International Data Protection & GDPR: A Compliance Guide for Russia
September 1, 2023
BRACE Law Firm ©
The constitutions of most countries recognize the right of citizens to personal and family privacy, and protecting the personal data of individuals is a vital task for the state and society.
Basic principles for protecting human and civil rights were formulated in European and US legislation as early as the late 19th and early 20th centuries. At the international level, the Universal Declaration of Human Rights was adopted in 1948, followed by the European Convention for the Protection of Human Rights and Fundamental Freedoms in 1950. Even so, for a long time the national laws of most countries hardly regulated the processing and protection of personal data at all.
Since the 1980s, computers and information technologies have been widely used for data processing, and since the 1990s the global Internet has become widespread, making it far easier to collect and transfer individuals' personal data. This scientific and technological progress called for rules on the collection, storage, and dissemination of personal data, especially where these operations are carried out by automated means. To establish legal regulation and introduce unified approaches to the terminology and principles of personal data processing, several international acts were adopted.
In this article, we will consider the main international legal acts in the field of personal data processing and protection, their impact on Russian legislation, and judicial practice involving Russian citizens.
Convention of the Council of Europe for the Protection of Individuals with Regard to Automatic Processing of Personal Data
The first international act regulating the principles of personal data processing and protection during automated processing was the Convention of the Council of Europe for the Protection of Individuals with Regard to Automatic Processing of Personal Data (the "Convention", the "Council of Europe Convention"). It was concluded in Strasbourg on January 28, 1981; subsequently, in 1999, it was amended regarding cross-border data transfer. The goal of adopting the Council of Europe Convention was to ensure for every individual, regardless of nationality or residence, the right to privacy during the automated processing of personal data.
All member states of the Council of Europe have ratified the Convention, and other countries, such as Russia, Argentina, Mexico, Morocco, and Uruguay, have acceded to it as well. The Russian Federation ratified the Convention by Federal Law No. 160-FZ dated December 19, 2005, but it entered into force for Russia only on September 1, 2013. Upon ratification, the following declarations regarding its scope of application were made:
- The Convention does not apply to personal data processed by individuals exclusively for personal and family needs, or those classified as a state secret;
- The Convention also applies to non-automated processing if it is carried out in a manner corresponding to automated processing;
- The Russian Federation reserves the right to establish restrictions on the subject's right to access their personal data for the purposes of protecting state security and public order.
Let us consider the main provisions of the Council of Europe Convention.
The Convention defines the terms "personal data" and "automated processing". According to Article 2 of the Convention, "personal data" means any information relating to an identified or identifiable individual; "automated processing" means operations carried out entirely or partially by automated means: storage of data, logical and/or arithmetic operations on such data, and their modification, destruction, retrieval, or dissemination.
Fundamental principles of personal data processing are set out in Chapter 2 of the Convention. Personal data undergoing automated processing:
- are collected and processed on a fair and lawful basis;
- are stored for specific and legitimate purposes and are not used in a way incompatible with those purposes;
- are adequate, relevant, and not excessive for the purposes of their storage;
- are accurate and, where necessary, kept up to date;
- are preserved in a form which permits identification of the personal data subject for no longer than is required for the purposes of storing such data.
Special categories of personal data (data relating to racial origin, political opinions, religious or other beliefs, criminal convictions, health, or sexual life) may not undergo automated processing unless domestic law provides appropriate safeguards.
The Convention also regulated issues of cross-border personal data transfer (transferring personal data to the territory of a foreign state). According to Article 12 of the Council of Europe Convention, a state shall not prohibit or subject to special authorization cross-border flows of personal data for the sole purpose of protecting privacy. A state may derogate from this provision if the receiving state does not provide adequate protection or when there is a risk of such data being transferred to a third state that does not provide such protection.
The Convention establishes that appropriate security measures must be taken to protect personal data, aimed at preventing their accidental or unauthorized destruction or loss, as well as unauthorized access, modification, or dissemination of data. Furthermore, Article 8 of the Council of Europe Convention provides additional safeguards to the personal data subject, such as:
- knowing of the existence of an automated personal data file, its main purposes, and the name and residence or place of business of the person or public authority entitled to decide what is done with the file (in Russian legislation, such a person is called a "personal data operator");
- obtaining at reasonable intervals and without excessive delay or expense confirmation of whether personal data relating to them are stored in the automated data file, as well as obtaining such data in an intelligible form;
- seeking rectification or destruction of such data if they have been processed in violation of domestic law and the principles of the Convention;
- resorting to legal remedies if a request for confirmation or communication, modification, or destruction is not complied with.
