Cross-Border Transfer of Personal Data in Russia: Legal Guide and Compliance

 

July 9, 2023

BRACE Law Firm ©

 

Federal Law No. 152-FZ dated July 27, 2006, On Personal Data (the "Personal Data Law" or "Law No. 152-FZ") is subject to regular amendments. On March 1, 2023, the requirements for personal data processing changed once again. These changes specifically affected the cross-border transfer of personal data outside the Russian Federation.

This article examines the new rules for transferring personal data to foreign states, the procedure for prohibiting or restricting such transfers, and specific cases of liability for violating established regulations.

What is Cross-Border Data Transfer?

Pursuant to Clause 11 of Article 3 of the Personal Data Law, cross-border transfer of personal data (the "cross-border transfer of PD") is the transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual, or a foreign legal entity.

Under Article 3 of the Law, personal data means any information relating directly or indirectly to an identified or identifiable individual (the data subject). Consequently, personal data includes any information about a person that allows for their direct or indirect identification, such as full name, date and place of birth, address and telephone number, passport details, information regarding family, social, and property status, education, profession, and position held, information concerning racial or national origin, political views, religious or philosophical beliefs, health status, physiological data (fingerprints, iris, voice, DNA analyses, etc.), and a person's image (photographs and video recordings).

The following cases qualify as cross-border personal data transfers:

  • Transferring employee personal data to foreign companies to organize international business trips or training;
  • Providing personal data to foreign counterparties to execute contracts or issue powers of attorney;
  • Processing or storing personal data using a third-party service located abroad, or using foreign CRM systems for client database management;
  • Granting a foreign person access to databases containing personal data located within the Russian Federation.

Conversely, the use of Russian citizens' personal data by a foreign company is not a cross-border transfer if the data is not transferred abroad or if access is granted to one's own employee located abroad.

Thus, to qualify the transfer of personal data of Russian citizens as "cross-border", two conditions must be met: the transfer must be made to a foreign PD operator and to the territory of a foreign state.

Countries Providing Adequate Protection of Personal Data

According to Part 2 of Article 12 of the Personal Data Law, the authority authorized to protect the rights of personal data subjects (Roskomnadzor) approves the list of foreign states that provide adequate protection for the rights of data subjects (the "countries providing adequate protection"). The list of such countries is set forth in Roskomnadzor Order No. 128 dated August 5, 2022 (the "Order No. 128"), and includes:

  • States that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the "Convention"). This includes 54 countries, such as France, Germany, the UK, Turkey, Italy, etc.;
  • States that are not parties to the Convention but apply security measures for personal data processing that correspond to the provisions of the Convention. This includes 34 countries, such as Japan, China, India, Vietnam, etc.

Previously, personal data could be freely transferred to countries providing adequate protection, provided the data subject was informed of the intended transfer. Since March 1, 2023, cross-border transfer to any country requires notification to Roskomnadzor. For countries providing adequate protection, the Operator may commence cross-border transfer after filing a notification with Roskomnadzor of the intent to carry out cross-border transfer of personal data (the "notification").

If the destination country is not included in the list of countries providing adequate protection under Order No. 128, the Operator may not transfer data until the expiration of the Roskomnadzor review period (10 business days). During this period, Roskomnadzor may decide to prohibit or restrict the cross-border transfer. An exception applies if the cross-border transfer is necessary to protect the life, health, or other vital interests of the data subject or other persons (Part 11 of Article 12 of Law No. 152-FZ).

Procedure for Filing a Notification of Cross-Border Personal Data Transfer

As noted above, starting March 1, 2023, the PD Operator must notify Roskomnadzor of its intent to carry out cross-border transfer of personal data before commencing such transfer (Part 3 of Article 12 of Law No. 152-FZ).

The filing procedure and notification form are uniform regardless of whether the transfer is intended for countries providing adequate protection. Before filing such notification, the PD Operator should perform the following:

  • Submit the general notification of personal data processing to Roskomnadzor as provided by Article 22 of Law No. 152-FZ, if not previously filed;
  • Obtain information from the receiving party regarding the persons to whom the transfer is planned (name or full name, postal addresses, telephone numbers, email addresses), the measures taken to protect the transferred personal data, the conditions for terminating their processing, and the legal regulations in the field of personal data if the receiving party is not a participant in the Convention;
  • Assess the reliability of the information provided.

