Russia’s Federal Law of 27 July 2006 No. 152-FZ on Personal Data (‘the Law on Personal Data’) aims to guarantee protection for individuals’ personal data and apply to organisations that collect, use, or share such data.
On 1 March, 2021 the Federal Law of 30 December 2020 No 519-FZ on Amendments to the Federal Law On Personal Data, which amends the Law on Personal Data, came into effect (except for one section that is due to come into effect on 1 July, 2021) (“Amendments”).
The Amendments significantly change the legal landscape for entities that wish to publish personal data on the internet and offline, for example, employer’s vis-à-vis employees. The changes essentially give more control to data subjects on the processing of their personal data for dissemination purposes. The introduction of a specific definition relating to personal data that is permitted by a data subject for dissemination (“Personal Data Permitted for Dissemination”) will see the following become part of applicable data laws in Russia:
Personal Data Permitted for Dissemination, access to which is granted to the general public as authorized by the data subject by giving a consent to the processing of personal data.
In essence, this means that any interested data operator will only be able to rely on a data subject’s consent when placing the personal data in publicly accessible sources and any further use of it after publication. The purpose of this as defined in the explanatory notes to the Amendments is to prevent “the collection and uncontrolled use of such personal data on websites for purposes different from the initial purpose for which it was disseminated”.
The Amendments further provide that the form and the content of the consent are to be established by the authorized agency responsible for the protection of the rights of personal data subjects (“Roskomnadzor”).
What consent requirements do data operators need to consider?
With such an emphasis on consent we have provided a summary of the new requirements below:
- Default Position:
- If the data subject permits the transfer of data to the general public, then the consent must contain a direct indication that the data can be transferred to the general public. The conditions and prohibitions must be expressly specified in the This is a mandatory requirement.
- The absence of conditions and prohibitions in the consent means the operator is allowed to process such personal data, but without transfer (distribution, provision, access and other actions) to the general public.
- Granular: The consent should be given separately from other consents and be specific for each purpose.
- With regards to the publication of employee data, employers are now under a greater burden. Previously, employers could have obtained consent from an employee for the processing of his/her personal data for HR purposes and that consent could have included the authorization to post the employee’s details on the corporate website, however from the 1 March 2021 such consent must be obtained separately.
- Explicit: The Amendments states that explicit consent is required – consent by default is not valid. Previously it was only assumed, but not clearly stated in the law.
- Conditions and Prohibitions: The data subject is entitled to list personal data and to impose prohibitions on release (other than access) and the terms of the processing (other than the grant of access).
- This shift now allows an employee to give his/her consent to an employer to publish his/her personal data (such as a photo, name, education, work experience, key qualifications etc.) on a corporate website and simultaneously impose a prohibition on a further transfer of this data. This could include the transfer to potential clients as a part of a proposal for rendering services.
- Publishing: The operator is required to publish information on the terms of the processing and the existence of any prohibitions within three business days from the receipt of the consent. This puts an obligation on operators to consider any prohibitions or restrictions on the further release, transfer or other processing of personal data to the general public and then promptly in the interest of transparency, make this information available. This obligation comes in to force as of 1 March 2021.
- Right to withdraw consent: The Amendments reconfirm the right of a data subject to revoke the consent.
What options do third parties have?
The multiplier effect of such a burden on data operators and emphasis on consent will also be evident in third party relationships. From the 1 March, 2021 third parties who intend processing Personal Data Permitted for Dissemination therefore have three options:
- to rely on the consent obtained by the data operator from the data subject when processing Personal Data Permitted for Dissemination, subject to compliance with the rules of data processing;
- to rely on the consent provided by a data subject to Roskomnadzor via a dedicated web-based platform to be set up under the law, but also subject to compliance with the rules of data processing (this option will become available starting from 1 July 2021); or
- to ensure on their own that they have appropriate legal grounds as per the general requirements of the Law on Personal Data.
It remains to be seen whether consent(s) obtained before 1 March 2021 are still valid. In addition, whether there is any retroactive effect of the Amendments (i.e. whether it is necessary to obtain new consent in accordance with the new requirements) remains unclear.
Roskomnadzor has published a draft order, which describes in more details the form and the content of the consent, however to date the order has not been formally approved. It is expected that we will soon have further clarity on certain provisions of the Amendments (e.g., the requirements to the consent as noted above; proving the legality of subsequent dissemination in cases of leaks; force majeure; and releases of data by the data subject without issuing the consent). To date, Roskomnadzor has not issued such clarifications.
Recommendations
In light of the above, we would recommend operators and third parties do the following:
- Monitor updates and clarifications from the Roskomnadzor with respect to the regulation of the processing of Personal Data Permitted for Dissemination.
- Revise policies on the protection of Personal Data Permitted for Dissemination to align to the Amendments.
- Where applicable, review all consents and amend them as appropriate. In particular, if an organisation has published details of its employees on its corporate website, their consents would now need to be obtained applying the requirements set out in the Amendments.
- Publish Information on the terms of processing and the existence of any prohibitions in respect of Personal Data Permitted for Dissemination.
In light of these changes, any operator wishing to have the ability to process Personal Data Permitted for Dissemination should now consider what changes would need to be made to its policies and consents to ensure it will be compliant with the Amendments. We anticipate that there may be some official guidance made by Roskomnadzor to flesh out some of these rules, particularly around the content of the consent and the retroactive effect of the Amendments, so this story is not yet fully complete.
If you have any queries in relation to these changes, please contact the author.