Newsletter: New Strategic Directions Report Released by the Russian Data Protection Authority 

May, 2016 - Maria Ostashenko and Irina Anyukhina

Dear All!

We would like to update you on the recent strategic directions report released by the Russian Data Protection Authority (‘Roscomnadzor’) in connection with the 10th anniversary of the Russian Law on Personal Data (Federal Law No. 152-FZ dated 27 July 2006).

General background

The report was released and presented by Roscomnadzor’s officials at the end of March during a press conference for the media. The document is high-level guidance, which may serve as a reference point for data controllers, data subjects, officials of Roscomnadzor and other stakeholders. It outlines the current status of data protection and the key directions in which Roscomnadzor plans to exercise its supervisory authority in the near future.

The main concerns of Roscomnadzor with respect to data protection in Russia

In a nutshell, the report states that although the current system of personal data protection in Russia is quite effective, many problems remain. Among them, the report mentions the absence of internal policies regulating data processing, as well as a lack of personnel in companies who are qualified enough to handle personal data issues in a professional and efficient manner.

Another concern mentioned is violation of the data minimization principle. In the report, Roscomnadzor also points out that many information resources do not allow data subjects to delete their personal data.

Apart from the above, Roscomnadzor refers to data subjects’ low awareness of their rights in the area of personal data, and to quite widespread abusive practices where data controllers intentionally disregard the requirements of data protection laws because penalties for violations are insignificant.

Key strategic directions of Roscomnadzor

Roscomnadzor refers to the need to increase the level of protection of the right to privacy and to personal and family secrecy, as well as to shape and promote practices aimed at compliance with the data protection laws. It plans to achieve these goals by relying on the following principles:

  • Setting priorities in conducting its activity;

  • Taking into account interests and needs of data controllers operating in different industries;

  • Ensuring participation of business (representatives of data controllers) in Roscomnadzor’s activities;

  • Ensuring transparency and accessibility of Roscomnadzor as the authority protecting data subjects’ rights.

What to expect in the near future

Apart from the broad directions outlined above, the report enumerates some specific measures (along with relevant timeframes), which might be of interest to many data controllers. For example, in 2016 Roscomnadzor intends to proceed with preparing legislative initiatives aimed at differentiating the liability of data controllers for violations of personal data legislation. Currently, under Russian law, there is one general administrative offence for violation of the statutory procedure for personal data processing. It is worth noting that there is currently a draft bill which suggests increasing liability for violation of Russian data protection legislation and differentiating it depending on the type of violation. In particular, it proposes a maximum administrative fine of up to 300,000 RUR (approximately 3,822 EUR), which can be imposed on data operators for certain data protection breaches. Since February 2015, consideration of this document by the State Duma has been “frozen”. However, in the context of the report, we may expect further developments with respect to the draft bill rather soon.

In 2017 Roscomnadzor plans to implement a risk-based approach to supervising compliance with the data protection laws. This implies that the inclusion of data controllers in inspection plans, as well as the depth of their audit by Roscomnadzor, will depend on the likelihood and severity of harm to data subjects in the event of a breach of data legislation by data controllers.

The other measures outlined in the report include:

  • Creation of rating systems for data controllers, their associations and other self-regulatory bodies processing personal data;

  • Conducting analysis (jointly with the Advisory Council of Roscomnadzor) of the peculiarities of data processing in different industries (for example, banking, insurance, communication, tourism and so on), aimed at revealing the main drawbacks of data processing activities in these areas and elaborating comprehensive, definitive and clear recommendations for data controllers;

  • Introducing mechanisms of self-regulation for operators of personal data;

  • Improving the level of awareness among data subjects (especially minors) of their rights related to data protection and privacy.

***

We hope that the information provided herein will be useful for you.

If any of your colleagues would also like to receive our newsletters, please let us know by sending us his/her email address in response to this message. If you would like to learn more about our Data Protection practice, please let us know in reply to this email. We will be glad to provide you with our materials.

If you have any questions, please do not hesitate to contact the Partners of ALRUD Law Firm – Maria Ostashenko ([email protected]) or Irina Anyukhina ([email protected]).

Kind regards,

ALRUD Law Firm

Note: Please be aware that all information provided in this letter was taken from open sources. The author of this letter bears no liability for consequences of any decisions made in reliance upon this information.

 


