The Russian legal system is a continental, code-based civil law system. Both federal and regional legislation exist; however, federal legislation takes priority in cases of conflict. Data privacy is generally regulated at the federal level, and the regions of Russia do not issue any specific laws or regulations in this respect.
The latest Constitution of Russia, which provides that each individual has a right to privacy and personal and family secrets, was adopted in 1993. Each individual has a right to keep his or her communication secret, and restriction of this right is allowed only subject to a court decision. Collection, storage, use and dissemination of information about an individual's private life are allowed only with the individual's consent. The protection of these basic rights is regulated by special laws (e.g., on communications) and also specific regulations enacted in relation to these laws.
In 2006, Russia adopted a major law regulating data privacy issues, Federal Law No. 152-FZ on Personal Data dated 27 July 2006 (the Personal Data Law), which entered into force in 2007. The Personal Data Law covers almost all aspects of data protection, for example, what is considered personal data, what types of data can be collected and processed, how and in what cases data can be collected and processed, and what technical and organisational measures must be applied by companies or individuals that collect data. Unlike European law, the Personal Data Law does not distinguish between data controllers and data processors. Therefore, any individual or entity working with personal data is considered a personal data operator and thus falls under the regulation of the Personal Data Law. There are also several specific regulations, mainly covering the technical side of data processing and to a certain extent clarifying the provisions of the Personal Data Law. Such regulations are issued by the Russian government, the Russian data protection authority (i.e., the Federal Service for Supervision in the Sphere of Communication, Information Technology and Mass Communications, Roskomnadzor (DPA)) or the authorities responsible for various security issues in Russia, such as the Federal Service for Technical and Export Control (FSTEK) or the Federal Security Service (FSB).
Between 2007 and 2014, data privacy was never a topic of intense discussion or major enforcement. This changed rather dramatically in 2014, when the general approach of the government to privacy became fairly protectionist. Even though officials usually tell the media that free data flows and worldwide interconnected technologies are the present reality and that they do not want to impede the development of technology, in reality the new laws adopted during the last four years are creating artificial barriers and thus harming Russian business. In 2014, the Russian parliament adopted amendments to the Personal Data Law (which then became known as the Data Localisation Law) that require data operators that collect Russian citizens' personal data to store and process such personal data using databases located in Russia. The Data Localisation Law was heavily criticised by business and the media but nevertheless came into force on 1 September 2015. While this law generated a great deal of profit for Russian data centres, it also created high costs for ordinary businesses, which needed to redesign their data storage infrastructure.
In addition to the Data Localisation Law, Russia adopted amendments to the Federal Law on Information, Information Technologies and Protection of Information. These amendments require companies that provide video, audio or text communication services (usually 'messengers') to register with the authorities, to store users' messages and audio or video calls for up to six months and to provide the security authorities with decryption keys if the messages are encrypted. These rules have resulted in the blocking of BlackBerry Messenger and a few other messengers in Russia and in a campaign to block the Telegram messenger.
II THE YEAR IN REVIEW
Recent years have been very intense for Russian data protection law. The first step was Federal Law No. 97-FZ of 5 May 2014, which significantly amended Federal Law No. 149-FZ dated 27 July 2006 on Information, Information Technologies and Protection of Information (the Information Law) and some other Russian regulations. The Information Law was later substantially strengthened by a few additional amendments, which finally came into force on 1 July 2018. Authored by conservative lawmaker Irina Yarovaya and nicknamed the 'Big Brother law' by Edward Snowden, the amendments (the Yarovaya Law) directly affect Russia's telecom and internet industries. In particular, mobile operators must store the recordings of all phone calls and the content of all text messages for a period of six months, entailing huge costs, while internet companies (e.g., messengers) must store the content of all calls and messages for six months and the related metadata for one year.
In addition, the Yarovaya Law requires such operators to provide any such communications to Russian police and intelligence at their request and to install special systems used for investigation purposes or 'reconcile the use of software and hardware with the authorities' as well as to provide the security authorities with decryption keys if the messages are encrypted.
Non-compliance may result in fines or in access to the non-compliant service being blocked. The parts of the Yarovaya Law that are already effective are actively enforced by the DPA, and several messengers, including BlackBerry Messenger, Imo and Vchat, have been blocked in Russia. In May 2017, the DPA also blocked WeChat and unblocked it once it had registered with the DPA. This enforcement also resulted in a major case against the Telegram messenger, described in more detail below.