Roskomnadzor may request the aforementioned information after receiving the notification. The notification of intent may be submitted as a hard-copy document or as an electronic document via the Roskomnadzor website. To file electronically, the Operator must authenticate through the Public Services Portal (Gosuslugi), fill out the form on the Roskomnadzor website, and submit it.

The notification must contain the following information:

  • The name and address of the Operator, the full name of the person responsible for organizing personal data processing, contact telephone numbers, postal addresses, and email addresses;
  • The date and number of the general notification of personal data processing;
  • The legal basis and purpose of the cross-border transfer and subsequent processing of the transferred data;
  • The categories and list of personal data being transferred;
  • The categories of data subjects whose personal data is being transferred;
  • The list of foreign states to which the cross-border transfer is planned;
  • The date of the assessment regarding the compliance of foreign authorities with confidentiality and security requirements during processing.

As clarified by Roskomnadzor on its official website, PD Operators who filed a notification of cross-border transfer prior to March 1, 2023, are not required to file a new notification unless changes occur in their activities involving new cross-border data flows (to new countries or for new purposes).

The review period for the notification is 10 business days from the date of receipt, after which the regulatory body may decide to prohibit or restrict the transfer. The grounds for such decisions are discussed below.

Furthermore, if the notification contains incomplete or inconsistent information, Roskomnadzor will stay the review for up to 10 business days and request the missing data or explanations. The Operator must respond within 5 business days of receiving the request. Upon remediation of the causes for the stay, the review resumes within 3 business days. If the causes are not remedied within the established timeframe, the notification will not be considered. Roskomnadzor notifies the Operator of the resumption or termination of the review via any method that confirms receipt.

Roskomnadzor also has the right to request additional information from the Operator based on:

  • The absence of information regarding a competent data protection authority in the destination foreign state;
  • Plans to transfer specific categories of PD: biometric, special categories, data obtained through anonymization, or data of minors;
  • The existence of a recognized valid complaint regarding the data processing activities of the intended foreign recipient.

The deadline for providing additional information is 10 business days from the date of receipt of the request. If necessary, the Operator may submit a reasoned notice to extend this deadline. The consequence of providing or failing to provide such information is the resumption or termination of the notification review.

Government Decree No. 2526 dated December 29, 2022, approved the list of cases where state and municipal authorities may carry out cross-border transfers without notifying Roskomnadzor to perform functions, powers, and duties assigned to them by international treaties and Russian law. These cases include:

  • Execution and facilitation of international air, sea, rail, and road transport;
  • Provision of postal services by a Russian postal operator;
  • Prevention and elimination of emergency situations;
  • Facilitation of diplomatic relations;
  • Ensuring national defense;
  • Facilitation of consular relations;
  • Cooperation in law enforcement, extradition for criminal prosecution and execution of sentences, and the transfer of convicted persons or persons with mental disorders for compulsory treatment;
  • Ensuring representation and protection of Russian interests in intergovernmental bodies, foreign and international courts, and arbitration tribunals.

Requirements for Cross-Border PD Transfer

Legislation does not establish any specific requirements for cross-border transfers. Operators should follow the general principles and conditions set by the Personal Data Law, such as:

  • Personal data processing must be carried out on a lawful and fair basis.
  • Processing must be limited to specific, predetermined, and lawful purposes. Processing incompatible with the purposes of collection is prohibited.
  • The merging of databases containing personal data processed for incompatible purposes is prohibited. Furthermore, pursuant to Part 5 of Article 18 of the Personal Data Law, the recording, systematization, accumulation, storage, clarification, and extraction of personal data of Russian citizens must be performed using databases located within the territory of the Russian Federation. Violation of this obligation carries a risk of liability under Part 8 of Article 13.11 of the CAO RF, with fines up to 200,000 rubles for officials and up to 6,000,000 rubles for legal entities.
  • Only personal data meeting the purposes of processing may be processed.
  • The content and volume of processed data must correspond to the stated purposes and must not be excessive.
  • Processing must ensure the accuracy, sufficiency, and relevance of the data in relation to the purposes of processing.

As a general rule, personal data processing requires the consent of the data subject. Processing without consent is permitted only in cases expressly provided for in the Personal Data Law.

Prior to March 1, 2023, Law No. 152-FZ required separate consent for cross-border transfer if the data was sent to countries not providing adequate protection. Currently, this requirement is no longer in effect. However, this does not mean transfers are unrestricted. The data subject has the right to know about any completed or intended cross-border transfer of their data (Clause 8, Part 7, Article 14 of Law No. 152-FZ). The consent for personal data processing must specify that personal data will be transferred to third parties in other countries.

