PLB Conference_Doing Business in Russia_Privacy Law Risk Update_July 5 2016
1. Doing Business in Russia: Privacy Law Risk Update
Anastasia Zagorodnaya
Of Counsel
Dentons St. Petersburg, Russia
Privacy Laws & Business
29th Annual International Conference
July 5, 2016
Cambridge
2. 5 key things you need to know about Russian DP law and practice
1. rather advanced (based on the 1981 Convention) and developing
2. localization (HIGH RISK!)
3. specific security measures prescribed by law
4. claims may be submitted at the data subject’s place of residence
5. cultural aspects are of importance
3. Overview: Legal framework
• 1981 Convention, in force for RU since 01.09.2013
• RF Constitution, Arts. 23 & 24: right to privacy
• Data Protection Law No. 152-FZ of 27.07.2006: general regulations
• Law on Information No. 149-FZ of 27.07.2006: bloggers, open data, RTF
• Special provisions in various laws: rules on certain categories of data and data subjects (e.g. Labor Code on HR data)
• Civil, Labor and Criminal Codes, Code on Admin Offences: liability
• Civil Procedure Code: jurisdiction over disputes
• Government Resolutions
• Roscomnadzor Orders
• Orders of other Authorities (Federal Security Service, Federal Service for Tech and Export Control, etc.)
4. Overview: Notification to Roscomnadzor
• Prior to processing
• Key exemptions:
  • HR data
  • agreement conclusion and performance
  • publicly available data
  • full names only
  • manual processing
• Paper or electronic, to include information on operator, data categories, means and purposes of processing, security measures, local database, etc.
• No fees
• Obligation to update (including in view of localization) within 10 business days
5. Overview: Consent
• required unless limited grounds for processing apply
• specific, informed and freely given
• any provable form, EXCEPT FOR the following, where WRITTEN consent subject to specific requirements is needed:
  • sensitive data
  • bio data
  • data to be made publicly available
  • HR data transfer to third parties
  • cross-border transfer to “unsafe” countries
  • automatic processing resulting in legal consequences
6. Overview: Cross-border transfer
• Parties to the 1981 Convention, and countries from the list approved by the regulator (17, including Australia, Argentina, Korea, New Zealand, Canada, Mexico): subject to the general provisions of the Data Protection Law
vs.
• Everybody else (e.g. USA): written consent, EXCEPT FOR:
  • international treaties
  • federal laws (state and personal security)
  • contract performance
  • protection of health/life of the data subject or third parties
7. Overview: Sanctions (1)*
Company officer:
• ADMINISTRATIVE: fine up to 65 EUR, disqualification for up to 3 years
• CRIMINAL: fine of up to 4,000 EUR, imprisonment of up to 2 years or other punishment
Company:
• ADMINISTRATIVE: fine up to 130 EUR
• CIVIL: compensation of damages or moral sufferings
Draft bill to significantly increase fines.
Sanctions may apply cumulatively (AND/OR).
Other negative consequences:
• visa issues for foreign nationals
• order to terminate allegedly illegal processing (?)
• license suspension (?)
* Liability may vary depending on the applicable legal provision.
8. Overview: Sanctions (2): Website blocking
• Data subject may file a lawsuit at his/her place of residence and, based on the court’s decision, apply to Roscomnadzor in order to promptly limit access to information processed in violation of DP legislation on the Internet
• Roscomnadzor will notify the web owner/hosting provider. If they fail to limit access to the information in dispute, access to the entire website will be blocked
• Interpretation: only websites where personal data is made publicly available may be blocked, but risks of broader interpretation by local courts exist
9. Localization requirement
Federal Law of 21 July 2014 No. 242-FZ (aka “Localization law”) added the following provision to the Data Protection Law:
‘While collecting personal data, including by means of the Internet, the operator must ensure that recording, systemization, compilation, storage, modification (updating, alteration), and retrieval of personal data of the Russian citizens is done using databases located on the territory of the Russian Federation, except for …’
10. Localization requirement: Exceptions
Generally NOT applicable to business:
• journalist, scientific and creative activities
• judicial and enforcement purposes
• state and municipal services
• international treaty requirements or performance of functions imposed by Russian law
(!) General obligation to keep HR and accounting records DOES NOT serve as grounds for exemption
11. Localization requirement: Ministry Guidance (1)
Ministry of Telecom and Mass Communications clarifications
http://minsvyaz.ru/ru/personaldata/#1438548328715
1. Jurisdiction
• Russian companies or representative offices registered in Russia
• Foreign companies that have no Russian presence but “target” (direct their activities at) the Russian market. “Directed at” concept for websites:
  • use of domain names associated with Russia (.ru, .moscow, etc.) and/or a website version (or page) in Russian
  (!) + at least one of the following in addition to the above:
  • payments available in RUB
  • contract performance on the territory of Russia (goods/service delivery, use of digital content)
  • ads in Russian promoting website
  • other circumstances evidencing that Russian market is part of the business strategy
UNLESS exceptions apply
12. Localization requirement: Ministry Guidance (2)
2. Application
• Collection: “intentional” from data subject directly or via specifically engaged third parties.
  • employee/representative contact data exchanged in the course of business not covered.
• Consent effect: none (but reduces risk of claims from a data subject)
• Cross-border transfer: not affected; Russian citizens’ data entered into a local Russian database (“primary database”) may be further transferred to a database abroad (“secondary database”), with applicable formalities.
• Database: initially broad concept, now favoring a narrower approach (!)
• No retroactive effect: data collected before entry into force is not covered; yet, mentioned operations with old data (e.g. update) trigger the need to comply.
• Citizenship: no rules, operator can define itself. If no procedure established, amendment may be applied to all data collected in Russia.
Guidance status: non-binding, but all we have
13. Localization requirement: Enforcement
• Roscomnadzor is mostly interested in mass processing (online retailers, social networks, insurance companies, banks, etc.)
• Scheduled inspections:
  • Over 640 companies already inspected, including major online retailers (wildberries.ru, OZON.ru, Lamoda.ru, KupiVIP.ru).
  • 4 companies found non-compliant, must comply within 6 months
  • Over 900 more companies are scheduled for inspection in 2016, including: British American Tobacco, HP, Raiffeisenbank, McDonalds.
• Unscheduled inspections possible (including at the data subject’s request).
14. Localization requirement: practical approaches
Main solutions depending on business features and “starting points”:
• Changing the set of data processed or steps to anonymize
• Delegation of processing
• “Primary database” localization in Russia
15. Latest news/initiatives/trends
• Roscomnadzor strategy paper
• Creation of a single online register of PD submitted by data subjects via websites, when visiting business centers and similar venues with controlled admission
• Big data regulation
• Employee surveillance
• …