Derogation from the principles of personal data processing and protection provided for by the Council of Europe Convention is allowed only in cases provided for by domestic law in the interests of state security, public safety, the monetary interests of the state, the suppression of criminal offenses, as well as the protection of the personal data subject or the rights and freedoms of others.
We note that the provisions of Article 8 of the Convention formed the basis for many decisions of the European Court of Human Rights (the "ECHR", the "European Court"), including those involving Russian citizens. Let us consider some of them.
The Case of Roman Zakharov v. Russia (Application No. 47143/06).[1] Roman Zakharov was the editor-in-chief of a publishing house and the chairman of the St. Petersburg branch of the Glasnost Defense Foundation. In 2003, Zakharov filed a claim with a Russian court against three mobile operators over interference with his right to the privacy of telephone conversations, alleging that the operators intercepted his telephone conversations with the permission of the FSB of Russia. The court found that Zakharov had not proved that the mobile operators transferred any protected information to third parties.
Appeals to higher Russian courts were unsuccessful, and Zakharov filed a complaint with the ECHR, claiming 9,000 (nine thousand) euros as compensation for non-pecuniary damage. The European Court of Human Rights held that the applicant was entitled to claim to be a victim of a Convention violation even though he could not prove that his telephone conversations had actually been intercepted. It found that the procedure for obtaining court authorization for interception under the Russian Federal Law On Operational-Search Activity cannot guarantee that secret surveillance is not applied indiscriminately. In the ECHR's view, a Russian court does not exercise full control when authorizing interception, which is unacceptable in a democratic society and violates Article 8 of the Convention. As to non-pecuniary damage, the Court held that the finding of a violation was in itself sufficient just satisfaction for the applicant, but it ordered Russia to reimburse Zakharov 40,000 euros in legal costs.
General conclusions formulated in the "Roman Zakharov case" were repeatedly applied in other ECHR Judgments. Thus, in 2017, the ECHR considered seven complaints from Russian citizens regarding violations of Article 8 of the Convention.
One of them is the Case of Akhlyustin v. Russia (Application No. 21200/05).[2] Akhlyustin was a member of a regional election commission. Secret video surveillance was conducted in the room where he worked. He was subsequently convicted under Article 285 of the Criminal Code of the Russian Federation for abuse of office and sentenced to two years of imprisonment. Akhlyustin applied to the ECHR, claiming 10,000 euros as compensation for non-pecuniary damage and stating that the secret surveillance at his workplace had been conducted unlawfully. The ECHR found that the employer had not warned the applicant about the video surveillance; covert surveillance in this case therefore constituted interference with private life and violated Article 8 of the Convention. The European Court of Human Rights awarded the applicant 7,500 euros as compensation for non-pecuniary damage.
Despite the ambiguity of the ECHR's findings and the end of their enforcement on Russian territory in 2022,[3] international acts and the practice of applying them are certainly worth studying in order to minimize risks when working with personal data.
As for the Convention's impact on Russian legislation, after Russia acceded to the Convention, a regulatory framework for the use and protection of personal data began to take shape in fulfillment of the international obligations undertaken. In 2006, Federal Law No. 152-FZ dated July 27, 2006, On Personal Data (the "Personal Data Law") was adopted, based on the principles established by the Convention, together with a significant number of subordinate regulations.
Noting the significance of the Convention as the first international document dedicated to personal data protection, we agree with D.I. Gorokhova that it serves the interests of personal data owners, individual rights and freedoms, and general democratic values. At the same time, it contains many vague rules and does not regulate specific data protection measures, leaving their adoption to the national laws of participating countries.[4]
EU Personal Data Protection Directive No. 95/46/EC
The relative lack of specificity in the Convention and the expansion of areas where personal data is used required the adoption of other international acts.
In 1995, the first European Directive No. 95/46/EC, On the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (the "Directive 95/46/EC"), was adopted. The general principles of the Directive were similar to the principles of the Convention. Directive 95/46/EC regulated personal data processing within the EU, regardless of whether it was carried out by automated means. However, in 2018, it was repealed due to the adoption of the General Data Protection Regulation.
In 2002, Directive 2002/58/EC, On the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (the "Directive 2002/58/EC"), was adopted, regulating the use of personal data in the field of public electronic communication services. In particular, Directive 2002/58/EC established the obligations of public communication service providers, such as:
- taking necessary technical and organizational measures to ensure the security of the services provided;
- protecting personal data against accidental or unlawful destruction, accidental loss or alteration, and unauthorized storage, processing, access, or disclosure;
- informing subscribers of any specific risk of a breach of network security and the possible remedies.
The procedure for processing subscriber location data and the use of personal data in subscriber directories were also regulated.