Prohibition or Restriction of Cross-Border Transfer

Pursuant to Parts 9 and 12 of Article 12 of the Personal Data Law, Roskomnadzor may prohibit or restrict cross-border transfer of personal data for the following purposes:

  • Protecting morality, health, and the rights and lawful interests of citizens — following the review of a filed notification of intent;
  • Protecting the foundations of the constitutional order of the Russian Federation and state security — upon a submission from the Federal Security Service (FSB);
  • Ensuring national defense — upon a submission from the Ministry of Defense;
  • Protecting the economic and financial interests of the Russian Federation — upon a submission from federal executive bodies authorized by the President or the Government;
  • Ensuring the protection of citizens' rights, freedoms, and interests, as well as the sovereignty, security, and territorial integrity of the Russian Federation through diplomatic and international legal means — upon a submission from the Ministry of Foreign Affairs.

The decision to prohibit or restrict cross-border transfer to protect morality, health, and the rights and lawful interests of citizens is made in accordance with the procedure set by Government Decree No. 24 dated January 16, 2023 (the "Decree No. 24").

The prohibition of cross-border transfer for these purposes occurs if:

  • The foreign authorities or persons intended to receive the data fail to take measures to protect it or fail to define conditions for terminating its processing;
  • The foreign legal entity is an organization whose activities are prohibited in the Russian Federation by a final court judgment;
  • The foreign legal entity is included in the list of foreign and international non-governmental organizations whose activities are recognized as undesirable in the Russian Federation. This list is maintained and published by the Ministry of Justice;
  • The cross-border transfer and subsequent processing are incompatible with the purposes of data collection;
  • The cross-border transfer occurs in cases not provided for by the Personal Data Law.

Restrictions on cross-border transfer for these purposes occur if:

  • The content and volume of the personal data intended for transfer do not correspond to the purpose of the transfer;
  • The categories of data subjects whose data is intended for transfer do not correspond to the purpose of the transfer.

Roskomnadzor makes the decision to prohibit or restrict transfer within 10 business days of receiving the notification from the Operator. The decision enters into force on the date of signing and is sent to the Operator no later than the following day. If the causes for the prohibition or restriction are remedied, the Operator may refile the notification, but no earlier than 10 business days after the initial decision.

According to media reports citing Roskomnadzor representatives, seven decisions to prohibit or restrict cross-border transfer have been issued since March 2023. These involved financial and logistics companies. The decisions were based on the mismatch between the transfer purposes and the purposes stated during data collection. Specifically, companies intended to transfer the personal data of job applicants and potential clients abroad to check their creditworthiness.

The procedure for prohibiting or restricting transfers upon submissions from federal executive bodies is defined in Government Decree No. 6 dated January 10, 2023 (the "Decree No. 6").

Roskomnadzor reviews such submissions within 5 business days. The decision is sent to the submitting body, the foreign state, and the Operators involved. If the causes are remedied, Roskomnadzor may lift the prohibition or restriction upon a request from the submitting executive body.

If Roskomnadzor prohibits a cross-border transfer, the Operator must ensure that the foreign recipient destroys the previously transferred information.

Procedure for Appealing Decisions to Prohibit or Restrict Cross-Border PD Transfer

A decision to prohibit or restrict cross-border transfer for the protection of morality, health, and the rights and interests of citizens may be appealed in court or to a superior Roskomnadzor official.

An appeal must be filed within one month of the Operator receiving the decision and must include:

  • The surname and initials of the superior official to whom the appeal is submitted;
  • Information about the person filing the appeal;
  • Identification of the contested decision;
  • The arguments supporting the Operator's disagreement;
  • A list of attached materials.

The appeal is reviewed within 10 business days of registration. The resulting decision is sent to the Operator no later than the day following its adoption. This decision may also be appealed in court.

Decree No. 6 does not explicitly provide for a procedure to appeal decisions based on submissions from federal executive bodies. However, in our view, this does not deprive interested parties of the right to contest such decisions under Chapter 24 of the APC RF, Challenging Non-Normative Legal Acts, Decisions, and Actions (Inaction) of State Bodies. Currently, there is no established practice for such appeals, likely because these norms have only recently begun to be applied.

Liability for Violating Cross-Border PD Transfer Rules

The CAO RF does not yet provide for specific norms establishing administrative liability for violating cross-border transfer rules. Liability is imposed under the same norms that govern other personal data processing violations.

