The Privacy, Data Protection and Cybersecurity Law Review: Russia
The Russian legal system is based on a continental civil law, code-based system. Both federal and regional legislation exist; however, federal legislation takes priority in cases of conflict. Generally, issues of data privacy are regulated at federal level, and the regions of Russia do not issue any specific laws or regulations in this respect.
The latest Constitution of Russia, which provides that each individual has a right to privacy and personal and family secrets, was adopted in 1993. Each individual has a right to keep his or her communication secret, and restriction of this right is allowed only subject to a court decision. Collection, storage, use and dissemination of information about an individual's private life are allowed only with the individual's consent. The protection of these basic rights is regulated by special laws (e.g., on communications) and also by specific regulations enacted in relation to these laws.
In 2007, Russia adopted a major law regulating data privacy issues, Federal Law No. 152-FZ on Personal Data dated 27 July 2006 (the Personal Data Law). The Personal Data Law covers almost all aspects of data protection: what is considered personal data, what types of data can be collected and processed, how and in what cases can data be collected and processed, and what technical and organisational measures must be applied by companies or individuals that collect data. Unlike European law, the Personal Data Law does not distinguish between data controllers and data processors. Therefore, any individual or entity working with personal data is considered a personal data operator and is thus governed by the Personal Data Law. There are also several specific regulations, mainly covering the technical side of data processing and to a certain extent clarifying the provisions of the Personal Data Law. Such regulations are issued by the Russian government, the Russian data protection authority (the Federal Service for Supervision in the Sphere of Communication, Information Technology and Mass Communications (DPA)) or the authorities responsible for various security issues in Russia, such as the Federal Service for Technical and Export Control (FSTEK) or the Federal Security Service (FSB).
Since 2007, data privacy has never been a topic of intense discussion or major enforcement. However, this changed rather dramatically in 2014. The general approach of the government to privacy became fairly protectionist. In 2014, the Russian parliament adopted amendments to the Personal Data Law (that then became known as the Data Localisation Law) that require data operators that collect Russian citizens' personal data to store and process such personal data using databases located in Russia. The Data Localisation Law was highly criticised by business and the media but nevertheless came into force on 1 September 2015. While this law generated a great deal of profit for Russian data centres, it also created high costs for ordinary businesses, which needed to redesign their data storage infrastructure.
In addition to the Data Localisation Law, Russia adopted amendments to the Russian Federal Law on Information, Information Technology and Protection of Information. These amendments require companies that provide video, audio or text communication services (usually 'messengers') to register with the authorities, to store users' messages or audio or video calls for up to six months and to provide the security authorities with decryption keys if the messages are encrypted. These rules have resulted in the blocking of Blackberry Messenger and a few other messenger apps in Russia and in a campaign to block the Telegram messenger.
The year in review
Recent years have been very intense in Russian data protection law. The first step was Federal Law No. 97-FZ of 5 May 2014 (the Yarovaya Law), which directly affects Russia's telecoms and internet industries. In particular, mobile operators need to store the recordings of all phone calls and the content of all text messages for a period of six months, entailing huge costs, while internet companies (e.g., messenger apps) need to store the recordings of all phone calls and the content of all text messages for six months and the related metadata for one year.
In addition, the law requires such operators to provide any such communications to Russian police and intelligence on their request and to install special systems used for investigation purposes or to 'reconcile the use of software and hardware with the authorities' as well as to provide the security authorities with decryption keys if the messages are encrypted.
Non-compliance may result in fines or blocked access to the non-compliant service. The parts of the Yarovaya Law that are already effective are actively enforced by the DPA, and several messengers, including Blackberry Messenger, Imo and Vchat, have been blocked in Russia. The relevant enforcement also resulted in a major case against the Telegram messenger app, described in more detail below.
As a second step in data protection legislation, the Russian authorities adopted the Data Localisation Law and created a new procedure restricting access to websites that violate Russian laws on personal data.
In particular, based on the Data Localisation Law, the DPA created a register of infringing websites. The law provides for a detailed 'notice and take down' procedure. Most importantly, the Data Localisation Law requires that all personal data of Russian citizens be stored and processed in Russia. The location of databases with personal data of Russian citizens must be reported to the DPA. In 2019, lawmakers adopted amendments that dramatically increased the fines for non-compliance with the data localisation requirement up to 18 million roubles.
