Data protection and cybersecurity laws in Russia

Data protection

1. Local data protection laws and scope

  • Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data” (the “Data Protection Law”)
  • Labour Code of the Russian Federation (for personal data of employees)

2. Data protection authority

  • The Ministry of Digital Development, Communications and Mass Media of the Russian Federation (Minkomsvyaz)
  • The Federal Service for Supervision in the Sphere of Telecom, Information Technology and Mass Communications (Roskomnadzor)

3. Anticipated changes to local laws

Russia has signed the Amending Protocol updating Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data. The Data Protection Law is expected to be amended to comply with the updated Convention; for example, a breach notification obligation is expected to be introduced, and genetic data is expected to be added as a new category of sensitive personal data.
In March 2021, new rules regarding the dissemination of personal data and the use of publicly available personal data come into force. In particular, all data controllers will:

  • Have to obtain a separate and specific consent to make personal data publicly available; and
  • Bear the burden of proof that their processing of publicly available data is lawful.

In addition, an increase in administrative fines is actively being discussed publicly.

4. Sanctions & non-compliance

Administrative sanctions:

  • Failure to obtain the written consent of a personal data subject – fine of RUB 15,000 to RUB 75,000 (EUR 165 to EUR 835);
  • Processing personal data without proper legal grounds – warning or fine of RUB 30,000 to RUB 50,000 (EUR 335 to EUR 555);
  • Failure to inform a data subject about the processing of his/her personal data – warning or fine of RUB 20,000 to RUB 40,000 (EUR 220 to EUR 445);
  • Failure to publish a personal data processing policy – warning or fine of RUB 15,000 to RUB 30,000 (EUR 165 to EUR 335);
  • Failure to file a notification with Roskomnadzor – warning or fine of RUB 3,000 to RUB 5,000 (EUR 35 to EUR 55);
  • Failure to amend, block access to or destroy personal data at the legitimate request of a data subject or competent authority – warning or fine of RUB 25,000 to RUB 45,000 (EUR 280 to EUR 500);
  • Breach of the localisation requirement – fine of RUB 1m (EUR 11,150) to RUB 6m (EUR 66,800), and for repeated violations RUB 6m (EUR 66,800) to RUB 18m (EUR 200,450). Blocking of the website on the basis of a court ruling is also possible.

Criminal sanctions:

In serious cases, unlawful data processing may also be deemed illegal collection and distribution of information on the private life of a person. The Russian Criminal Code provides that such violations are punishable with a fine, compulsory works or imprisonment.

Others: 

Data subjects can file a civil court action against a data controller to seek compensation for damages caused by the illegal processing of personal data. 

5. Registration / notification / authorisation

Data controllers should file a notification with Roskomnadzor before commencing processing, except where one of the exemptions provided by the Data Protection Law applies. The notification contains a general description of the data processing activities and the protective measures taken.

Any subsequent changes in processing activities shall also be notified to Roskomnadzor.

6. Main obligations and processing requirements

Data controllers must justify data processing by one of the legal grounds provided for in the Data Protection Law. Data subject consent is the most common legal ground for data processing. Other common grounds include performance of an agreement with the data subject and compliance with statutory obligations.

The law requires data controllers to take the following main steps:

  • Define the categories of personal data and the purposes and duration of processing;
  • Obtain the data subject's consent (unless another data processing ground applies);
  • Appoint a data protection officer, adopt a data protection policy and take appropriate security measures to prevent unauthorised processing;
  • Notify Roskomnadzor of the commencement of data processing; and
  • Comply with the localisation rules, which require that data controllers, when collecting personal data, initially process the personal data of Russian citizens on servers physically located in Russia.

7. Data subject rights

Under the Data Protection Law, a data subject has the right to:

  • request details of the processing of his/her personal data by a data controller (what data is being processed and why, etc.);
  • revoke his/her consent to the data processing at any time;
  • object to data processing;
  • request, in certain cases, the rectification, blocking or deletion of his/her personal data; and/or
  • be compensated for damages, including for moral harm.

8. Processing by third parties

To transfer personal data to third parties, the consent of the personal data subject is normally required. The data controller and the data processor should also enter into an agreement instructing the data processor to process personal data on behalf of the data controller.

