjects of critical information infrastructure must react to computer incidents according to the procedure determined by the Federal Security Service (FSB). Such a procedure has not yet been determined by the FSB.
Data operators must have policies for the protection of personal data, which must address the response to incidents that may pose a threat to the security of personal data.
Under the Standard of the Bank of Russia (STO BR IBBS-1.0-2014), an institution belonging to Russia’s banking system must enact requirements for the procedure for responding to information security incidents. The recommendations of the Bank of Russia (RS BR IBBS-2.5-2014) contain advice on the content of such requirements.
Appointment of Chief Information Security Officer (or equivalent)
The security system for a significant object of critical information infrastructure is created, organised and controlled by the head of the relevant subject of critical information infrastructure. However, these functions may be delegated to a special officer.
Some levels of personal data protection do require the appointment of an officer responsible for the provision of security for the information system used for the processing of personal data.
The standards and recommendations of the Bank of Russia do not require the appointment of a Chief Information Security Officer, or the equivalent. However, they provide that an organisation belonging to the banking system must specify the roles of its employees in relation to the ensuring of information security.
Involvement of board of directors (or equivalent)
The board of directors (or the equivalent) is not involved in the cyber-security framework for subjects of critical information infrastructure.
The rules on personal data protection do not provide for the involvement of the board of directors (or the equivalent) of a data operator in the arrangement of personal data protection.
The standards and recommendations of the Bank of Russia do not provide for the involvement of a board of directors (or the equivalent) in cyber-security processes. However, decisions concerning the implementation and use of the information security system of a banking institution must be ratified by its management body.
Conducting internal risk assessments, vulnerability scanning, penetration tests, etc
Subjects of critical information infrastructure must perform internal control over the arrangement of the ensuring of security for significant objects of critical information infrastructure and over the effectiveness of the organisational and technical measures implemented.
A data operator must test the measures implemented for personal data protection at least once every three years. The data operator may perform a test by itself, or may retain a third party that has a licence for the technical protection of confidential information.
Under the Standard of the Bank of Russia (STO BR IBBS-1.0-2014), a banking organisation must adopt a programme of self-assessment. Self-assessment includes the assessment of the current information security level, of information security management, and of the level of information security awareness (the Standard of the Bank of Russia STO BR IBBS-1.2-2014).
Insider threat programme
Subjects of critical information infrastructure might be obliged to take special measures to address insider threats under the requirements of FSTEC for the ensuring of security for significant objects of critical information infrastructure. However, under Decree No 98 of the President of Russia, dated 2 March 2018, the requirements in question are classified and are not available to the public.
The regulations on the protection of personal data provide for certain specific measures to address insider threats. For example, a data operator must approve a list of persons who need access to personal data information systems to perform their employment duties.
Under recommendations of the Bank of Russia (RS BR IBBS-2.9-2016), banking institutions must determine categories of internal violators and actual threats related to their actions. The recommendations also provide for certain specific measures to address threats related to the actions of internal violators.
Vendor and service-provider due diligence, oversight and monitoring
Subjects of critical information infrastructure might be obliged to perform vendor and service provider due diligence, oversight and monitoring under requirements for the ensuring of security for significant objects of critical information infrastructure prepared by FSTEC. However, under Decree No 98 of the President of Russia, dated 2 March 2018, the requirements in question are classified and are not available to the public.
The regulations on the security of personal data do not provide for special rules on vendor and service provider due diligence, oversight and monitoring.
The Standard of the Bank of Russia (STO BR IBBS-1.0-2014) specifies general requirements for the ensuring of information security for automated banking systems. Under the Standard, a banking institution must analyse whether developers of automated banking systems take protective measures designed to ensure security in the development and supply of these systems.
Under Order No 235 of FSTEC, dated 21 December 2017, subjects of critical information infrastructure must arrange information security training sessions for their employees at least once a year.
According to Federal Law No 152-FZ “On Personal Data”, dated 27 July 2006, a data operator may arrange training sessions for its employees to improve their knowledge of personal data protection.
Under the Standard of the Bank of Russia (STO BR IBBS-1.0-2014), a banking institution must enhance the awareness of personnel and clients regarding information security, and must arrange training sessions on this subject.
Russia is a party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, dated 28 January 1981. In October 2018, Russia signed the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the Protocol provides for an obligation to declare data breaches, a requirement that the “privacy by design” principle is applied, greater transparency of data processing, and other important rules). Russia is trying to induce foreign companies to comply with its data localisation requirements. In that context, Roskomnadzor restricted access in Russia to the LinkedIn website in 2016.