As a second step in data protection-related legislation, the Russian authorities adopted the Data Localisation Law and created a new procedure restricting access to websites that violate Russian laws on personal data.
In particular, based on the Data Localisation Law, the DPA created a register of infringing websites, and the law provides for a detailed 'notice and take down' procedure. Most importantly, the Data Localisation Law requires that the personal data of Russian citizens be stored and processed using databases located in Russia, and the location of those databases must be reported to the DPA.
III REGULATORY FRAMEWORK
i Privacy and data protection legislation and standards
According to the Personal Data Law, 'personal data' means any information relating directly or indirectly to an identified or identifiable individual. The law does not define 'sensitive data' as such, but lists special categories of personal data such as 'race; nationality; political, religious, or philosophical views; health; and private life'. The purpose of the Personal Data Law is to regulate the processing of personal data by state authorities, private entities and individuals. Thus, the law establishes the rights of individuals and sets out the obligations of legal and natural persons when processing personal data.
Any individual or company that collects and processes personal data is considered a personal data operator and thus is subject to the regulations of the Personal Data Law and state control. The Personal Data Law and other related regulations do not make any distinction between data controllers and data processors. Therefore, the law applies in its entirety to anyone dealing with personal data except where explicitly provided otherwise in the Personal Data Law.
There are also several specific regulations that primarily cover the technical side of data processing and to a certain extent clarify the provisions of the Personal Data Law. Among them is Decree No. 1119 of the government of Russia (dated 1 November 2012 and enacted pursuant to Article 19 of the Personal Data Law) (Decree No. 1119). Decree No. 1119 provides for four general levels of protection to be applied by personal data operators depending on the quantity and types of data processed in their information systems. The detailed technical requirements for personal data processing are defined by FSTEK.
Although there has been steady growth in monitoring and the DPA is working more and more actively, the overall level of compliance with the Personal Data Law still appears to be low in Russia for various reasons, including (1) low fines; (2) slow work by the DPA; and (3) ambiguous provisions of the Personal Data Law that make compliance difficult.
ii General obligations for data handlers
Certain organisational and technical steps need to be taken to ensure compliance with the Personal Data Law. Data handlers must:
- collect the consent of personal data subjects: consent is required to be collected and in certain cases be in writing (ink on paper) unless certain exemptions are clearly applicable;
- check the country of the data recipient: in the event of cross-border transfers, the transferring entity needs to check whether the country of the data recipient is deemed to provide adequate protection to personal data, since if not, the consent needs to be in writing and contain a specific authorisation to transfer personal data to such country;
- have a data transfer agreement: the Personal Data Law requires that the transferring entity and the data recipient enter into an agreement that must stipulate that the data recipient will ensure at least the same level of data protection as applied by the transferring entity;
- have a primary database in Russia: it must be ensured that the primary database with the personal data of any Russian citizens is located in Russia (e.g., in a Russian data centre or on any other server);
- comply with technical requirements: data operators must ensure that their systems are compliant with the technical requirements of the FSB and FSTEK, as well as Decree No. 1119;
- perform a data protection audit: every three years, data operators must perform an internal data protection audit and as a result of such audit adopt a document confirming that the data protection processes are in compliance with the Personal Data Law;
- appoint a data privacy officer (i.e., an employee who will be in charge of implementation and control of clients' personal data protection);
- handle requests of individuals: data operators must comply with the requests of individuals related to their personal data. Such requests must be answered (e.g., access to personal data granted; personal data deleted at the request of the individual, etc.);
- define potential threats to personal data subjects: data operators must adopt an internal document that assesses the potential threat to data subjects in the event of, for example, unauthorised disclosure of their personal data and what measures are implemented in order to avoid damage to data subjects;
- acquaint its employees with the internal data protection processes and regulations, and conduct training sessions on personal data security; and
- register with the DPA (unless subject to exemptions).
The above list of steps is rather standard and may apply to most data operators; however, it is not exhaustive and the relevant measures may vary depending on the types of data collected and the means of collection and processing. The exact list of measures must be defined on a case-by-case basis.
iii Specific regulatory areas
The Personal Data Law applies to all types of operators and data subjects. However, certain industry-specific aspects should also be noted. The Central Bank of Russia acts as a sector regulator for financial institutions, for instance by requiring banks to report cybersecurity incidents to it.
Russian labour laws require employers to obtain the written consent of employees to transfer their personal data to third parties, for instance when such transfer is necessary to share data with group companies. However, when the employer has a legitimate interest or when required by law, the transfer can be made without such consent.
