Introduction

Federal Law 152-FZ of 27 July 2006 on Personal Data (Personal Data Law) is the primary law regulating personal data processing operations and related protection issues in Russia. Among the special regimes set out in the Personal Data Law is that which concerns the processing of personal data which is made publicly available by the data subject.

On 30 December 2020 the president signed into law (after its adoption by Parliament) Draft Law 1057337-7 on the Amendment of the Personal Data Law, which makes certain amendments to the existing regulations concerning publicly available personal data. The new law was published on the Russian legal portal on 30 December 2020 and will become effective on 21 March 2021 (in terms of the new definition of 'public personal data') and 1 July 2021 (in terms of the main data processing aspects relating to public personal data) (effective dates).

The new law also concerns the protection of personal data which is made publicly available. It deals with particular situations where data users have published information about themselves (eg, on a website), resulting in the dissemination of such data by other persons.

New notion of 'publicly available personal data'

The new law introduces the specific notion of 'personal data made publicly available'. This is defined as personal data to which the data subject gives an unlimited number of persons access by consenting to the processing of the data for further distribution pursuant to the order determined by the Personal Data Law.

In the existing Personal Data Law, the fact that personal data is made publicly available is among the special cases of data protection regulation (Article 6). Under the new law, the processing of this particular category of data will require the data subject's consent. Requirements with regard to the content of such consent will be set by the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor).

Therefore, as soon as the new law enters into effect, the processing of personal data made public by the personal data subject will become subject to the special legal regime, implying the need for the data subject to give their explicit consent.

Specific conditions and restrictions for processing publicly available personal data

The new law also introduces Article 10.1 to the Personal Data Law, which specifically provides the following conditions and restrictions for the processing of personal data made publicly available:

  • The consent for the processing of such personal data must be obtained separately from the other types of consent for the processing of personal data. The data operator must ensure that the data subject has the right to select the list of personal data for each category mentioned in the consent which it permits to be processed for distribution.
  • In the event that a data subject discloses personal data to an indefinite number of persons without providing the data operator with their consent for such data to be distributed or processed, the obligation to provide evidence of the legality of the subsequent distribution or other processing of such personal data lies with each person who has distributed or otherwise processed the data.
  • In the event that personal data has been disclosed to an indefinite number of persons due to an offence, crime or matter of force majeure, the obligation to provide evidence of the legality of the subsequent distribution or other processing of such personal data lies with each person who has distributed or otherwise processed the data.
  • If it does not follow from the consent provided by the data subject that they have agreed to the distribution of their personal data, such personal data must be processed by the data operator to which the data subject provided the personal data, which will have no right of distribution.
  • If it does not follow from the consent provided by the data subject that the data subject has not established restrictions and conditions for the processing of the personal data (as provided below), or if the consent does not indicate the categories and list of personal data for which the data subject has set conditions and restrictions (as provided below), such personal data must be processed by the data operator to which the data subject provided the personal data and must not be transferred (distributed, provided or accessed) to an unlimited number of persons.
  • Data subjects may provide their consent for the processing of personal data for distribution to the data operator directly or via the IT system of the body authorised to protect the rights of data subjects (Roskomnadzor). Rules for the use of such IT system will be determined by Roskomnadzor.
  • Under no circumstances can a data subject's silence or inaction be considered as them consenting to the processing of their personal data for distribution.
  • In their consent for the processing of personal data for distribution, the data subject has the right to establish restrictions on the transfer (except with respect to providing access) of such personal data by the operator to an unlimited number of persons, as well as restrictions on the processing or processing conditions (except with respect to obtaining access) of such personal data by an unlimited number of persons. Data operators cannot refuse to meet such restrictions and conditions. Further, within three days of receiving the corresponding consent from a data subject, the data operator must publish information on the processing conditions and the existence of restrictions and conditions for the processing of personal data permitted by the data subject for distribution by an unlimited number of persons.
  • The restrictions established by a data subject with respect to the transfer (except with respect to providing access) or processing of, or processing conditions (except with respect to obtaining access) relating to, personal data permitted by the data subject for distribution do not apply to cases in which personal data is processed in the state's or the public interest, as defined by Russian law.
  • The transfer (distribution, provision or access) of personal data permitted by the data subject for distribution must be stopped at any time, on the data subject's request. This request must include the data subject's surname, first name, patronymic (if any) and contact information (eg, phone number, email address or postal address) and a list of personal data whose processing must be terminated. The personal data indicated in such a request can be processed only by the data operator to whom the request has been sent. The data subject's consent to the processing of personal data permitted by the data subject for distribution is terminated as soon as the data operator receives the request.
  • Data subjects have the right to request that any person stop transferring (distributing, providing or accessing) their personal data which they had previously authorised for processing in case of non-compliance, or to apply to the court. Such person must stop the transfer (distribution, provision or access) of the personal data within three working days of receipt of the request from the data subject or within the period specified in a court decision that has entered into force. If such period is not specified in the court decision, such person must stop the transfer (ie, distribution, provision or access) of the personal data within three working days of the court decision entering into force.

These requirements (conditions and restrictions) do not apply in the event of data processing which aims to fulfil the functions, powers and duties imposed by Russian law on federal executive bodies, executive bodies of constituent entities of Russia or local self-government bodies.

Comment

Immediately after the effective dates, when the new law becomes valid and fully applicable, businesses and respective data operators will have to comply with the special regime of protection for public personal data, as outlined above. Of course, certain preparatory actions must be taken in advance to avoid data breaches in this respect and relevant liability under Russian law.

As a first step, data operators should review their internal data protection policies and documents, especially those governing business processes and specific processing operations relating to public personal data, and assess whether such activities would contradict the new requirements. If this is the case, certain adaptions and corrections will have to be made from a legal and organisational perspective.