Currently, Russia is planning to require foreign technology companies to set up representative offices in Russia. There is a draft bill under consideration in the Russian parliament and it is very likely to be adopted this year. The bill would mainly affect foreign companies who are owners of websites, information systems, software and apps with a daily audience of at least 500,000 users in Russia and who provide information in Russian, distribute advertising targeted at a Russian audience, process personal data of Russian users, or receive money from Russian individuals or legal entities.
Technology companies would also need to register accounts in a special system run by the DPA and respond to queries from the authority (e.g., to delete certain prohibited or unwanted content). The bill also provides for a range of sanctions for non-compliance: prohibitions on advertising, restrictions of money transfers, prohibitions on the collection and transfer of personal data, etc. It remains to be seen how these sanctions and the law as such would be enforced, though.
i Privacy and data protection legislation and standards
According to the Personal Data Law 'personal data' means any information referring directly or indirectly to a particular individual or that can be used to verify an individual identity. The law does not specifically define any types of sensitive data, but lists special categories of personal data such as 'race; nationality; political, religious, or philosophical views; health; and private life'. The purpose of the Personal Data Law is to regulate the processing of personal data by state authorities, private entities and individuals. Thus, the law establishes the rights of individuals, and sets out the obligations for legal and natural persons when processing personal data.
Any individual or company that collects and processes personal data is considered a personal data operator and is thus subject to the regulations of the Personal Data Law and state control. The Personal Data Law and other related regulations do not make any distinction between data controllers and data processors. Therefore, the law applies in its entirety to anyone dealing with personal data except where explicitly stated otherwise in the Personal Data Law.
There are also several specific regulations that primarily cover the technical side of data processing and to a certain extent clarify the provisions of the Personal Data Law. Among such regulations are Decree No. 1119 of the government of Russia (dated 1 January 2012 and enacted pursuant to Article 19 of the Personal Data Law) (Decree No. 1119). Decree No. 1119 provides for four general levels of protection to be applied by personal data operators depending on the quantity and types of data processed in the information systems. The detailed technical requirements placed on personal data processing are defined by FSTEK.
Although there has been steady growth in monitoring and the DPA is working more and more actively, the overall level of compliance with the Personal Data Law still appears to be low in Russia for various reasons, including (1) relatively low fines; (2) slow work by the DPA; and (3) ambiguous provisions of the Personal Data Law that make compliance difficult.
ii General obligations for data handlers
Certain organisational and technical steps need to be taken to ensure compliance with the Personal Data Law. Data handlers must:
- collect the consent of personal data subjects: consent is required to be collected and in certain cases be in writing (ink on paper) unless certain exemptions are clearly applicable;
- check the country of the data recipient in the event of cross-border transfers, since an additional authorisation for transfers to certain countries may be necessary;
- have a data transfer agreement for any third-party transfers;
- have a primary database in Russia for personal data of Russian citizens;
- comply with technical requirements of the FSB and FSTEK, as well as Decree No. 1119;
- perform an internal data protection audit once every three years;
- appoint a data privacy officer;
- handle requests of individuals;
- define potential threats to personal data subjects;
- acquaint their employees with the internal data protection processes and regulations, and conduct training sessions on personal data security; and
- register with the DPA (unless subject to exemptions).
The above list of steps is fairly standard and may apply to most data operators; however, it is not exhaustive and the relevant measures may vary depending on the types of data collected and the means of collection and processing. The exact list of measures must be defined on a case-by-case basis.
iii Data subject rights
Data operators are required to handle requests by individuals with respect to the access, correction and deletion of personal data and are generally required to comply with requests by individuals relating to their personal data, unless there is an overriding mandatory statutory provision allowing the operator to continue processing the personal data.
As part of the Personal Data Law, operators are obliged to notify individuals and the DPA of a resolved breach if a breach was found by an individual or the DPA and they requested that the breach be resolved. Data operators must notify individuals whose data was breached if the request to resolve the breach comes from them. The wording of the Personal Data Law assumes that such notification needs to be personal and thus publishing a post or notice may not suffice. Furthermore, if the post or notice contains the personal data of the individuals affected, this would constitute a separate data breach.
iv Specific regulatory areas
The Personal Data Law applies to all types of operators and data subjects. However, certain industry-specific aspects should also be noted. The Central Bank of Russia represents itself as a super regulator, for instance, requiring banks to report cybersecurity incidents.
Russian labour laws require employers to obtain the written consent of employees to transfer their personal data to third parties, for instance when such a transfer is necessary to share data with group companies. However, when the employer has a legitimate interest or when required by law, the transfer can be made without such consent.
