
RUSSIA - Data Protection and GDPR Review


History of Data Protection in Russia


The history of data protection in Russia is a relatively recent development and has taken shape in the context of broader political, legal, and technological changes. It is also distinct from Western and EU models given the country's unique governance structure and geopolitical priorities. Here's an overview of key events and legislation that have shaped Russia's data protection landscape.


Early 2000s: Initial Steps


In the early 2000s, Russia took its first significant steps toward data protection with the adoption of laws governing personal and confidential information. However, these were mostly sector-specific regulations focusing on areas like healthcare, finance, and telecommunications.


2006: Federal Law on Personal Data


In 2006, Russia adopted Federal Law No. 152-FZ "On Personal Data," which represented the country's first comprehensive legislation on data protection. This law laid the groundwork for data protection principles like data subject rights, data controller responsibilities, and data transfer guidelines.


2011: Amendments and Regulations


In 2011, significant amendments were made to the Federal Law on Personal Data, including the introduction of a requirement to obtain consent for data processing and the specification of data subject rights. The amendments aimed to bring Russian law closer to international standards.


2014: Data Localization Law


Perhaps the most significant and controversial data protection development in Russia was the adoption of the Data Localization Law in 2014. This law mandates that data operators must collect, store, and process the personal data of Russian citizens on servers located within Russia.


2015: Implementation and Enforcement


The Data Localization Law came into effect in September 2015, and its implementation has led to several high-profile cases where international companies were required to relocate their data storage facilities to Russia.


2017: VPN and Search Engine Laws


In 2017, Russia enacted laws that further tightened internet controls. The laws restricted the use of VPNs and anonymizers that could be used to access websites banned in Russia and required search engines to comply with the state's information blocklist.


2019: Sovereign Internet Law


In 2019, the "Sovereign Internet Law" was enacted, aimed at creating a national internet network that could operate independently from the global internet. Although not strictly a data protection measure, it has implications for how data is routed and stored.


Ongoing Developments


Data protection continues to evolve in Russia, with increasing regulatory activities and proposed amendments to existing laws. The tension between international standards and national sovereignty remains a defining feature of Russia’s data protection landscape.


Russia’s history of data protection reflects its unique geopolitical situation and governance priorities. The country has developed its own set of data protection laws, distinct from Western and EU standards, but aimed at safeguarding the personal data of its citizens while also maintaining a level of state control. With the increasing digitization of society and the evolving global data landscape, it is likely that Russia’s approach to data protection will continue to evolve.


While Russia has its own distinct set of data protection laws, the country is increasingly engaging with international companies and European Union (EU) member states, where GDPR is enforced. This guide will help you understand how data protection works in Russia and its relationship with GDPR.


Table of Contents


1. Regulatory Framework

2. Key Legislation

3. Russia's Data Localization Law

4. Data Subject Rights

5. Consent Requirements

6. Data Breach Reporting

7. International Data Transfers

8. Comparisons with GDPR

9. Compliance for Businesses

10. Penalties and Enforcement

11. FAQs

12. Future Outlook


1. Regulatory Framework


- Roskomnadzor: The Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) is the main regulatory authority for data protection in Russia.


2. Key Legislation


- Federal Law No. 152-FZ "On Personal Data" (2006): This is the cornerstone of Russia’s data protection laws.


3. Russia's Data Localization Law


- Federal Law No. 242-FZ: Also known as the Data Localization Law, it mandates the storage and processing of personal data of Russian citizens on servers located in Russia.


4. Data Subject Rights


Russian citizens have the right to:


- Access their data.

- Correct inaccurate data.

- Opt out of data processing for marketing purposes.


5. Consent Requirements


- Explicit, informed consent is generally required for data processing.

- Consent for children under the age of 14 requires parental approval.


6. Data Breach Reporting


- Data breaches must be reported to Roskomnadzor and affected data subjects, though the timelines are not as stringent as GDPR’s 72-hour requirement.


7. International Data Transfers


- Data about Russian citizens must first be stored in Russia.

- Cross-border data transfers are allowed if the foreign country provides adequate data protection levels.


8. Comparisons with GDPR


- GDPR emphasizes data subject rights more strongly, including the right to data portability and the right to be forgotten, which are not expressly mentioned in Russian law.

- GDPR has a more stringent timeline for data breach notifications.

9. Compliance for Businesses


- Data Processing Notification: Russian companies must notify Roskomnadzor before processing personal data.

- Data Protection Officer: There is no mandatory requirement, unlike under GDPR, but having one is advised.


10. Penalties and Enforcement


- Non-compliance can result in administrative fines, temporary suspension of data processing activities, and even criminal penalties in extreme cases.


11. FAQs


- Is GDPR applicable in Russia? Generally, no. But if a Russian company operates within the EU, GDPR may apply to its activities there.

- How does Russian law differ from GDPR? Russian law places more emphasis on data localization, and it does not have as broad a range of data subject rights as GDPR.


12. Future Outlook


- Emerging technologies and increasing international commerce are likely to impact Russia’s data protection landscape.

- Ongoing tension between national sovereignty and international data standards.


Conclusion


Russia has its own regulatory framework for data protection, distinct from GDPR. However, international companies operating in Russia and Russian companies operating in the EU must be aware of and comply with both sets of regulations. With evolving data protection norms globally, the Russian data protection landscape is likely to continue changing.


Disclaimer: This guide is for informational purposes only and should not be considered as legal advice. Consult legal experts for advice tailored to your specific circumstances.
