On 6 June 2022, in the third reading, the State Duma approved the Federal Law “On amendments to the Federal Law “On amendments to certain legislative acts of the Russian Federation “On personal data” and other legislative acts of the Russian Federation and on the declaration of voidance of section fourteen article 30 of the Federal Law “On banks and banking operations”, which concerns, among other things, issues related to the processing of personal data.
The key changes introduced by the Federal Law:
- Russian legislation on personal data now applies extraterritorially [1].
- A direct ban is established on processing personal data on the basis of a person's inaction [2]: a contract that might serve as the basis for personal data processing cannot be concluded by virtue of the person's failure to refuse to conclude it. Furthermore, such a contract cannot contain any provisions that limit the rights and liberties of subjects of personal data.
- The requirements for an agency contract are amended. From now on, a person processing personal data on behalf of an operator must confirm the fulfillment of all the requirements for the processing of personal data that the operator is obliged to fulfill (arts. 18, 18.1 and 19 FZ) [3].
- The liability of foreign bodies is increased. From now on, if the delegated processing is done by a foreign body, that body is liable to the subject for enabling the violation on the same level as the operator [4]. No such change in liability to subjects is provided for Russian processors.
- The requirements for a data processing agreement are amended. Such a document must be not only concrete and informed, but also thematic and unambiguous.
- The requirements for the provision of biometric data are amended. The provision of biometric personal data cannot be obligatory, except in the cases specified by law [5].
- The process of cross-border data transmission is amended and becomes more restricted. It is specified that, in cross-border data transmission, the determining factor is the location of the receiver of the data on the territory of a foreign country. The Federal Law introduces an obligation for operators to inform the competent authorities about an intention to transmit personal data across borders. In exceptional cases, if there are any threats to the protection of citizens' rights and legal interests, the protection of the constitutional order or the provision of national security, such a transmission might be restricted by a decision of the competent authority [6].
- A new obligation is introduced for operators conducting cross-border data transmission. Operators that conducted cross-border data transmission before the amendments entered into force, and continue to do so after the Federal Law enters into force, must notify the authority competent in the protection of the rights of subjects of personal data of that transmission no later than 1 March 2023.
- The deadline for responding to a subject's request is amended. The period for responding to questions about personal data processing is shortened from 30 days to 10 days, but can be prolonged by 5 days where sufficient reasons are given.
- The Federal Law introduces an obligation for operators to instantly inform the competent authorities about incidents involving the personal data databases they own, as well as an obligation to cooperate continuously with the accredited centers of the Russian Federation's government system for the detection, prevention and liquidation of the consequences of cyberattacks.
It is noteworthy that the provisions of the Federal Law will enter into force on 1 September 2022, except for the following provisions, which will enter into force on 1 March 2023:
- On the cross-border personal data transmission.
- On the obligation of the operators to inform competent authorities about an intention to transmit personal data across the borders.
- On the obligation of the operators to instantly inform competent authorities about incidents involving the personal data databases they own.
[1] sec. 11 art. 1 FZ “On personal data” (hereinafter “FZ”)
[2] para. 5 sec. 1 art. 6 FZ
[3] sec. 3 art. 6 FZ
[4] sec. 6 art. 6 FZ
[5] sec. 3 art. 11 FZ
[6] art. 12 FZ