Protection of children and their privacy as well as financial, health and communications privacy are also regulated by specific laws, such as the Federal Law on Communication. However, the rules contained in these laws are mostly declarative, requiring the protection of the privacy and confidentiality of communications data, prohibiting mention of the names of children who have been the victims of criminal actions in mass media, etc.
v Technological innovation
Developments in Russian privacy legislation and the Personal Data Law used to be very slow, and they obviously do not yet meet the demands of the rapid changes in technological innovation. Issues such as location tracking, big data, data portability, employee monitoring, facial recognition technology, behavioural advertising and electronic marketing remain, to a certain extent, grey areas without adequate regulation.
However, the situation is changing. For instance, the DPA and the courts currently support the idea that technological measures such as cookies constitute personal data. This definitely makes business operations even more complicated. In addition, the lawmakers intend to adopt a law on big data with a potential requirement to localise all data in Russia.
International data transfer and data localisation
International data transfers in Russia are regulated by the Personal Data Law. The Personal Data Law distinguishes between countries that provide adequate protection for personal data and those that do not. In the event of cross-border transfers, a data operator needs to check whether the country of the data recipient is deemed a provider of adequate protection to personal data, since if not, the consent of the data subject needs to be in writing (ink on paper) and contain a specific authorisation to transfer personal data to such country. The Personal Data Law provides for only three categories of lawful cross-border transfer of Personal Data:
- transfer to countries that are signatories to the Council of Europe Convention 1981 (the Personal Data Convention);
- transfer to countries that are not signatories to the Personal Data Convention but are on the list of additional countries adopted by the DPA. The current version of the list (as amended on 14 January 2019) includes Angola, Argentina, Australia, Benin, Canada, Chile, Costa Rica, Gabon, Israel, Japan, Kazakhstan, Malaysia, Mali, Mongolia, Morocco, New Zealand, Peru, Qatar, Singapore, South Africa, South Korea and Tunisia; and
- transfers to any other countries (e.g., the United States) that are neither on the list of additional countries nor signatories to the Personal Data Convention, provided that there is explicit handwritten (ink on paper) consent of the data subject to such a transfer.
In most cases, obtaining consent is necessary in order to transfer personal data to a third party. The Personal Data Law also requires that the data exporter and the data importer enter into an agreement (or at least add a provision to their agreement in the event of a cross-border transaction) stipulating that the data importer will ensure at least the same level of data protection as applied by the data exporter and certain other obligations laid down in the Personal Data Law.
Company policies and practices
As already noted above, all companies must appoint an internal data privacy officer. The Personal Data Law does not provide much detail with respect to data privacy officers, their role in the company and detailed regulation of their rights. Therefore, these are normally covered in privacy policies as well.
Companies are also obliged to have internal documents covering various aspects of information security, including technical and organisational measures to be taken by the companies. Normally, such documents are developed by external service providers that have a state licence to provide information security services. These documents are of a technical nature and normally cover the types of software and hardware a company should use to protect its information systems that contain personal data.
Discovery and disclosure
Generally, Russian law presumes a high degree of cooperation with state authorities in the event of investigations conducted by state authorities. Disclosure of data (including personal data) is required under various statutes, so a business is required to provide data to state authorities upon their request, which must be based on a statute. For instance, the provision of personal data to the police for criminal investigations must be based on a request by the police that must comply with Russian laws on operative investigation activities. Normally, the disclosure request must be approved by a court; however, Russian courts are very cooperative with investigation authorities; therefore, the possibilities for refusing to disclose the data to the authorities are very limited.
For instance, Russian laws provide that organisers of internet messaging must provide the message data to the authorities and the authorities are even entitled to require that organisers install special systems used for investigation purposes.
It is very difficult, and in most cases even prohibited, to disclose data in response to requests from foreign governments. The data can be provided on the basis of international treaties on legal assistance between the countries. However, in this case, a foreign government agency should request the data through the Russian authorities.
There is still an option to disclose data directly with the data subjects' written consent; however, this may be complicated from a practical perspective.
Public and private enforcement
i Enforcement agencies
The primary agency dealing with personal data breaches is the DPA. The DPA is entitled to perform scheduled and unscheduled audits. The schedule of all planned compliance audits for the next year is usually published on the websites of the territorial subdivisions of the DPA. However, the DPA can also perform unscheduled checks and is required to notify the individual or company at least 24 hours before the check.
