Russia recently amended Federal Law No. 152 – FZ as of 27.07.2006 (Personal Data). The amendment is governed by Federal Law 242 – FZ of 21.07.2014 which became effective September 01, 2015. The amendment relates to the procedure for personal data processing in telecommunication networks.
New in the law:
- Entities (data operators) collecting and processing personal data of the Russian citizens are mandated to record, classify, accumulate, store, update and modify, extract the mentioned personal data only in databases located in Russia. There are exceptions concerning databases which may be located abroad: execution of international contracts (for instance, hotel booking, e-commerce, bank services etc.), justice matters and implementation of enforcement proceedings, provision of public and municipal services, journalist professional and legal mass media activities, scientific, literary and other cultural activities under the condition that the rights and legitimate interests of the personal data subject are not violated.
- The data operator is obliged to notify the Federal Service for Supervision in the sphere of Telecommunications, Information Technologies and Mass Communications (Roskomnadzor) in writing of its intention to process the personal data and of the location of the databases before the start of processing.
- Register of violators of the personal data subject rights* is established and is assigned to contain particularly the following data about internet page owners (violators): domain names, web page indexes; IP addresses allowing to identify the web sites in the global web; effective court records date when the Federal Service for Supervision has sent to the Internet Service Provider the data about the Internet resource (violator) to authorize the ISP to limit the access; information about the authorization to limit the access to the webpage.
The objective of the law is to protect personal data from unauthorized disclosure and/or unexpected access restriction. The legislator felt that the privacy of Russian citizens was not sufficiently safeguarded when their private data was maintained on foreign servers. Perceived lax protection evidenced by numerous scandal cases, connected with unauthorized personal data disclosure of ordinary citizens as well as high-level officials was given as the main reasons for the amendment. Furthermore there is the threat of surprise limitation of legal access to personal data stored on foreign servers.
The Russian legislator assumes that the personal data is now completely under the state protection. However many questions of a technical nature remain, particularly in regard to cross-border data transfer, and thus the recent amendments of law may have to be revised further.
*Commentary: Since the Federal Law came into effect as of 1 September 2015 over 260 internet resources of .ru domain were blocked by the Federal Service for Supervision due to their illegal activities in the personal data processing. There are also over 100 blocked web resources from .com, .net, .info and .org domain zones, mainly registered in the USA, India and Bahamas.