General Data Protection Regulation (GDPR)
One of the most important international acts of the European Union regulating personal data protection is the General Data Protection Regulation (the "Regulation", the "GDPR"). It was adopted on April 27, 2016, and entered into force on May 25, 2018. Its goals were to harmonize the national rules of European Union countries on personal data processing into one unified regulation, to establish rules for data transfer outside the EU, and to protect the rights of personal data subjects.
The Regulation has direct effect and is binding on all persons processing personal data of EU citizens, regardless of whether the processing is carried out within or outside the EU. We note that Russian companies acting as personal data operators may also fall under the Regulation in the following cases:
- if they have branches and representative offices in EU countries, as well as an office or workplace where personal data processing is carried out;
- if they provide services or sell goods to EU citizens, including online, regardless of whether payment is required from the personal data subject (under the GDPR, even the intention to offer services or goods is sufficient: for example, if the company's website uses a national language or currency of an EU member state and makes it possible to place an order in that language);
- if they monitor the actions of EU citizens. Monitoring should be understood as observing and predicting preferences, personality traits, and behavioral characteristics of individuals for marketing, statistical, and other purposes.
Let us consider the terminology and key provisions of the GDPR in more detail.
The GDPR defines "personal data" as any information relating to an identified or identifiable individual. This includes names, identification numbers, location data, online identifiers, IP addresses, data obtained using "cookies", etc. "Processing of personal data" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval and sampling, examination, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, selection, erasure, or destruction.
The Regulation distinguishes two types of personal data operators: processors and controllers. Processors directly process the data; controllers determine the purposes and means of personal data processing and verify its correctness.
Principles of personal data processing according to the GDPR:
- lawfulness, fairness, and transparency;
- purpose limitation (data are collected for specific, explicit, and legitimate purposes and should not be further processed in a manner incompatible with those purposes);
- data minimization (using the minimum amount of data necessary to fulfill the stated goals);
- accuracy (data must be accurate; erroneous data must be corrected or deleted);
- storage limitation (data must be kept no longer than necessary to achieve the purposes);
- integrity and confidentiality (data must be processed in a manner that ensures security, including protection against unauthorized or unlawful processing using appropriate technical and organizational measures);
- accountability (the personal data operator must demonstrate compliance with all GDPR principles).
Personal data processing is permitted only in the cases provided for in Article 6 of the GDPR, namely:
- the existence of the personal data subject's consent to the processing;
- processing is necessary for the performance of a contract in which the personal data subject is a party;
- processing is necessary for compliance with a legal requirement;
- processing is carried out to protect the vital interests of the personal data subject or another individual;
- processing is carried out in the public interest;
- processing is necessary for the purposes of the legitimate interests pursued by the controller.
In the absence of one of these grounds, the processing will be deemed unlawful.
When processing is based on consent, the controller must be able to demonstrate its existence. Processing of a child's personal data when providing information society services will be lawful if the child has reached 16 years of age; in other cases, consent must be given or authorized by a parent or other authorized person.
Article 9 of the GDPR separately regulates the grounds for processing special categories of personal data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, information concerning health, or data concerning a person's sex life or sexual orientation.
One of the most important provisions of the Regulation is the rights granted to personal data subjects, covered in Chapter 3 and Chapter 8 of the Regulation, namely:
1. The right of access to personal data. The personal data subject has the right to obtain from the controller information about the existence of personal data that the subject provided themselves, as well as data that the controller collected from other sources or created. In particular, information may be requested about the purposes of processing, categories of data processed, recipients to whom the data may be disclosed, etc. Data are provided within one month after the request in the form requested by the subject, including electronically.
2. The right to rectification of personal data. The personal data subject has the right to demand the correction of inaccurate data or the completion of incomplete data.
3. The right to erasure (the "right to be forgotten"). The personal data subject has the right to demand that the controller delete their data in the cases listed by the GDPR: for example, if the personal data are no longer necessary for the purposes of processing, the personal data subject has withdrawn their consent to processing, or the personal data were processed unlawfully.
The Regulation also provides legal grounds on which processing may continue without the subject's consent: for archiving and statistical purposes, for scientific or historical research purposes, for exercising the right to freedom of expression, etc.
4. The right to restriction of processing. The personal data subject has the right to demand that the controller restrict processing in the cases listed by the GDPR: for example, if the accuracy of the data is contested, or if the processing is unlawful but the personal data subject objects to the erasure of the personal data, etc.
5. The right to data portability. The personal data subject has the right to receive personal data in a machine-readable format if the processing is carried out by automated means.
6. The right to object. The personal data subject has the right to object to the processing of their personal data, and the controller is then obliged to stop processing unless it can demonstrate other legal grounds for the processing. If personal data are processed for direct marketing purposes, the personal data subject has an unconditional right to object to the processing of their data.
