We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
February 11 2014
In recent years companies have discovered the Internet as an effective distribution channel. From an operational perspective, e-commerce solutions are multifaceted and involve many legal aspects. The operation of online platforms usually requires the collection and processing of users' personal data. In Russia, personal data collection and processing are governed by the Personal Data Law (152-FZ/2006) and the regulations enacted thereunder.
In order to deliver goods, an e-shop must identify at least the name and address of the client. When collecting these and other personal data, the e-shop must comply with the requirements of the Personal Data Law for data operators, which include a requirement to obtain the client's consent to process the collected data. Consent must be given "in any form which allows such consent to be proved". But is it sufficient for consent to be given by ticking a box on a website, or by text message or telephone? This may not constitute adequate proof that the consent was given by the relevant person, or that the consent was given at all. What should e-commerce companies do in such cases? Should they collect written consent?
Written consent may be obtained on delivery of the ordered goods by courier, a method that has been adopted by some e-shops. However, clients may not always appreciate this, since in a brick-and-mortar shop they are not usually required to show their passports or sign data processing consent forms. Furthermore, this is a burdensome procedure and makes little sense for the e-commerce business.
Fortunately, in certain cases the Personal Data Law allows for the collection and processing of personal data without the consent of data subjects. One such exemption applicable to e-commerce businesses is where personal data collection and processing are necessary to fulfil a contract to which the data subject is a party or ultimate beneficiary, or where such data is needed to conclude the contract.
However, written consent is necessary for the collection of other data. Roscomnadzor, the Russian data protection authority, recently explained that:
"the criterion which would allow the consent given through the website to be reliably proved is an electronic signature of the data subject. Russian law does not allow consent to be given by SMS [text message] or by telephone."
Under Russian law, only a qualified enhanced e-signature has the legal force of a handwritten signature. However, the signature must be created through encryption, enable verification by the creator and facilitate the detection of any changes. Such signatures can be obtained at special certification centres and require the purchase of certain software. Thus, the average consumer cannot be expected to have such a complicated tool at his or her disposal.
Data needed for the conclusion of an e-sales contract (and therefore not requiring written consent) includes the name, telephone number and address of an individual client and sometimes his or her credit card details. However, written consent is usually required for other data (eg, passport number or health information). Thus, when collecting personal data, an e-commerce company must always be aware of both the data that can be requested and that which cannot. Furthermore, once the sales contract has been performed and the data is no longer needed for legal purposes (eg, for warranty obligations), all personal data must be deleted. There may be ways of making such data available after the sales contract has been performed; however, if a company wishes to use this data for marketing communications, written consent is required.
E-commerce companies' compliance with the Personal Data Law is not limited to obtaining data privacy consent. Extensive technical and organisational measures must also be applied by all companies processing personal data. Technical measures imposed by the Federal Security Services and the Federal Service for Technical and Export Control include:
Furthermore, the Personal Data Law strictly governs certain aspects of the cross-border transfer of personal data. In some cases it may be necessary to register with Roscomnadzor in order to perform data processing.
For further information on this topic please contact Thomas Mundry or Vyacheslav Khayryuzov at Noerr by telephone (+7 495 799 56 96), fax (+7 495 799 56 97) or email (firstname.lastname@example.org or email@example.com). The Noerr website can be accessed at www.noerr.com.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.