Introduction

The Federal Law dated 27 July 2006 152-FZ On Personal Data (the Personal Data Law):

  • grants protection to personal data;
  • describes data subjects' rights;
  • imposes obligations on data operators; and
  • specifies various data processing activities, which must be carried out on the basis of consent or another legal basis.

Adopted in 2006, the Personal Data Law has undergone numerous important changes aimed at further legal enhancement and development of national data protection regulations.

One of the recent amendments proposed in support of the Personal Data Law is Draft Law 992331-7 On Amendment of the Personal Data Law (the draft law), which aims to clarify data processing procedures.(1) The draft law was introduced on 21 July 2020 for consideration before Parliament and will be at the first reading stage soon.

How will proposed changes affect data processing operations in Russia?

New consent identifiers

In certain cases provided by the Personal Data Law, the processing of personal data can be carried out only with data subjects' consent and such consent must be made in writing. Consent in the form of an e-document, signed with an e-signature, is recognised as an equivalent to written consent.

Data subjects' written consent must include:

  • their surname;
  • their name;
  • their patronymic;
  • their address;
  • their main identification document (ie, passport) number; and
  • information on the date of issuance of the specified document and the issuing authority (Article 9(4.1) of the Personal Data Law).

Of course, data subjects' consent must include their signature (Article 9(4.9) of the Personal Data Law).

The draft law provides one more addition to the required information – notably, the indication of another unique identifier, established by federal law or agreement between the parties, which may expressly determine the data subject and confirm their consent.

If Parliament approves this proposed amendment in the draft law, data processing operations that rely on consent given on the web will be simplified, since specific online or e-identifiers will at last be usable.

Allowance of several purposes

At present, each purpose of a data processing operation requires the separate consent of data subjects. More specifically, Article 9(4.4) of the Personal Data Law currently refers to the purpose of data processing only in the singular.

The draft law would extend the effect of consent to several data processing purposes, which must be properly listed in the consent document. The draft law also states that if the processing of personal data is carried out for several purposes, the following information must also be indicated for each particular case:

  • a list of personal data processed;
  • the data processor's details (if applicable);
  • a list of consented actions relating to the personal data processed;
  • a general description of the data processing methods;
  • the terms of consent; and
  • details of the consent revocation procedure.

If this proposed amendment in the draft law is finally approved by Parliament, it will be possible to receive consent from data subjects for several data processing purposes. As a result, the formal approach ('one consent – one purpose') that data operators currently follow as a matter of routine will no longer be necessary. The explanatory note to the draft law outlines that these amendments will reduce the significant number of written consents (paper documents) usually issued by individuals (data subjects) and will therefore improve documentation flows.

In addition, the draft law proposes that data operators processing personal data on a legal basis may also process it for additional purposes, provided that the data subjects' consent sets out those specified additional purposes.

Supplement of technical security measures list

When processing personal data, data operators must take the necessary legal, organisational and technical measures or ensure their adoption to protect personal data from unauthorised or accidental access, destruction, modification, blocking, copying, provision, dissemination and other illegal actions. Personal data can be, among other things, protected by:

  • establishing 'models of threats';
  • applying organisational and technical measures; and
  • using technical measures to protect information which has passed the conformity assessment procedure in the prescribed manner (Article 19(2.3) of the Personal Data Law).

The draft law now provides for another amendment to the list of specific security measures for safeguarding processed personal data, emphasising the need to use duly certified equipment to destroy personal data. More specifically, the draft law proposes adding to Article 19(2) of the Personal Data Law a Section 3prim, which reads as follows:

the use of information protection means for the destruction of personal data, which includes the function of data destruction, which have passed the conformity assessment procedure in the prescribed manner, carried out by the federal executive body authorized to act in the field of security (i.e. Federal Security Service of Russia), or by the federal executive body authorized to act in the field of countering technical intelligence and technical protection of information (i.e. FSTEC Russia).

Depersonalisation methods

According to the draft law, the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) will have the power to establish requirements for personal data depersonalisation and specific methods of depersonalisation. At present, this particular area of data protection legislation is unclear.

Comment

If the draft law, or certain proposals therein, is adopted into law, businesses, including domestic and foreign companies, acting as data operators, will need to review their data protection documents (ie, consent documents), technical security measures and data processing activities and revise them to be compatible with the above amendments and Roskomnadzor's requirements. Further, once Roskomnadzor publishes details of its depersonalisation methods, which may happen in the near future, companies will also need to address those requirements.

Endnotes

(1) See here.