Impact of the GDPR in Russia

1. Applicable legislation governing data protection in Russia

N/A

2. Comparison of the national data protection legislation with the GDPR

2.1 Categories of data

Russian law defines personal data in a manner similar to the GDPR.

Special categories of personal data are also similar. Biometric personal data is defined separately under Russian law, but there is no specific concept of genetic data, although corresponding amendments to the law are expected.

2.2 Data Controller and Processor Obligations

General obligations, such as the necessity to justify data processing with a certain legal ground or to ensure the sufficient level of data protection, are similar to the GDPR with certain practical peculiarities, e.g.

  • Russian law does not provide for details on how the DPIA must be conducted;
  • the “privacy by design” and “privacy by default” principles are not stipulated;
  • legitimate interest is rarely used as a legal ground for processing due to the negative position of the regulator in this respect.

Notable specific obligations include:

  • Data localisation rules requiring data controllers to ensure that Russian citizens’ personal data is initially recorded in, stored in and updated in a database located in Russia;
  • Data controllers are obliged to obtain separate and specific consent for the dissemination of personal data. Processing of disseminated data can also be restricted;
  • Data controllers must notify the Russian DPA, describing what personal data is processed as well as how it is processed and protected.

It should also be noted that Russian law does not require data controllers to notify the regulator or data subjects of data breaches.

2.3 Data subjects’ rights

Data subjects’ rights under Russian law are similar to those under the GDPR, except for the right to data portability, which is not provided for under Russian law.

2.4 Protection granted

Data subjects are entitled to enforce their rights in case of any violations committed by the data controller. This is described in more detail below.

Although legal provisions allow data subjects to protect their rights, in practice Russian case law contains few cases in which data subjects have effectively done so. Thus, Russian practice cannot be considered developed from the standpoint of individuals’ protection. Most cases concern complaints brought by the DPA against controllers that fail to comply with certain provisions of Russian law, e.g. the localisation rules.

2.5 Data protection officer/Representative

Russian law requires data controllers that are legal entities to appoint a data protection officer. Russian law is not as specific as the GDPR regarding the DPO’s powers and independence, so in practice Russian companies appoint a DPO from among their employees, and the DPO then combines these functions with his/her existing job duties.

2.6 Remedies

Data subjects can file a complaint with the Russian DPA, which can lead to the data controller being ordered to remedy any violations or to pay the fines described below.

Serious violations in the sphere of personal data can be qualified as an invasion of privacy, which is a crime under Russian law. However, such cases rarely occur in practice.

Data subjects can also file a civil lawsuit to claim damages from data controllers infringing their rights. In practice, such cases are rare and the amounts of the awards quite low.

2.7 Fines

Russian law provides for various ranges of fines for different violations.

In general, violations such as processing data without a legal ground, failure to obtain written consent, or failure to publish a data protection policy can result in fines of up to approx. EUR 1,700. A repeated violation can lead to a fine of up to approx. EUR 5,500.

However, Russian law establishes more severe fines for breaching localisation rules, namely of up to approx. EUR 67,000 for the first violation and EUR 200,000 for a repeat offence.

2.8 Other major differences

The localisation rules are considered the most distinctive and business-affecting Russia-specific obligation, since they require companies to rebuild their IT infrastructure or to change data flows within international groups, which creates considerable complications for global businesses.

One practical difference in terms of the justification for data processing is that Russian companies tend to ensure that processing activities are carried out on the basis of consent, since this is the most reliable ground from the DPA’s standpoint, regardless of the risk of consent being revoked.

3. The GDPR impact

3.1 On existing legislation and prospective rules

The GDPR does not directly influence current Russian law, although the Russian DPA frequently states that it is closely monitoring the GDPR and related practice and tends to follow the EU route in data protection.

The GDPR was clearly taken into account when the protocol amending the Strasbourg Convention of 1981 was adopted. Russia has signed this protocol, although it has not yet ratified it. It is thus expected that some provisions similar to those of the GDPR will be implemented in the future, for instance the breach notification requirement, as well as the “privacy by design” and “privacy by default” principles.

3.2 In practice

In practice, the GDPR affects business in Russia in three ways.

First, the extra-territorial applicability of the GDPR forced Russian companies covering EEA markets to ensure compliance for the respective business processes.

Secondly, Russian subsidiaries of international companies have implemented GDPR-compliant processes due to group-wide instructions on the required level of data protection.

Finally, Russian companies that do not have any EEA-targeting activities are often required to confirm compliance with the GDPR at the contractual level in order to provide services to EU corporate clients.

4. Conclusions/expectations/commentary

Russian law is generally in line with the basic principles stipulated in the GDPR. However, some peculiarities make it more complicated to ensure compliance, e.g. the localisation rules or the restrictions on processing publicly available data.

Further development of law and practice in the sphere of personal data is expected and, most likely, will generally follow the trends and principles of the GDPR. However, the history of Russian data protection legislation shows that, although it aims to be close to EU law, it may still contain specific requirements reflecting the Russian government’s interests in protecting its citizens and information about them, which may differ substantially from the GDPR provisions.

Anton Bankovskiy
Irina Shurmina
Vladislav Eltovskiy