Guest Author Bird & Bird, Anna Shashina, Partner

On March 1, 2021, substantial amendments to the Russian Federal Law on Personal Data (No. 152-FZ), implemented on July 27, 2006, came into effect (“Amendments”). The Amendments change the rules on processing of publicly disseminated personal data and affect businesses that publish or use personal data on the internet. In particular, employers who publish employee personal data on a website need to examine the Amendments and implement new consent requirements. Data subjects now have wider powers to control and authorize the processing of their data in the public domain. Data subjects also have a right to request that data operators that are disseminating their data (and any company down the data processing chain) cease transferring such data.

What Are the Key Amendments?

  1. The Amendments remove “processing of personal data the unlimited access to which is granted by the data subject or at data subject’s request (publicly accessible personal data)” as a legitimate ground for data processing. This ground had allowed the processing of personal data without a data subject’s consent.
  2. There is a new definition of “personal data which is permitted by the data subject for dissemination” (“Publicly Disseminated Data” or “PDD”). PDD means personal data that the general public can access on the basis of the data subject’s consent granted in the manner prescribed by the Amendments.
  3. A data subject may provide consent to PDD processing directly to the data operator wishing to disseminate the data or via the Russian DPA’s information system, which records the data subjects’ consents and data processing restrictions. The Russian DPA has yet to publish the regulation on such information system.
  4. The data operator has an obligation to publish the terms of and prohibitions on PDD processing by the general public within three working days of obtaining the data subject’s consent.
  5. Where the data subject discloses his or her personal data to the general public without granting consent to the data operator, then the obligation to prove the legality of the subsequent dissemination or other processing of such personal data resides with each company and/or individual who disseminates or otherwise processes such personal data.

What Are the Requirements for the Data Subject’s Consent, and Are They in Line With the GDPR Requirements?

The requirements for consent to PDD processing are generally in line with the General Data Protection Regulation (“GDPR”) with some deviations. The Russian DPA has also issued draft requirements regarding the content of consent for the processing of PDD (“Draft DPA Requirements”), which are not yet in final form and which we summarized below:

Consent to PDD Processing Requirements: Russia GDPR
Specific and informed Yes Yes
Unambiguous Yes—affirmative opt-in methods include: (i) via the information system of the data operator; (ii) information system of the Russian DPA; or (iii) in writing with wet or electronic signature.  Yes—wider options to obtain consent than under the Draft DPA Requirements
Not bundled with the other data processing consents Yes Yes
Provide for the data operator’s identity and the purpose(s) of processing Yes Yes
Set out the purpose of each of the processing operations for which consent is sought No Yes
Provide for the data subject’s identity Yes No
Enable the data subject to choose the personal data for dissemination Yes—detailed list is required Yes—type of data is sufficient
Terms and prohibitions of PDD processing Yes—the data subject has the right to: (i) prohibit the dissemination to the general public and/or the provision to specific companies/individuals; (ii) prohibit processing (except for providing access) of PDD by the general public after such data publication; and/or (iii) set out the terms of the processing (except in relation to obtaining access) of personal data by the general public. The data operator shall provide the data subject with an option to introduce prohibitions on and terms of processing in relation to detailed sub-categories of personal data. No
Term of consent Yes—precise term of the consent’s validity is required under the Draft DPA Requirements No
Internet resources for PDD Yes—websites and/or webpages on which PDD is made publicly available to be listed under the Draft DPA Requirements No
Indicate in consent the existence of the right to withdraw consent No Yes

Does a Data Subject Have a Right to Revoke Consent?

The data subject has a right to revoke consent to the processing of PDD at any time, which is in line with the consent revocation right available prior to the Amendments coming into effect.

A data subject’s request to revoke consent should include the full name of the data subject, contact details, and the list of personal data being processed that should cease being processed. The data operator should cease the transfer of the PDD, including disseminating it and providing the data and any access to it after receiving the data subject’s request.

What Are the Sanctions for Noncompliance With the Amendments?

The Amendments do not introduce new sanctions for non-compliance. This means that the general data protection offences will apply. Non-compliance with the new requirements on PDD processing may amount to administrative fines for personal data processing without a legitimate ground envisaged by the Russian privacy legislation. An explanatory note to the draft Amendments that was provided by the legislation also refers to the above data protection offence.