Introduction

In Russia, the definition of "personal data" is rather broad. More specifically, any information (directly or indirectly) related to an identified or identifiable individual (data subject) is considered to be personal data (Article 3 of the Federal Law of July 27, 2006 No.52-FZ "On Personal Data" (as amended) ("PD Law")).

In general, the following pieces of information will qualify as personal data:

  • name and surname,
  • date and place of birth,
  • residing and registration address,
  • family, social and economic status,
  • education, specialization and profession,
  • phone number and e-mail.

The Russian personal data landscape and legal regime are regulated mainly by the PD Law, which has been amended several times, including recently.

Administrative sanctions for breach of the PD Law are set out in the Code of Administrative Offences ("CAO"), in particular in Article 13.11, which establishes sanctions for violation of the statutory procedure for the collection, storage, use and distribution of data related to individuals (personal data).

Prior to July 01, 2017, under that Article the maximum administrative fine a company could face for a typical data protection or privacy breach was RUR 10 000. In practice, there were cases in which even smaller fines were imposed on infringing entities (data controllers).

In Russia, the national personal data watchdog is the Federal Service for Supervision of Communications, Information Technology, and Mass Media ("Roskomnadzor"). That authority is entitled to investigate compliance with the data protection regulations set forth by the PD Law and other related laws.

Prior to July 01, 2017, upon detecting a privacy breach, Roskomnadzor had to collect the appropriate evidence and transfer the administrative investigation file to the Public Prosecution Office, whose officers were in charge of initiating an administrative case and bringing it before the competent court to seek imposition of the relevant fine on the infringing data controller. Because two state agencies were involved, administrative proceedings suffered significant delays, which often resulted in the lapse of the limitation period and dismissal of the initiated cases. For privacy infringement matters, the statutory (administrative) limitation term is three (3) months from the date of the corresponding administrative offense.

Starting from July 01, 2017, Roskomnadzor has been given the legal competence to initiate administrative cases directly by filing administrative offence reports with the competent courts, which render judgments on data protection breaches.

Therefore, all domestic and foreign companies acting as data controllers that collect, store, use, process or transfer personal data with a Russian element need to take into account the newly implemented rules and sanctions for privacy violations in Russia.

Reasons for amendments and legislative history

In 2014, the legislation committee of the Russian State Duma (the lower Chamber of the Russian Parliament) drafted and presented a bill (No. 683952-6) proposing amendments to the CAO that would clarify the provisions establishing liability for infringement of privacy regulations ("Bill"). The Bill was aimed at improving personal data enforcement and ensuring more effective legal protection in response to the growing number of personal data violations in Russia.

In the legislative history of the Bill, the legislators cited the following major reasons for the proposed amendments:

  • intensive development of information and communication technologies, resulting in a growing number of data breaches from the privacy perspective;
  • the then-effective low fines failed to provide adequate remedies against data breaches;
  • specific types of data breaches shall be determined in CAO;
  • liability shall correspond to the general European rules of data protection;
  • the procedure for judicial imposition of fines for data breaches shall be simplified.

In 2015-2016, the Bill was subject to legislative hearings before the Russian State Duma and the Russian Council of Federation (the upper Chamber of the Russian Parliament).

On February 7, 2017, the Bill was signed into law by the Russian President, and the CAO amendments for privacy violations took effect on July 1, 2017.

New administrative rules and sanctions

The previously effective wording of Article 13.11 of the CAO was quite broad and provided no specific types of data protection breaches. The new version of that Article now lists specific categories of administrative offences for privacy violations under the PD Law.

More specifically, the previous wording of Article 13.11 of the CAO read as follows: "breach of the procedure of collection, storage, use or distribution of the data on citizens (personal data)" shall be punishable either with a warning or with the imposition of the following fines:

  • on individuals – from RUR 300 to RUR 500;
  • on company officers (the same for individual entrepreneurs) – from RUR 500 to RUR 1000;
  • on companies – from RUR 5000 to RUR 10 000.

Starting from July 01, 2017, the corresponding data protection breaches have been split into the following specific privacy violations, and the following fines now apply (unless the offense constitutes a crime, where applicable) to the following categories of infringers:

| Violation | Individuals (RUR) | Individual entrepreneurs (RUR) | Officers (company officers or government officials) (RUR) | Companies (RUR) |
| --- | --- | --- | --- | --- |
| Personal data processing in cases not provided for under the applicable laws, or personal data processing incompatible with the processing purposes (warning is possible instead of a fine) | 1 000 – 3 000 | 5 000 – 10 000 | 5 000 – 10 000 | 30 000 – 50 000 |
| Personal data processing without written consent where such consent is required, or with a written consent that does not meet the mandatory requirements | 3 000 – 5 000 | 10 000 – 20 000 | 10 000 – 20 000 | 15 000 – 70 000 |
| Failure to publish or provide access to a privacy policy or to information on personal data protection requirements (warning is possible instead of a fine) | 700 – 1 500 | 5 000 – 10 000 | 3 000 – 6 000 | 15 000 – 30 000 |
| Failure to provide an individual with information on the processing of his/her personal data (warning is possible instead of a fine) | 1 000 – 2 000 | 10 000 – 15 000 | 4 000 – 6 000 | 20 000 – 40 000 |
| Failure to satisfy, within the prescribed term, a request for personal data clarification, blocking or destruction (where the personal data is incomplete, outdated, imprecise, illegitimately obtained or unnecessary for the declared purpose of processing) (warning is possible instead of a fine) | 1 000 – 2 000 | 10 000 – 20 000 | 4 000 – 10 000 | 25 000 – 45 000 |
| Failure, where personal data is processed without automated means, to comply with the security requirements for storing tangible media containing personal data, or with conditions that exclude unauthorized access, if this has resulted in illegitimate or accidental access to personal data or its destruction, modification, blocking, copying, submission or dissemination | 700 – 2 000 | 10 000 – 20 000 | 4 000 – 10 000 | 25 000 – 50 000 |
| Failure of a state or municipal authority to meet its obligation to depersonalize personal data, or to follow the methods or requirements for depersonalization (warning is possible instead of a fine) | N/A | N/A | 3 000 – 6 000 | N/A |

Therefore, if Roskomnadzor investigates and identifies a corresponding data breach committed by a data controller, it is empowered to:

  • initiate an administrative offence case;
  • prepare the administrative offence report against the infringer; and
  • bring the administrative case before the court.

Implications to expect

At this point in time, Roskomnadzor and the Ministry of Communications of the Russian Federation have issued no official recommendations or practical guidance on the possible interpretation and application of these amendments. Therefore, it is generally expected that the new rules and sanctions above will first have to be tested in practice.

At the same time, it is already clear that the Russian IT regulator (Roskomnadzor) reserves the right to conduct scheduled (regular) and non-scheduled (random) privacy compliance checks. For this reason, it makes sense to audit internal data processing operations involving Russian personal data now, together with the underlying documentation and policies, and to bring them into line with the PD Law and the amendments described above.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.