On October 29, in the first reading, the State Duma of the Russian Federation adopted Bill No. 679980-8 "On Amendments to Article 9 of the Federal Law "On Personal Data" ("Law on Personal Data") and Article 10 of the Law of the Russian Federation "On Consumer Protection" ("Law on Consumer Protection") (hereinafter - the "Bill").
The initiative of the Senators of the Russian Federation and deputies of the State Duma was aimed at preventing cases of excessive processing of personal data ("PD") of PD subjects, as well as the realizing of consumer rights to information about goods (works, services). The Bill proposes to fix in the Law on Consumer Protection a prohibition on the restriction by sellers/owners of aggregators of consumer access to information about goods (works, services) in case of unwillingness of the consumer to provide PD to the seller /owner of the aggregator (except in cases when the obligation to provide such data is fixed at the legislative level).
According to the explanatory note, the need to introduce changes is caused by the fact that currently providing the user consent to the processing of his personal data is often a mandatory condition for access to information about goods (works, services), regardless of whether they are purchased by the subject, which entails excessive collection of personal data of citizens for the purpose of follow-up spam mailings.
To implement the basic principles and requirements of Law on Personal Data for consent to the processing of personal data, the Draft Law proposes to fix the requirement that consent to the processing of personal data should be issued separately from other documents, including contracts and other consents for the processing of personal data provided for other purposes.
The provision not only duplicates the previously formed principle of "one purpose - one consent", but also means the prohibition of Privacy clauses in contracts, user agreements and other legal documents. According to the explanations to the draft, the practice of expressing the will of an individual by performing conclave actions (putting a "tick" on the resource) is recognized as violating the principles Law on Personal Data imposed on consent to the processing of personal data in cases where consent is included in the text of the user / browser agreement. Thus, a citizen who has visited an information resource or consented the terms of the user agreement by putting a "checkmark" automatically provides access to PD, which in the future can be used by a virtually unlimited number of people, increasing the risks of leaks and subsequent illegal use of PD.
The authors of the Bill believe that the implementation of this proposal will eliminate the legal uncertainty that allows unscrupulous PD operators to "disorient" citizens in matters of providing consent to the processing of PD, determining the conditions and purposes of their processing.
If adopted, the Bill will enter into force on March 1, 2025.