7. The right to influence automated individual decision-making and profiling. The Regulation allows personal data subjects to object to decisions made by computerized systems without human involvement.
8. The right to lodge a complaint with a supervisory authority. The personal data subject has the right to lodge a complaint with a supervisory authority in the place of residence, place of work, or place of the violation. The supervisory authority is obliged to consider the complaint and inform the applicant of the outcome of the investigation. Furthermore, the personal data subject has the right to appeal the decision of the supervisory authority in court.
9. The right to compensation. In the event of a GDPR violation, the operator is obliged to compensate the personal data subject for any damage caused as a result of the processing of their personal data.
We should also say a few words about ensuring the security of personal data provided for by the Regulation. Personal data operators are obliged to adopt appropriate technical and organizational measures to ensure an adequate level of security, including the following:
- cryptographic protection of personal data;
- applying means to ensure ongoing confidentiality of data, as well as means for timely restoration of access to data in the event of incidents;
- regular testing and evaluation of the effectiveness of the technical and organizational measures adopted.
Furthermore, operator companies are obliged to notify the supervisory authority, and in several cases the personal data subjects, of any personal data breach within 72 hours of discovering it.
To comply with the rights and protection of personal data, a personal data operator falling under the provisions of the GDPR must, at a minimum, develop and implement several documents:
1. Data Processing Agreement (DPA). This agreement is concluded between the controller and the processor and must contain the scope, nature, and duration of the processing, a list of categories of personal data and personal data subjects, the rights and obligations of the parties, technical and organizational security measures, and conditions for engaging other processors. Requirements for the content of the DPA are provided for in Article 28 of the Regulation.
2. Privacy notice. This policy must contain information about the purposes and grounds for processing personal data, categories of data processed, rights of personal data subjects, and the period of storage of personal data. The policy must be written in simple and clear language, without using complex terminology.
Articles 13 and 14 of the Regulation oblige the operator to inform personal data subjects of their rights. Generally, this is done by publishing the privacy notice publicly.
3. Consent to the processing of personal data. The Regulation establishes that it must be both easily obtained and easily withdrawn.
4. Data Protection Impact Assessment (DPIA). Article 35 of the GDPR requires the assessment to include the following:
- a description of operations and purposes of data processing;
- an assessment of the necessity and proportionality of processing operations in relation to the purposes;
- an assessment of risks in relation to the rights and freedoms of personal data subjects;
- measures to eliminate risks, security guarantees, as well as mechanisms for ensuring personal data protection.
To comply with the Regulation's requirements, a company acting as a personal data operator must appoint a company representative in the EU and a data protection officer.
The representative must be located in an EU country where the data subjects are and must interact with both the personal data subjects and the EU supervisory authorities. The data protection officer may be a company employee or another person on the basis of a service agreement. The tasks of the data protection officer are:
- informing the personal data operator regarding its obligations provided for by the Regulation and monitoring their compliance;
- advising on the issue of data protection impact assessment and monitoring its performance;
- interacting with EU supervisory authorities.
For non-compliance with the GDPR, a personal data operator may be fined up to 20,000,000 euros or up to 4% of annual turnover (Article 83 of the GDPR). The amount depends on the severity of the violation, its duration, and its consequences. Furthermore, even if a Russian company manages to avoid economic sanctions, other measures may be applied against it, such as restrictions on access to European websites, a ban on entry into EU countries, etc.
Assessing the significance of the GDPR, we note that it, unlike the Convention, details the requirements for personal data processing and protection. It is also worth noting that, despite some differences, the Personal Data Law and the GDPR are based on identical principles, have similar norms, and are aimed at protecting the personal data of individuals.
Summing up, we once again draw the attention of Russian companies acting as personal data operators to the necessity of accounting for the provisions of international legal acts, especially if the processing of foreign citizens' data is intended. Furthermore, compliance with the norms of international law, based on the right of citizens to privacy, will positively affect the company's reputation, increase the degree of trust from clients and partners, and increase the chances of entering foreign markets.
__________________________
References
- [1] ECHR Judgment of December 4, 2015, Roman Zakharov v. Russia (Application No. 47143/06).
- [2] ECHR Judgment of November 7, 2017, Akhlyustin v. Russia (Application No. 21200/05).
- [3] Federal Law No. 183-FZ dated June 11, 2022, On Amending Certain Legislative Acts of the Russian Federation and Recognizing as Invalid Certain Provisions of Legislative Acts of the Russian Federation.
- [4] D.I. Gorokhova, "Convention of the Council of Europe for the Protection of Individuals with Regard to Automatic Processing of Personal Data", National Security, 2013, 1 (24).