Russia actively took part in the preparation of the Convention on Cybercrime, dated 23 November 2001. However, Russia is not a party to this convention since Russia does not agree with Article 32(b), which allows a party to receive computer data located in the territory of another party without the authorisation of that other party.
Before it commences the processing of personal data, a data operator must inform Roskomnadzor of its intention to process personal data, unless statutory exceptions apply. The data operator must notify Roskomnadzor of measures taken to eliminate a violation of personal data legislation if the data operator is informed of this violation by Roskomnadzor. If required, operators of personal data must use properly certified information security tools.
Russian law does not provide for affirmative security requirements applicable to material business data, networks or systems.
Subjects of critical information infrastructure must immediately inform the Federal Security Service (FSB) of computer incidents, and must co-operate with its officers in the detection, prevention and elimination of the consequences of computer attacks, as well as in the determination of the causes and conditions of the origin of computer incidents. They are obliged to react to computer incidents according to the procedure established by the FSB and to take measures to eliminate the consequences of computer attacks on significant objects of critical information infrastructure.
Under the Standard of the Bank of Russia “Collection and Analysis of Technical Data in Responding to Information Security Incidents in the Process of Money Transfers” (STO BR IBBS-1.3-2016), institutions belonging to Russia’s banking system are recommended to collect and analyse information regarding DDoS (distributed denial-of-service) attacks on their information systems.
A data operator must report the elimination of a violation of personal data legislation to Roskomnadzor if said data operator identifies a violation as a result of a request by Roskomnadzor.
Russian law does not specify the data elements or systems covered by the obligation of a data operator to inform Roskomnadzor of the elimination of a violation of personal data legislation identified as a result of a request by Roskomnadzor. Roskomnadzor is entitled to request from the data operator such information as it requires to exercise its powers.
Software itself, or software together with hardware, may constitute a medical device. Medical devices are subject to registration by Roszdravnadzor (the Federal Service for Surveillance in Healthcare). To be registered by Roszdravnadzor, a medical device must be of high quality, effective and safe. An applicant must provide evidence that the medical device is safe. A special committee of experts evaluates the evidence presented and decides whether the medical device is safe.
Russian law does not provide for special security requirements for Industrial Control Systems (and SCADA) unless they are significant objects of critical information infrastructure. The Federal Service for Technical and Export Control (FSTEC) determines the requirements for the provision of security for significant objects of critical information infrastructure. However, under Decree No 98 of the President of Russia, dated 2 March 2018, the requirements in question are classified and are not available to the public.
Russian law does not provide for special security requirements for IoT (the Internet of things).
Subjects of critical information infrastructure must immediately notify the Federal Security Service (FSB) of computer incidents. A “computer incident” means the interruption and/or breakdown of an object of critical information infrastructure, an electric communications network used for the arrangement of interaction between such objects, and/or a violation of the security of processed information.
A personal data operator must notify Roskomnadzor of the elimination of a violation of personal data legislation if the violation is detected by the data operator as a result of a request by Roskomnadzor. A personal data operator must notify a data subject of the elimination of a violation of personal data legislation if the violation is detected by the data operator as a result of a request by a data subject.
Generally, an employer may monitor a network and take other cyber-security defensive measures if such measures are required to control the quantity and quality of employees’ work and ensure the security of property. Employees must be duly informed of these measures taken by the employer.
Subjects of critical information infrastructure must immediately inform the Federal Security Service (FSB) of computer incidents. They must also inform the Bank of Russia of these incidents if they are participants in the financial market.
In summer and autumn 2017, three members of the hacker group Humpty Dumpty were sentenced by a court to two to three years in custody for illegal access to computer information. The hacking group specialised in the interception of correspondence and the hacking of accounts of high-level public officials, major companies and the mass media for the subsequent resale of the data they obtained.
The Constitutional Court of Russia ruled that if an employee sends confidential information belonging to an employer to his or her private email, the employee is not held to have illegally disclosed this confidential information unless the employer explicitly prohibits its employees from sending confidential information to their private email addresses and takes other necessary measures, effectively to protect this information (Ruling No 25-P of the Constitutional Court of Russia, dated 26 October 2017).
According to Resolution No 146 of the Government of Russia, dated 13 February 2019, a data operator’s failure to eliminate a violation of personal data legislation, if this violates the rights and legitimate interests of data subjects, may lead to the suspension of the processing of personal data until such violation is eliminated.