Failure to file or late filing of notifications regarding processing or intent to carry out cross-border transfer, or providing incomplete or distorted information, results in administrative liability under Article 19.7 of the CAO RF, Failure to Submit Information. Penalties include fines of 300 to 500 rubles for officials and 3,000 to 5,000 rubles for legal entities.

In one court case, Roskomnadzor, during a routine inspection, discovered that a company's notification claiming no cross-border transfer did not match its actual activities. The company was found guilty under Article 19.7 of the CAO RF, and the challenge to the penalty was unsuccessful.

Violating cross-border transfer rules also carries a risk of liability under Article 13.11 of the CAO RF, such as:

  • Processing personal data in cases not provided for by law, or incompatible with the purposes of collection (Part 1, Art. 13.11). Penalties: fines of 10,000 to 20,000 rubles for officials and 60,000 to 100,000 rubles for legal entities.
  • Processing personal data without written consent where required, or with violations of consent requirements (Part 2, Art. 13.11). Penalties: fines of 20,000 to 45,000 rubles for officials and 30,000 to 150,000 rubles for legal entities.
  • Failure to fulfill the obligation to provide the data subject with information regarding the processing of their data. Penalties: fines of 8,000 to 12,000 rubles for officials and 40,000 to 80,000 rubles for legal entities.

Following inspections, regulatory bodies may also issue mandatory orders and directives to remedy violations. In one instance, a prosecutor's office issued a directive to an organization regarding violations in data processing. The grounds included:

  • The absence of consent from former employees for cross-border transfer to Ireland and the UK, and the failure to specify cross-border transfer in a contract with a counterparty;
  • The cross-border transfer of employee data to a country not providing adequate protection based on written consents that did not meet the requirements of the Personal Data Law.

The Operator's attempt to challenge the directive in court was unsuccessful: the court agreed that transferring employee data without their written consent violated Law No. 152-FZ.

Furthermore, a person may be held civilly liable for damages or moral harm. In one case, a store manager personally provided a worker's mobile number to an Uzbek citizen for personal reasons. Subsequently, the worker received messages containing profanity and personal threats. The data subject sued the store and the manager for 100,000 rubles in moral damages. Roskomnadzor confirmed the circumstances. The court noted the number was provided to the manager personally, and the transfer was due to a personal conflict rather than employment duties. The court awarded 5,000 rubles in moral damages against the manager but dismissed the claim against the store.

Additionally, an employee may face disciplinary action for violating transfer rules while performing duties. In the aforementioned case, the store manager received a formal reprimand following the Roskomnadzor inspection.

In conclusion, the requirements for processing the personal data of Russian citizens, including cross-border transfer rules, are becoming increasingly detailed, and liability for violations is regularly tightened. PD Operators must organize their operations accordingly and stay informed of legislative changes.

___________________________________

References

  1. Federal Law No. 266-FZ dated July 14, 2022, On Amending the Federal Law On Personal Data, Certain Legislative Acts of the Russian Federation, and Recognizing Part Fourteen of Article 30 of the Federal Law On Banks and Banking Activities as Void.
  2. Roskomnadzor Order No. 128 dated August 5, 2022, On Approval of the List of Foreign States Providing Adequate Protection for the Rights of Personal Data Subjects.
  3. Concluded in Strasbourg on January 28, 1981.
  4. Russian Federation Government Decree No. 24 dated January 16, 2023, On Approval of the Rules for Decision-Making by the Authorized Body for the Protection of the Rights of Personal Data Subjects Regarding the Prohibition or Restriction of Cross-Border Transfer of Personal Data for the Purpose of Protecting Morality, Health, Rights, and Lawful Interests of Citizens.
  5. Russian Federation Government Decree No. 6 dated January 10, 2023, On Approval of the Rules for Decision-Making on the Prohibition or Restriction of Cross-Border Transfer of Personal Data by the Authorized Body for the Protection of the Rights of Personal Data Subjects and Informing Operators of the Decision Adopted.
  6. Decision of the Ezhvinsky District Court of Syktyvkar dated September 18, 2017, in Case No. 12-102/2017.
  7. Appellate Ruling of the Moscow City Court dated June 4, 2018, in Case No. 33A-3957/2018.
  8. Decision of the Leninsky District Court of St. Petersburg dated August 25, 2022, in Case No. 2-644/2022.