The DPA performs its own monitoring of data breaches (including monitoring of the internet and the relevant news). The DPA also responds quite actively to complaints, which in practice can be filed by data subjects, prosecutors or competitors. Following a complaint or based on the results of its own monitoring, the DPA performs a non-scheduled check, informing the company 24 hours beforehand.
As a result of such a check, the DPA can issue an order to resolve the breach or institute administrative proceedings in a local court. Based on the statistics, the DPA does not initiate proceedings very frequently. This means that in most cases breaches can be resolved based on the DPA's order.
Data operators may be subject to criminal, civil and administrative liability. The individuals whose personal data has been compromised have a private right to sue, with the right to demand compensation for losses or compensation for 'moral harm'.
The DPA is entitled to initiate administrative proceedings in the event of a data breach and impose administrative sanctions (fines) if the breach is proven. In addition, the DPA may, subject to a court decision, block infringing websites or mobile applications from being accessed in Russia.
The current maximum administrative fine is 18 million roubles for a repeated breach of the data localisation requirement. However, data localisation fines are substantially higher than the other administrative fines for breaching personal data protection laws. For instance, the next highest fine is 500,000 roubles for failure to obtain an individual's consent to process their personal data. In practice, the administrative fines are not multiplied by, for example, the number of emails or employees whose data was compromised or by the number of specific data breaches, but instead applied only once for a particular type of breach. However, this practice may change in the near future.
Criminal sanctions can only be applied against natural persons and can never be applied against companies. However, even those Articles of the Russian Criminal Code that could theoretically apply to personal data breaches are never applied to such cases as far as we know.
ii Recent enforcement cases
The Data Localisation Law was rarely enforced for some time. However, in 2016, a major case involving LinkedIn attracted a great deal of attention from the public. A Russian district court upheld a claim by the DPA seeking restriction of access to LinkedIn on Russian territory. The judgment was handed down on 4 August 2016. The information on the case, however, was not disclosed to the media until 25 October 2016.
The court found LinkedIn to be liable for a violation of the Personal Data Law, in particular of its provisions requiring Russian citizens' personal data to be stored and processed on servers located in Russia. The court found that LinkedIn does not operate a server in Russia. Furthermore, in the court's view, LinkedIn processed the personal data of third parties who were not covered by a user agreement. On this basis, the court declared LinkedIn to be in violation of the Personal Data Law and ordered the DPA to take steps to restrict access to LinkedIn. Currently, LinkedIn remains blocked in Russia.
In 2020 both Facebook and Twitter were fined 4 million roubles each for breach of the Data Localisation Law. Currently, according to the DPA, both companies still do not comply with the Data Localisation Law and thus the DPA intends either to issue new fines or block the social networks in Russia.
The same lack of enforcement accompanied the Yarovaya Law. There were occasional blockings (such as Blackberry Messenger); however, due to the limited popularity of such messaging services, the enforcement cases did not attract much attention. Everything changed with a case regarding one of the most popular messengers in Russia – Telegram. On 20 March 2018, the Supreme Court of Russia dismissed the claim by a representative of the Telegram messaging service to set aside the FSB order dated 19 July 2016 requiring messaging services to provide decryption keys to the FSB, which allow the security authorities to read correspondence by Telegram's users.
Telegram has frequently commented in the press that it is unable to provide the decryption keys due to the nature of end-to-end encryption technology, while the FSB believes this is technically possible. Telegram finally refused to provide the FSB with any decryption keys and, therefore, on 13 April 2018, the Taganskyi District Court of Moscow upheld the DPA's claim to block access to Telegram. On 16 April 2018, the DPA reached out to telecoms operators, requesting that they commence blocking the messenger. All Russian telecoms operators are obliged to block access to the relevant resources.
Telegram's lawyers appealed this decision without success. Since April 2018, the DPA has tried to block Telegram from using its IP address, which has proven to be an ineffectual strategy because Telegram was available to its users in Russia even during blocking. Surprisingly, on 18 June 2020, the DPA announced that it would withdraw its claims against Telegram, as the owner of Telegram, Mr Durov, apparently agreed to cooperate with the authorities on anti-terrorism and anti-extremism requests. It is unclear, though, whether Telegram has agreed to provide the decryption keys, since there have been no official comments on this. Since 18 June 2020, the DPA has also removed all IP addresses related (or allegedly related) to Telegram from the blocked list.
iii Private litigation
Individuals whose personal data is processed in a manner not in compliance with the Personal Data Law are entitled to claim damages or compensation for moral harm from the infringing company. Such claims can only be adjudicated in a court trial between the affected data subject and the infringer. Generally, the cases where the data subjects use this option (i.e., raise such compensation or damage claims before courts) are fairly rare, and it is unlikely that the number of civil law lawsuits will increase in the near future. The main reason for this is that claimants must go through the cumbersome court procedure and provide evidence of the damage (including moral harm) caused to them. In addition, the competent Russian courts do not award large sums for the data breaches (usually only a few thousand roubles). In practice, individuals prefer to submit complaints to the DPA or the Russian prosecutor's office, which can initiate a compliance audit of the infringing entity by the DPA.
