We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
11 December 2020
The Federal Law dated 27 July 2006 152-FZ On Personal Data (the Personal Data Law):
Adopted in 2006, the Personal Data Law has undergone numerous important changes aimed at further legal enhancement and development of national data protection regulations.
One of the recent amendments proposed in support of the Personal Data Law is Draft Law 992331-7 On Amendment of the Personal Data Law (the draft law), which aims to clarify data processing procedures.(1) The draft law was introduced on 21 July 2020 for consideration before Parliament and will be at the first reading stage soon.
New consent identifiers
In certain cases provided by the Personal Data Law, the processing of personal data can be carried out only with data subjects' consent and such consent must be made in writing. Consent in the form of an e-document, signed with an e-signature, is recognised as an equivalent to written consent.
Data subjects' written consent must include:
Of course, data subjects' consent must include their signature (Article 9(4.9) of the Personal Data Law).
The draft law provides one more addition to the required information – notably, the indication of another unique identifier, established by federal law or agreement between the parties, which may expressly determine the data subject and confirm their consent.
If Parliament approves this proposed amendment in the draft law, data processing operations which take place through consent on the web will be simplified, since specific online or e-identifiers will be applicable and possible, after all.
Allowance of several purposes
At present, each purpose of a data processing operation requires the separate consent of data subjects. More specifically, Article 9(4.4) of the Personal Data Law now uses the purpose of data processing only in a singular manner.
The draft law would extend the effect of consent to several data processing purposes, which must be properly listed in the consent document. The draft law also states that if the processing of personal data is carried out for several purposes, the following information must also be indicated for each particular case:
If this proposed amendment in the draft law is finally approved by Parliament, it will be possible to receive consent from data subjects for several data processing purposes. To this extent, the current routine practised by data operators and the formal approach ('one consent – one purpose') that is now in place will no longer be necessary. The explanatory note to the draft law outlines that these amendments will reduce the significant amount of written consent (papers) usually issued by individuals (data subjects) and will therefore improve documentation flows.
In addition, the draft law proposes that the processing of personal data by data operators on a legal basis can be carried out for additional purposes in the event of data subjects' consent providing the information on such (specified) additional purposes.
Supplement of technical security measures list
When processing personal data, data operators must take the necessary legal, organisational and technical measures or ensure their adoption to protect personal data from unauthorised or accidental access, destruction, modification, blocking, copying, provision, dissemination and other illegal actions. Personal data can be, among other things, protected by:
The draft law now provides for another amendment to the list of specific security measures to safeguard personal data that is processed by emphasising the need to use duly certified equipment to destroy personal data. More specifically, the draft law proposes modifying Article 19(2) of the Personal Data Law with a Section 3prim which reads as follows:
the use of information protection means for the destruction of personal data, which includes the function of data destruction, which have passed the conformity assessment procedure in the prescribed manner, carried out by the federal executive body authorized to act in the field of security (i.e. Federal Security Service of Russia), or by the federal executive body authorized to act in the field of countering technical intelligence and technical protection of information (i.e. FSTEC Russia).
According to the draft law, the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) will have the power to establish requirements for personal data depersonalisation and specific methods of depersonalisation. At present, this particular area of data protection legislation is blurred.
If the draft law, or certain proposals therein, is adopted into law, businesses, including domestic and foreign companies, acting as data operators, will need to review their data protection documents (ie, consent documents), technical security measures and data processing activities and revise them to be compatible with the above amendments and Roskomnadzor's requirements. Further, once Roskomnadzor publishes details of its depersonalisation methods, which may happen in the near future, companies will also need to address those requirements.
For further information on this topic please contact Sergey Medvedev or Ilya Goryachev at Gorodissky & Partners by telephone (+7 495 937 6116) or email (firstname.lastname@example.org) or email@example.com). The Gorodissky & Partners website can be accessed at www.gorodissky.com.
(1) See here.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.