Third parties acting as data processors must comply with the same legal requirements, obligations and data processing rules as data operators. The data controller is liable for the acts or omissions of third parties acting under its authorisation, while those third parties are liable to the controller for any data breach.

9. Transfers out of country

The Data Protection Law distinguishes two types of cross-border data transfer:

  • Transfer of data to countries with adequate protection of personal data (“Safe Countries”); and
  • Transfer of data to countries without adequate protection of personal data (“Unsafe Countries”). 

Safe Countries comprise the signatories to the Strasbourg Convention of 28 January 1981 and the countries included in Roskomnadzor's list of safe countries (which includes Canada and Australia, among others).

The general requirements of the Data Protection Law apply to transfers of personal data to Safe Countries, i.e. the data controller can justify such a transfer by any applicable legal ground.

Transfer to the Unsafe Countries (for example, the US) requires an additional qualified consent of the data subject, unless an exception applies.

10. Data Protection Officer

A data protection officer shall be appointed and notified to Roskomnadzor.

11. Security

According to the law, personal data must be protected against unauthorised access, alteration, transfer, disclosure by transfer or deletion as well as damage and accidental destruction. In order to ensure the security of personal data, the data controller must, in particular:

  • Adopt policies on data processing;
  • Appoint a data protection officer;
  • Determine the level of damage which may be caused in the event of unauthorised processing of personal data; and
  • Establish rules relating to access to personal data. 

12. Breach notification

Currently there is no mandatory requirement to report data breaches to data subjects or to Roskomnadzor. 

13. Direct marketing

The prior consent of the individual to the use of his/her personal data is required for direct marketing purposes.

14. Cookies and adtech

The Data Protection Law does not define "cookies". However, in some cases courts have treated cookies as personal data.

Adtech is also not defined, and general rules regarding marketing and data processing apply.

15. Risk scale

Moderate.

Cybersecurity

1. Local cybersecurity laws and scope

Federal Law No. 187-FZ dated 26 July 2017 “On Security of Critical Informational Infrastructure of the Russian Federation” (the “Law”).

2. Anticipated changes to local laws

Adoption of administrative fines is expected.

3. Application 

The Law sets out requirements for ensuring security of critical informational infrastructure in the healthcare, science, transportation, communication, banking, financial services, energy, nuclear energy, defence, aerospace, mining, iron and steel and chemicals sectors.

4. Authority

The Federal Service for Technical and Export Control (FSTEC): https://fstec.ru/en/

The Federal Security Service: http://www.fsb.ru/ (Russian only)

5. Key obligations 

  • Requirement to establish and maintain a security system.
  • Obligation to assess and assign a level of importance to critical infrastructure, subject to notification to the authority in charge.
  • Obligation to develop a plan for responding to cybersecurity incidents.
  • Mandatory reporting of all incidents threatening the security of the critical infrastructure.
  • Assessment of security level.

6. Sanctions & non-compliance 

Criminal sanctions:

  • Creation and use of computer programmes intended for unlawful impact on the critical information infrastructure, including the deletion, blocking, modification or copying of information – imprisonment for up to five years with a fine of up to RUB 1m (EUR 13,300);
  • Illegal access to protected computer information contained in the critical information infrastructure – imprisonment for up to six years with a fine of up to RUB 1m (EUR 13,300);
  • Breach of the operating rules for the means of storing, processing or transferring protected computer information, or for access to information systems, contained in the critical information infrastructure, if it caused harm – imprisonment for up to six years with or without removal from the profession for up to three years;
  • If the above crimes are committed by a group of people acting in collusion – imprisonment for up to eight years with or without removal from the profession for up to three years;
  • If the above crimes caused severe consequences – imprisonment for up to ten years with or without removal from the profession for up to five years.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes: the National Coordination Centre for Computer Incidents (NCCCI), created by the Federal Security Service.

8. National cybersecurity incident management structure

Critical informational infrastructure subjects shall inform the Federal Security Service (NCCCI) about all cybersecurity incidents and about the measures taken. The information shall be submitted within three hours (for significant objects) or 24 hours (for other objects) of the incident being detected.

9. Other cybersecurity initiatives 

N/A

Maxim Boulba
Vladislav Eltovskiy