Considerations for foreign organisations
Having a representative office in Russia or even working through a Russian subsidiary automatically triggers the necessity of compliance with Russian data protection regulations. Sometimes the DPA attempts to interpret Russian data protection laws as having jurisdiction over foreign companies. Requests by the DPA to foreign companies to provide internal documents on personal data compliance and give explanations for the alleged data breaches are not unusual. However, in the absence of any substantial cooperation between the DPA and foreign data protection authorities as well as the lack of relevant treaties on legal assistance, the prospects of enforcement against a purely foreign legal entity are doubtful. In any event, the issues described in this chapter, in particular data-localisation requirements, must be taken into consideration by any foreign companies intending to expand their business to the Russian market. The LinkedIn, Facebook and Twitter cases also confirm that even the lack of a presence in Russia does not release foreign data operators from the obligation to comply with certain requirements of the Personal Data Law. Further, as noted above, Russia is planning to require foreign technology companies to set up representative offices in Russia which, if the draft bill is adopted, would also require additional attention to compliance with Russian law.
Cybersecurity and data breaches
Critical information infrastructure remains a hot topic on the Russian cybersecurity agenda. The relevant regulations apply to information systems, telecommunications networks of state authorities as well as systems and networks for managing technological processes that are used in the state defence, healthcare, transport, communication, finance, energy, fuel, nuclear, aerospace, mining, metalworking and chemical industries. The law requires the implementation of protection measures, assigning the category of protection (in accordance with the by-laws) and then registering with FSTEK.
The potential abuse of information systems for illicit purposes poses new security risks to the government and to businesses. As a result, Russian authorities have introduced rules requiring foreign software producers to allow the agencies certified by Russian state authorities to review the source code of the software (in most cases security products such as firewalls, anti-virus applications and software containing encryption) before permitting the products to be imported and sold in the country. This is done to ensure that there are no 'backdoors' in the software that could be used by foreign intelligence services.
On 16 April 2019, Russia adopted the Runet Isolation Law, which came into force on 1 November 2019. Under this law, the DPA received broad powers to control the internet. Furthermore, communications operators are now obliged to use traffic exchange points from a specially created registry run by the DPA, which should be physically located only in the territory of Russia. In addition, communications operators are obliged to provide the DPA with all information about their network addresses, telecommunications message routes, software and hardware tools used to resolve domain names and communications network infrastructure.
Such a closed environment would make it easier to block any prohibited or unwanted services. The general idea of this law is to keep the Russian segment of the internet technically live even if it is switched off from the rest of the worldwide web (irrespective of who decides to do this – an external force or the Russian government itself).
So far the law does not seem to have had any significant effect on business. However, in the event of a doomsday scenario where the Russian segment is switched off from the rest of the web, it would certainly affect everyone working with Russia.
Owing to the outbreak of covid-19, it has become apparent to the authorities, businesses and society in general that the market should move even more quickly towards total digitalisation. Currently, there are intensified initiatives to create a proper legal basis for remote working, electronic paperwork and digital passports for individuals, for example. It appears that the next few years will change the Russian privacy landscape significantly.
In 2019, Russia signed the Protocol to the Council of Europe Convention No. 108. We expected new amendments to the Personal Data Law that would harmonise the law with Convention No. 108. However, the introduction of amendments was delayed by the covid-19 outbreak. We still expect the introduction of the rules for breach notification and depersonalisation of personal data owned by commercial entities (up to now, the DPA was of the opinion that only governmental entities were allowed to perform depersonalisation).
As noted above, Russia is planning to require foreign technology companies to set up representative offices in Russia. It will be interesting to see the enforcement of this new law and whether any multinational companies without presence in Russia will either open offices in Russia or will stop working on the market.
It is also expected that more court practice will appear. The number of court cases related to data privacy is already increasing, and we expect even more enforcement actions and court clarifications in this field.
1 Vyacheslav Khayryuzov is a counsel at Noerr.