Protection of children and their privacy as well as financial, health and communications privacy are also regulated by specific laws, such as the Federal Law on Communication. However, the rules contained in these laws are mostly declarative, requiring the protection of the privacy and confidentiality of communications data, prohibiting mention of the names of children who have been the victims of criminal actions in mass media, etc.
iv Technological innovation
Developments in Russian privacy legislation and Personal Data Law used to be very slow, and they obviously do not yet meet the demands of the rapid changes in technological innovation. Issues such as location tracking, Big Data, data portability, employee monitoring, facial recognition technology, behavioural advertising and electronic marketing remain, to a certain extent, grey areas without adequate regulation.
However, the situation is changing. For instance, the DPA and the courts currently take the position that technical identifiers such as cookies constitute personal data, which makes business operations even more complicated. In addition, lawmakers intend to adopt a law on big data with a potential requirement to localise all such data in Russia.
IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION
International data transfers in Russia are regulated by the Personal Data Law. The Personal Data Law distinguishes between countries that provide adequate protection for personal data and those that do not. In the event of cross-border transfers, a data operator needs to check whether the country of the data recipient is deemed a provider of adequate protection to personal data, since if not, the consent of the data subject needs to be in writing (ink on paper) and contain a specific authorisation to transfer personal data to such country. The Personal Data Law provides for only three categories of lawful cross-border transfer of Personal Data:
- transfer to countries that are parties to the Council of Europe Convention of 1981 (Convention 108, the Personal Data Convention);
- transfer to countries that are not signatories to the Personal Data Convention but are on the list of additional countries adopted by the DPA. The current version of the list (as amended on 15 June 2017) includes Angola, Argentina, Australia, Benin, Canada, Cape Verde, Chile, Costa Rica, Gabon, Israel, Kazakhstan, Malaysia, Mali, Mexico, Mongolia, Morocco, New Zealand, Peru, Qatar, Singapore, South Africa, South Korea and Tunisia; and
- transfers to any other countries (e.g., the United States) that are neither on the list of additional countries nor signatories to the Personal Data Convention, provided that there is explicit handwritten (ink on paper) consent of the data subject to such transfer.
Obtaining written consent is in many cases a core element of Russian data protection law. However, this can become a burdensome procedure, especially for companies that do business on the internet. The main problem is that the only alternative to a wet signature is an enhanced qualified electronic signature, which under Russian law is the only kind of e-signature with the legal force of a handwritten signature. Such signatures must be created using certified cryptographic software and are obtained from accredited certification centres. It is very uncommon for an individual to have this tool.
The Personal Data Law also requires that the data exporter and the data importer enter into an agreement (or at least add a provision to their agreement in the event of a cross-border transaction) that must stipulate that the data importer will ensure at least the same level of data protection as applied by the data exporter and certain other obligations provided under the Personal Data Law.
V COMPANY POLICIES AND PRACTICES
As already noted above, all companies must appoint an internal data privacy officer. The Personal Data Law does not provide much detail with respect to data privacy officers, their role in the company and detailed regulation of their rights. Therefore, these are normally covered in privacy policies as well.
Companies are obliged to have internal documents covering various aspects of information security, including technical and organisational measures to be taken by the companies. Normally, such documents are developed by external service providers that have a state licence to provide information security services. These documents are of a technical nature and normally cover the types of software and hardware a company should use to protect its information systems that contain personal data.
VI DISCOVERY AND DISCLOSURE
Generally, Russian law presumes a high degree of cooperation with state authorities in the event of investigations conducted by state authorities. Disclosure of data (including personal data) is required under various statutes, so that a business is required to provide data to state authorities upon their request, which must be based on a statute. For instance, the provision of personal data to the police for criminal investigations must be based on the request by the police that must comply with Russian laws on operative investigation activities. Normally, the disclosure request must be approved by a court; however, Russian courts are very cooperative with investigation authorities; therefore, the possibilities to refuse to disclose the data to the authorities are very limited.
The degree to which the authorities expect cooperation on data disclosure was evident in the example mentioned in Section II above, the Yarovaya Law. This law provides that organisers of internet messaging must provide the message data to the authorities and the authorities are even entitled to require that organisers install special systems used for investigation purposes.
It is very difficult, and in most cases even prohibited, to disclose data in response to requests from foreign governments. The data can be provided on the basis of international treaties on legal assistance between the countries. However, in this case, a foreign government agency should request the data through the Russian authorities.
There is still a possibility to disclose data directly with the data subjects' written consent; however, this could become very problematic from a practical perspective.
