Personal Data Protection in Russia's Digital Environment: Legal Framework and Compliance Requirements
September 30, 2023
BRACE Law Firm ©
Digital technologies, including the Internet, are currently widely used throughout the world to process personal data, and Russia is no exception. Presidential Decree No. 203 dated May 9, 2017, approved the Strategy for Information Society Development in the Russian Federation for 2017–2030 (the "Strategy"), which provided for a transition to a digital economy (an activity in which data in digital form is the key factor of production).
According to the Strategy, digital transformation should affect all key sectors of the economy, the social sphere, and public administration. For example, the Portal of State and Municipal Services is already operational, allowing for certain state and municipal services to be obtained in electronic form. An experiment on the implementation of a digital educational environment in schools and universities began in 2020. A similar process is underway in healthcare and other sectors of the social sphere and the economy. Furthermore, people have become active users of Internet resources: communicating on social networks, making purchases in online stores, etc.
At the same time, pervasive digitalization has exacerbated the issue of protecting the personal data of citizens, as the risk of unauthorized acquisition and distribution of personal data in the digital environment is much higher.
This article examines the specifics of personal data processing in the digital environment and how legislation in this area is transforming to meet modern realities. However, due to the limited scope of this material, technologies and concepts used in practice but not regulated by current legislation, such as Big Data, blockchain data processing technologies, and others, will not be addressed.
Features of Personal Data Processed in the Digital Environment
The basic regulatory act governing relations concerning personal data processing in the Russian Federation is Federal Law No. 152-FZ dated July 27, 2006, On Personal Data (the "Law on Personal Data" or the "Law No. 152-FZ"). According to Article 3 of the Law No. 152-FZ, personal data means any information relating to a directly or indirectly identified or identifiable individual (the "personal data subject").
The Law contains neither an exhaustive list of personal data nor clear criteria for classifying specific information about a person as personal data. Meanwhile, a large volume of information is collected, transmitted, and used on the Internet: both standard information (Full Name, address, telephone, etc.) and rather specific data.
In practice, questions arise as to whether email addresses, cookies, IP addresses, user IDs, Yandex Metrica and Google Analytics data, etc., constitute personal data. Let us analyze the most frequently occurring questions using examples from available judicial practice.
Regarding email addresses, Roskomnadzor takes the position that an email address containing a Full Name may be classified as personal data, but if the address is merely a set of words, it cannot be considered personal data. In Case No. A40-139096/2022, the Supreme Court of the Russian Federation [1] supported the opinion of lower courts in refusing to recognize an email address as personal data, as it is impossible to identify the specific person to whom it belongs by an email address alone without additional identifiers. Furthermore, the courts indicated that an email address does not possess the property of "absolute permanence", since if an electronic mailbox is deleted from a server for any reason, the exact same email address can be registered by a new user.
Representatives of Roskomnadzor express a similar position during video seminars regarding user IDs (a unique identification number of an account registered in any social network). In their opinion, for a user ID to be recognized as personal data, it must meet two criteria: permanence and uniqueness.
A somewhat different situation arises regarding cookies. Cookies are small text files containing data. They store information about a user's previous actions on a web resource and can remember preferences, language, currency, viewed pages and products, IP addresses and locations, operating system and browser versions, etc. This allows the online resource to "recognize" a given user during a return visit. Thus, both judicial and regulatory authorities recognize cookies as personal data, as they characterize the Internet user.
The position of judicial authorities on the classification of IP addresses is not as unequivocal. In some cases, courts classify an IP address as personal data. Let us consider the example of Case No. 2-5354/2015. [2]
During investigative activities, the Ministry of Internal Affairs (UMVD) sent inquiries to the regional branch of OJSC MegaFon requesting information on subscribers assigned the IP addresses specified in the requests at the relevant times, which were used to access the Internet resources vk.com and ok.ru. The operator refused to provide the information, citing communication secrecy. In connection with the provider's refusal, the UMVD appealed to the court. The court indicated that information about subscribers (personal data) includes the Full Name of the individual subscriber, as well as the subscriber's address or the installation address of the terminal equipment, subscriber numbers, and other data allowing for the identification of the subscriber or their terminal equipment, database information, including information on connections, traffic, and payments of the subscriber.
In this case, the court's reasoning regarding the distinction between static and dynamic IP addresses is also of interest. The court concluded that identifying a user by establishing their personal data via a static IP address (permanently assigned to the terminal user equipment) cannot differ in its legal consequences from cases where an IP address is assigned to user equipment automatically for the period of a connection session to the Internet (a dynamic IP address).
At the same time, judicial practice exists that does not recognize an IP address as personal data, [3] and there are also opinions among specialists that it is justified to classify a static IP address as personal data because it is easy to identify a user by it, whereas a dynamic IP address is not such data.
It should be noted that if information about a network access point or geolocation is not always regarded as personal data because it cannot unequivocally identify an individual, it is generally qualified as personal data when combined with other data. The Case of PJSC Summa Telecom No. A40-51869/2016-145-449 is indicative in this regard. [4]
Based on the results of an inspection, the regulatory authority established that the commercial entity was transmitting information about subscribers to partners (subscriber search queries, device model or type of browser used by the user, Internet addresses of visited web pages, the subject matter of the information viewed, and the subscriber's IP address) sufficient to form an advertising profile of the subscriber. Subsequently, the advertiser sends personalized advertising depending on the subject's preferences. The regulatory authority issued an order to cease the distribution of personal data without the consent of the subscribers. The commercial entity's attempt to challenge the order in court was unsuccessful. The court indicated that the transmitted information is information about the connections and traffic of a specific subscriber and, therefore, constitutes their personal data.
We note that the correct classification of information is important for understanding whether the requirements of the Law on Personal Data apply to its processing. Unfortunately, law enforcement practice on this issue is not uniform, and official clarifications from regulatory authorities are lacking.
Specifics of Obtaining Consent for Actions with Personal Data
As a general rule, the person organizing or performing the processing of personal data (the "Operator" or "PD Operator") must obtain the consent of the personal data owner for their processing. Requirements for consent are regulated in Article 9 of the Law on Personal Data. For general categories of data, consent may be given in any form that allows for confirmation of the fact of its receipt. Written consent is required for the processing of special categories of personal data and biometric data. Consent in the form of an electronic document signed with an electronic signature is recognized as equivalent to consent on paper.
It should be noted that the Law on Personal Data does not contain direct rules or specifics regarding the execution of consent in cases where personal data is provided remotely via the Internet. This causes numerous questions for PD Operators.
According to clarifications provided by Roskomnadzor on its website in the FAQ section, if the law requires written consent in specific cases, the document must be signed either on paper or in electronic form via an electronic signature as an analogue of a handwritten one. In the event that written consent is not mandatory, it may be expressed in any way, in particular by ticking a box in electronic form. In this regard, it must be remembered that the obligation to provide evidence of obtaining consent rests with the PD Operator.
In practice, we recommend placing a personal data processing consent form on your website. This can be done in several ways: placing it before the personal data entry form, adding an active link to it, or placing the text in a pop-up window. Beneath the personal data entry form there should be a button labelled "I agree to the processing of personal data" or a checkbox that must be ticked. Personal data must not be sent until the subject has confirmed consent to its processing.
Furthermore, pursuant to Part 2 of Article 18.1 of the Law on Personal Data, a Policy regarding personal data processing must be published on the website, regulating the purposes of processing, the categories and list of processed personal data, the methods and terms of processing, and information on the implemented protection measures.
On March 1, 2021, amendments to the Law on Personal Data entered into force, [5] introducing a new term: "personal data permitted by the personal data subject for distribution" — data to which access by an unrestricted number of persons is provided by their subject by giving consent (Part 1.1 of Article 3 of the Law No. 152-FZ). It replaced the concept of "publicly available personal data". The purpose of these changes was to limit the uncontrolled use of data posted on websites and in other open sources. Now, if an Operator wishes to distribute data to an indefinite circle of persons (for example, by posting it on a website), it must obtain the consent of the personal data subject for its distribution. This is executed separately from the consent to the processing of personal data. The silence or inaction of a personal data subject cannot be considered consent.
Consent to the processing of personal data permitted by the personal data subject for distribution (the "consent to PD distribution") may be provided:
- directly to the PD Operator;
- using the information system of Roskomnadzor.
The requirements for the content of the consent to PD distribution were approved by Roskomnadzor Order No. 18 dated February 24, 2021. [6] It must contain:
- The Full Name and contact details of the PD subject (telephone number, email address, or postal address);
- Information about the PD Operator (name, address, INN, OGRN);
- Information about the Operator's information resources (the address consisting of the protocol name ("http" or "https"), server ("www"), domain, directory name on the server, and web page file name) through which access to the personal data will be provided to an unrestricted circle of persons;
- The purpose of processing personal data;
- The categories (general, special, or biometric) and the list of personal data for which processing consent is given;
- The prohibitions and access conditions established by the personal data subject.
The personal data subject is entitled to choose exactly which personal data and under what conditions they permit the PD Operator to distribute (Part 9 of Article 10.1 of the Law on Personal Data). For example, they may permit the publication of only their surname but prohibit the publication of a photo. They may also determine the conditions under which the obtained personal data may be transferred by the PD Operator:
- only via its internal network with access to information for strictly defined employees only;
- using information and telecommunications networks;
- without transfer of the obtained personal data;
- the term of the consent.
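The following is an added example, not code from the BRACE article, illustrating two points made above: a website form must not submit personal data until the subject has actively confirmed consent (and the Operator bears the burden of proving that consent was obtained), and a consent to distribution must carry the contents required by Roskomnadzor Order No. 18, including an explicit permit/prohibit decision for each data item. The field names, the policy version value and the sample consent are assumptions constructed for illustration.

```javascript
// Added example (not from the article). Field names, policyVersion and sample data are assumed.

// Part 1: process a form submission only if consent was actively given.
// Silence, a missing field or a pre-ticked default is not consent, so only the
// boolean `true` counts. The returned evidence record is what the Operator would
// retain to prove that consent was obtained, since that burden rests on the Operator.
function acceptSubmission(submission, policyVersion, now = new Date()) {
  if (submission.consentToProcessing !== true) {
    return { accepted: false, reason: "consent to processing not given" };
  }
  const consentRecord = {
    subjectContact: submission.email,
    policyVersion, // which version of the published processing Policy the subject saw
    purposes: submission.purposes,
    givenAt: now.toISOString(),
    method: "checkbox", // acceptable where written form is not mandatory
  };
  return { accepted: true, consentRecord };
}

// Part 2: completeness check for a consent to PD distribution (Order No. 18 contents).
const REQUIRED_FIELDS = [
  "subjectFullName", "subjectContact", "operator", "resourceAddress",
  "purpose", "categories", "dataList", "prohibitionsAndConditions",
];
const OPERATOR_FIELDS = ["name", "address", "inn", "ogrn"];
const CATEGORIES = new Set(["general", "special", "biometric"]);

// The order describes the resource address as protocol, server, domain,
// directory name and page file name; split a URL into those parts.
function parseResourceAddress(address) {
  let url;
  try { url = new URL(address); } catch (e) { return null; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  const cut = url.pathname.lastIndexOf("/") + 1;
  return {
    protocol: url.protocol.replace(":", ""),
    host: url.hostname,
    directory: url.pathname.slice(0, cut),
    page: url.pathname.slice(cut),
  };
}

function checkDistributionConsent(consent) {
  const problems = [];
  for (const f of REQUIRED_FIELDS) {
    if (consent[f] === undefined || consent[f] === null || consent[f] === "") {
      problems.push(`missing ${f}`);
    }
  }
  if (consent.operator) {
    for (const f of OPERATOR_FIELDS) {
      if (!consent.operator[f]) problems.push(`missing operator.${f}`);
    }
  }
  if (consent.resourceAddress && !parseResourceAddress(consent.resourceAddress)) {
    problems.push("resourceAddress is not an http/https URL");
  }
  if (Array.isArray(consent.categories)) {
    for (const c of consent.categories) {
      if (!CATEGORIES.has(c)) problems.push(`unknown category ${c}`);
    }
  }
  // The subject chooses which data may be distributed; every listed item needs an
  // explicit decision, because silence cannot be treated as permission.
  if (Array.isArray(consent.dataList)) {
    for (const item of consent.dataList) {
      if (item.permitted !== true && item.permitted !== false) {
        problems.push(`no decision recorded for ${item.name}`);
      }
    }
  }
  return { valid: problems.length === 0, problems };
}

// Constructed sample consent (fictitious person, operator and identifiers).
const SAMPLE_DISTRIBUTION_CONSENT = {
  subjectFullName: "Ivanova Anna Petrovna",
  subjectContact: "anna.example@example.com",
  operator: { name: "Example LLC", address: "Moscow, Example St. 1", inn: "7700000000", ogrn: "1000000000000" },
  resourceAddress: "https://www.example.com/staff/ivanova.html",
  purpose: "publishing the staff directory",
  categories: ["general"],
  dataList: [
    { name: "surname", permitted: true }, // surname may be published...
    { name: "photo", permitted: false },  // ...but the photo may not
  ],
  prohibitionsAndConditions: "transfer only via internal network; consent term 1 year",
};
```

Running `checkDistributionConsent(SAMPLE_DISTRIBUTION_CONSENT)` yields no problems, while the same consent with an `ftp://` resource address or a missing OGRN is reported as incomplete; `acceptSubmission` with the checkbox unticked refuses the submission instead of storing the data.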
A functionality allowing the Operator to prepare a template for the distribution consent form has been implemented on the Roskomnadzor website. At its discretion, the Operator may send the generated template to Roskomnadzor to receive recommendations.
The PD Operator is also obliged to publish information on the processing conditions and on the existence of prohibitions and conditions no later than three business days from the moment of receiving the relevant consent from the personal data subject. This provision also raises questions. It is unclear exactly how and in what form this information should be published. We agree with the opinion of some researchers that including general indications in the Policy regarding possible options for conditions and prohibitions that may be selected in consents is sufficient for compliance with this provision. [7]
The transfer of personal data permitted for distribution must be terminated at any time upon the request of the personal data subject. Such a request must include the Full Name, contact information (telephone number, email address, or postal address) of the PD subject, as well as a list of the personal data the processing of which must be terminated. The distribution must be terminated within three business days from the moment the application is received.
For processing personal data without the written consent of the personal data subject, or in violation of the requirements for consent, the Operator shall be held administratively liable under Part 2 of Article 13.11 of the CAO RF. The penalty is a fine of up to 10,000 rubles for individuals, up to 40,000 rubles for officials, and up to 150,000 rubles for legal entities.
If the law does not provide for a mandatory written form of consent, there is a risk of being held liable under Part 1 of Article 13.11 of the CAO RF for processing personal data in cases not provided for by law. This entails an administrative fine of up to 6,000 rubles for individuals, up to 20,000 rubles for officials, and from 60,000 to 100,000 rubles for legal entities.
For repeated offenses, the penalty increases.
In our view, to minimize the risks of legislative violations, it is necessary to regulate the specifics of giving "remote" consents at the legislative level. We also support the opinion of researchers of this problem [8] that obligations should be added to the Law on Personal Data for the PD Operator to post standard forms for consents and their withdrawal on the website/platform, as well as to visualize the texts of user agreements and create a simplified version of the rules that users can take in at a glance.
Regarding the consent to distribution, the wording of Article 10.1 of the Law on Personal Data seems to us to be not very successful and requires further development.
Requirements for the Localization of Personal Data Processing
Federal Law No. 242-FZ dated July 21, 2014, which introduced amendments to the Law on Personal Data, established requirements for the localization of certain personal data processing procedures. [9] Since September 1, 2015, PD Operators have been obliged, when collecting personal data of citizens of the Russian Federation, to perform subsequent processing operations (accumulation, storage, and others) using only databases located in the territory of the Russian Federation (Part 5 of Article 18 of the Law No. 152-FZ). Primarily, this provision concerns PD Operators processing data using the Internet. Let us consider these requirements in more detail.
According to comments from the Ministry of Digital Development, Communications and Mass Media posted on the agency's official website, "collection" should be understood as a targeted process of obtaining personal data. Thus, the localization requirement does not apply to personal data received by the Operator as a result of accidental receipt by email or from another legal entity, if such data constitutes contact information of representatives of such a legal entity.
The localization requirement applies not only to Russian but also to foreign companies, including those that do not have a physical presence in Russia, if they carry out activities aimed at the territory of Russia. The following circumstances may indicate that a website is aimed at the territory of the Russian Federation:
- Use of a domain name associated with the Russian Federation or a constituent entity of the Russian Federation (.ru, .рф, .su, .москва, .moscow, etc.).
- The presence of a Russian-language version of the website. At the same time, since the Russian language is widely used in some countries outside the Russian Federation, the presence of at least one of the following elements is additionally necessary to determine that a website is aimed specifically at the territory of the Russian Federation:
- the possibility of making payments in Russian rubles;
- the possibility of performing a contract concluded on such a website in the territory of the Russian Federation (delivery of goods, provision of services, or use of digital content in the territory of Russia);
- the use of advertising in the Russian language referring to the corresponding website;
- other circumstances clearly indicating the website owner's intention to include the Russian market in its business strategy.
In the opinion of Roskomnadzor, confirmation of compliance with the aforementioned requirements by the PD Operator is the provision of such documents as:
- a certified block diagram of the layout of workstations where the storage of personal data of Russian users is carried out;
- a certificate on the recognition of acquired server capacities on the organization's balance sheet;
- a purchase and sale agreement for server capacities. [10]
In the case of an operator leasing technical platforms (data centers, server capacities) in the territory of the Russian Federation, a copy of the lease agreement concluded with the company providing the relevant services must be presented.
In accordance with Article 15.5 of Federal Law No. 149-FZ dated July 27, 2006, On Information, Information Technologies and Information Protection, a violation of the rules for collecting personal data of subjects on the Internet entails the restriction of access to information processed in violation of personal data laws and inclusion in the Register of Violators of the Rights of Personal Data Subjects. These actions are performed on the basis of a court decision that has entered into legal force. Let us consider the example of Case No. 33-38783/16. [11]
Roskomnadzor appealed to the court with a claim against the defendant LinkedIn Corporation to recognize the activity of the Internet resources as violating the requirements of the Law on Personal Data and to order measures to restrict access by entering domain names, page pointers, and network addresses into the Register of Violators of the Rights of Personal Data Subjects. In support of its claims, it was stated that this resource collects personal data of Russian citizens, including Full Names, email addresses, contact, payment, and biographical data, while the administrator of the linkedin website domain name is LinkedIn Corporation, located in the USA. During the court hearing, the defendant stated that the mere accessibility of the website in Russia is insufficient to conclude that the legislation of the Russian Federation applies to it. The court decided that the presence of a Russian-language version of the site indicates that the website is aimed at the territory of the Russian Federation. The possibility of using advertising in the Russian language further indicates the inclusion of the Russian audience in the sphere of business interests of the website owner. The claim was satisfied in full.
Furthermore, failure to perform the obligation to localize databases entails the risk of being held liable under Part 8 of Article 13.11 of the CAO RF. The administrative fine is up to 50,000 rubles for individuals; up to 200,000 rubles for officials; and up to 6,000,000 rubles for legal entities.
For example, in one case, Roskomnadzor established that a foreign organization was collecting personal data of Russian citizens (Full Name, telephone number, email address) using the foreign Speedtest service. The court found the organization guilty of committing an administrative offense under Part 8 of Article 13.11 of the CAO RF and imposed a fine of 1,000,000 rubles. [12]
Features of Personal Data Protection in Information Systems
When data processing occurs using information systems, additional security threats appear. Article 19 of the Law No. 152-FZ regulates the requirements for personal data protection in personal data information systems. Furthermore, they have been further developed in sub-legislative acts of the Government and orders of regulatory authorities: FSTEC of Russia and the FSB of Russia. These requirements were discussed in detail in our article "Ensuring Security and Protection of Personal Data During Its Processing". [13]
In the framework of this article, we focus on only one of the measures introduced into the Law on Personal Data by Federal Law No. 515-FZ dated December 30, 2020. [14] By these amendments, since January 10, 2021, a PD Operator must take measures to detect, prevent, and eliminate the consequences of computer attacks on personal data information systems and to respond to computer incidents in them. PD Operators develop the list of measures in accordance with the orders of regulatory authorities.
Notification of Personal Data Leaks
Despite the established requirements for personal data protection and ever-increasing fines for violations, the number of cases of personal data leaks of citizens onto the Internet has significantly increased in recent years. According to open sources, [15] in 2022, leaks occurred from major companies operating remotely, such as "Yandex.Eda", "Delivery Club", "CDEK", "Gemotest", and others.
Since September 1, 2022, a provision has been introduced into the Law on Personal Data, [16] obliging the Operator to notify Roskomnadzor of facts of unlawful or accidental transfer (provision, distribution, access) of personal data (Part 3.1 of Article 21 of the Law No. 152-FZ). According to the specified provision, the operator must notify the regulatory authority:
- within 24 hours — of the incident that has occurred, its presumed causes and harm, and the measures taken to eliminate its consequences;
- within 72 hours — of the results of the internal investigation of the incident, as well as of the persons whose actions caused it.
Information is transmitted by sending a notification through the Roskomnadzor website. The procedure for interaction between the regulatory authority and the PD Operator when recording incidents was approved by Roskomnadzor Order No. 187 dated November 14, 2022. [17] Operators classified as subjects of critical information infrastructure are obliged to report computer incidents through the GosSOPKA information system (Part 12 of Article 19 of the Law No. 152-FZ).
For violation of obligations when interacting with Roskomnadzor, PD Operators are held administratively liable under Article 19.7 of the CAO RF "Failure to Submit Information". The fine for officials is up to 500 rubles; for legal entities — up to 5,000 rubles.
In conclusion, we note that today digital technologies are several steps ahead of the legislative framework regulating the processing and protection of personal data in the information environment. In our view, it is necessary to determine the legal regime for new types of personal data at the legislative level, regulate the specifics of data collection and processing using information technologies and state information systems, and expand personal data protection measures in the digital environment. To regulate such specific legal relations, we believe the need has arisen to develop a Digital Code.
____________________
References
- Ruling of the Supreme Court of the Russian Federation dated July 21, 2023 No. 305-ES23-12160.
- Decision of the Oktyabrsky District Court of Samara dated September 24, 2015, in Case No. 2-5354/2015.
- Resolution of the Eighteenth Arbitration Court of Appeal dated April 5, 2017 No. 18AP-2210/2017 in Case No. A07-24090/2016.
- Decision of the Arbitration Court of Moscow dated May 25, 2016, in Case No. A40-51869/2016-145-449.
- Federal Law No. 519-FZ dated December 30, 2020, On Amending the Federal Law On Personal Data.
- Roskomnadzor Order No. 18 dated February 24, 2021, On Approving the Requirements for the Content of Consent to the Processing of Personal Data Permitted by the Personal Data Subject for Distribution.
- Abyshko A.O. The End of Publicly Available Personal Data in Russia? On the Question of Federal Law No. 519-FZ dated December 30, 2020 // Zakon, 2022, No. 3.
- Dmitrieva E.G. Problems of Personal Data Protection in the Digital World and Ways to Solve Them // Pravo i Biznes, 2021, No. 3.
- Federal Law No. 242-FZ dated July 21, 2014, On Amending Certain Legislative Acts of the Russian Federation in Part of Clarifying the Procedure for Processing Personal Data in Information and Telecommunications Networks.
- Letter of Roskomnadzor No. 08VM-59834 dated July 14, 2023, On the Consideration of the Appeal of the Association of Russian Banks.
- Ruling of the Moscow City Court dated November 10, 2016, in Case No. 33-38783/2016.
- Resolution of the Second Court of Cassation of General Jurisdiction dated December 26, 2022, in Case No. 16-9987/2022.
- See: https://brace-lf.com/en/analytics/digital-law-data-protection/personal-data-protection-security-requirements-russia.
- Federal Law No. 515-FZ dated December 30, 2020, On Amending Certain Legislative Acts of the Russian Federation in Part of Ensuring the Confidentiality of Information on Protected Persons and on the Performance of Operational-Investigative Activities.
- ru Portal.
- Federal Law No. 266-FZ dated July 14, 2022, On Amending the Federal Law On Personal Data, Certain Legislative Acts of the Russian Federation and Recognizing Part Fourteen of Article 30 of the Federal Law On Banks and Banking Activities as Invalid.
- Roskomnadzor Order No. 187 dated November 14, 2022, On Approving the Procedure and Conditions for Interaction of the Federal Service for Supervision of Communications, Information Technology and Mass Media with Operators within the Framework of Maintaining the Register of Personal Data Incidents.