VII PUBLIC AND PRIVATE ENFORCEMENT
i Enforcement agencies
The primary agency dealing with personal data breaches is the DPA. The DPA is entitled to perform scheduled and unscheduled audits. The schedule of all planned compliance audits for the next year is usually published on the websites of the territorial subdivisions of the DPA. However, the DPA can also perform unscheduled checks and is required to notify the individual or company at least 24 hours before the check.
The DPA performs its own monitoring of data breaches (including monitoring of the internet and the relevant news). The DPA also reacts quite actively to complaints, which in practice can be filed by data subjects, prosecutors or competitors. Following a complaint or based on the results of its own monitoring, the DPA performs an unscheduled check, again with 24 hours' notice to the company.
As a result of such a check, the DPA can issue an order to resolve the breach or institute administrative proceedings in a local court. Based on the statistics, the DPA does not initiate proceedings very frequently. This means that in most cases breaches can be resolved based on the DPA's order.
Data operators may be subject to criminal, civil and administrative liability. The individuals whose personal data has been compromised have a private right to sue, with the right to demand compensation for losses or compensation for 'moral harm'.
The DPA is entitled to initiate administrative proceedings in the event of a data breach and impose administrative sanctions (fines) if the breach is proven. In addition, the DPA may, subject to a court decision, block infringing websites or mobile applications from being accessed in Russia.
The current maximum administrative fine is 75,000 roubles. In practice, administrative fines are not multiplied by, for example, the number of emails or employees whose data was compromised or by the number of individual incidents, but are applied only once for a particular type of breach. However, this practice may change in the near future.
Criminal sanctions can be applied only against natural persons and can never be applied against companies. However, even those Articles of the Russian Criminal Code that could theoretically apply to personal data breaches are never applied to such cases as far as we know.
ii Recent enforcement cases
The Data Localisation Law was hardly enforced for some time. However, in 2016, a major case involving LinkedIn attracted a great deal of attention from the public. A Russian district court upheld a claim by the DPA seeking restriction of access to LinkedIn in Russian territory. The judgment was handed down on 4 August 2016. The information on the case, however, was not disclosed to the media until 25 October 2016.
The court found LinkedIn to be in violation of the Personal Data Law, in particular of its provisions requiring Russian citizens' personal data to be stored and processed on servers located in Russia. The court found that LinkedIn does not operate a server in Russia. Furthermore, in the court's view, LinkedIn processed the personal data of third parties who were not covered by a user agreement. On this basis, the court declared LinkedIn to be in violation of the Personal Data Law and ordered the DPA to take steps to restrict access to LinkedIn. LinkedIn currently remains blocked in Russia.
The same lack of enforcement accompanied the Yarovaya Law. There were occasional blockings (such as BlackBerry Messenger); however, due to the limited popularity of such messaging services, these enforcement cases did not attract much attention. Everything changed with a case regarding one of the most popular messengers in Russia, Telegram. On 20 March 2018, the Supreme Court of Russia dismissed a claim by a representative of the Telegram messaging service seeking to annul the FSB order dated 19 July 2016 requiring messaging services to provide the FSB with decryption keys that would allow the security authorities to read Telegram users' correspondence.
Telegram has frequently commented in the press that it is unable to provide the decryption keys due to the nature of end-to-end encryption, while the FSB believes this is technically possible. Telegram ultimately refused to provide the FSB with any decryption keys and, therefore, on 13 April 2018, the Tagansky District Court of Moscow upheld the DPA's claim to block access to Telegram. On 16 April 2018, the DPA instructed telecom operators to commence blocking the messenger; all Russian telecom operators are obliged to block access to the listed resources.
Telegram's lawyers appealed this decision without success. Since April 2018, the DPA has been trying to block Telegram by IP address, which seems to be an ineffectual strategy. Telegram decided to contend with the DPA (luckily, it has no actual presence in Russia) and started jumping from one IP address to another. At one point, the DPA was blocking millions of IP addresses, which caused interruptions to many internet services (including those hosted on the Amazon and Google networks) and drew criticism of the DPA from other authorities, the internet ombudsman and businesses. There has been at least one court case in which a company that suffered from the blocking (even though it is not related to Telegram) sued the DPA; the case is to be tried this year. So far, the chase continues and Telegram is still available despite the DPA's actions.
iii Private litigation
The individuals whose personal data is processed in a manner not in compliance with the Personal Data Law are entitled to claim damages or compensation for moral harm from the infringing company. Such claims can only be adjudicated in a court trial between the affected data subject and the infringer. Generally, the cases where the data subjects use this option (i.e., raise such compensation or damage claims before courts) are fairly rare, and it is unlikely that the number of civil law lawsuits will increase in the near future. The main reason for this is that claimants must go through the cumbersome court procedure and provide evidence of the damage (including moral harm) caused to them. In addition, the competent Russian courts do not award large sums for the data breaches (usually only a few thousand roubles). In practice, individuals prefer submitting complaints to the DPA or the Russian prosecutor's office, which can initiate a compliance audit of the infringing entity by the DPA.
VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS
Having a representative office in Russia or even working through a Russian subsidiary automatically triggers the necessity of compliance with Russian data protection regulations. Sometimes the DPA attempts to interpret Russian data protection laws as having jurisdiction over foreign companies. Requests by the DPA to foreign companies to provide internal documents on personal data compliance and give explanations on the alleged data breaches are not unusual. However, in the absence of any substantial cooperation between the DPA and foreign data protection authorities as well as the lack of relevant treaties on legal assistance, the prospects of enforcement against a purely foreign legal entity are doubtful. In any event, the issues described in this chapter, in particular data-localisation requirements, must be taken into consideration by any foreign companies intending to expand their business to the Russian market. The LinkedIn case also confirms that even the lack of a presence in Russia does not release foreign data operators from the obligation to comply with certain requirements of the Personal Data Law.
IX CYBERSECURITY AND DATA BREACHES
The topic of cybersecurity is becoming more and more important in Russian discussions. The first issue that comes to mind is certainly the alleged Russian hacking of the US presidential election. The US media reported that the US administration was contemplating an unprecedented covert cyber action against Russia in retaliation for the alleged Russian interference in the American presidential election. At least according to the media, the CIA was asked to deliver options to the White House for a cyber operation designed to harass and 'embarrass' the Kremlin leadership.
Another infamous cybersecurity issue was the WannaCry and Petya/NotPetya ransomware attacks. Major Russian and Western companies operating in Russia were paralysed by the attacks for several days.
All these security issues have prompted calls for Russia's internet infrastructure to be protected. As a consequence, on 26 July 2017, Russia adopted Federal Law No. 187-FZ on the Security of Critical Information Infrastructure of the Russian Federation. The law sets out the basic principles for ensuring the security of critical information infrastructure, the powers of the state bodies of Russia to ensure the security of the critical information infrastructure, as well as the rights, obligations and responsibilities of persons holding rights of ownership or other legal rights to the facilities for critical information infrastructure, communications providers and information systems providing interaction with these facilities.
The elements of the critical information infrastructure are understood to be the information systems and telecommunication networks of state authorities, as well as such systems and networks for the management of technological processes that are used in state defence, healthcare, transport, communications, finance, energy, fuel, nuclear, aerospace, mining, metalworking and chemical industries. All these industries are considered critical for the economy and must be protected against cyberthreats. The law requires such industries to implement protection measures, assign a protection category (in accordance with the statutes) and then register with FSTEK, which is now the supervisory authority in this field. So far, businesses have many questions for the authorities with respect to this law, which is very broadly drafted. The usual question is whether the law applies to a particular business at all, since even internal LANs might be considered critical information infrastructure under the general wording of the law; the authorities usually reply that this is an incorrect interpretation. The lack of enforcement practice does not help to clarify the situation.
The potential abuse of information systems for illicit purposes poses new security risks to the government and to businesses. As a result, the Russian authorities have introduced rules requiring foreign software producers to allow agencies certified by the Russian state to review the source code of their software (in most cases security products such as firewalls, anti-virus applications and software containing encryption) before the products may be imported and sold in the country. This is done to ensure that there are no 'backdoors' in the software that could be used by foreign intelligence services.
The major issues for the coming years remain the Data Localisation Law and the Yarovaya Law. Generally, there is a strong sense that Russian data protection law and internet regulation will move towards more formalisation and less room for flexibility, because the authorities welcome additional control over the internet and over personal data flows.
Furthermore, there are various initiatives related to the regulation of big data, as well as various comparatively minor amendments to the Personal Data Law (e.g., new fines for failure to ensure proper data processing by data recipients under data transfer agreements).
It is also expected that more court practice will appear. The number of court cases related to data privacy is already increasing and we expect even more enforcement actions and court clarifications in this field.
1 Vyacheslav Khayryuzov is a counsel at Noerr.