HOT TOPICS IN DATA PRIVACY REGULATION IN RUSSIA Ksenia Andreeva Anastasia Dergacheva Vasilisa Strizh Brian Zimbler

Transcription

1 HOT TOPICS IN DATA PRIVACY REGULATION IN RUSSIA Ksenia Andreeva Anastasia Dergacheva Vasilisa Strizh Brian Zimbler November 14, Morgan, Lewis & Bockius

2 Contents Year in review: new laws, initiatives and recent cases in the data privacy field News from the Russian data protection regulator, Roskomnadzor Hottest topics: Consents and other legitimate grounds for personal data processing Transfers of personal data to third parties including cross-border transfers as the new EU regulations (GDPR) become effective Localization of data storage: recent trends 2

3 General Background Federal Law No. 152-FZ On Personal Data (the PD Law ) of 2006: based on the EU Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data personal data is any information directly or indirectly related to an identified or identifiable individual (data subject) no concepts of data controller and data processor concept of data operator, a person that organizes or carries out (alone or together with other persons) the processing of personal data and determines the purposes of processing data processing can be delegated to a third party, who will be acting under the authorization or instruction of the data operator It applies to all data operators and third parties acting under the authorization of data operators. Certain provisions of the PD Law apply to the data operators that have no legal presence in Russia but target Russian customers Federal Service for Supervision of Communications, Information Technology and Mass Media, or Roskomnadzor, is the data protection authority 3

4 SECTION 01 YEAR NEW LAWS, INITIATIVES AND COURT CASES IN THE DATA PRIVACY FIELD

5 Administrative Fines Effective as of 1 July 2017 New version of Article of the Russian Administrative Offences Code is effective from 1 July 2017: Before: 1 violation (generic) with maximum fine of 10,000 Rubles (about US$170) Now: 7 violations with different fines up to 75,000 Rubles for each (about US$1290) Streamlined enforcement procedure Roskomnadzor may directly issue notices of administrative violations and impose fines Roskomnadzor does not need to involve the general prosecutor s office No clarity on how to calculate fines one fine per individual whose rights are violated? one fine per violation, regardless the number of individuals affected? Who is liable data operator or third party processing data under the operator s instruction? What if the data operator or third party processor has no legal presence in Russia? 5

6 New Guidelines from Roskomnadzor Roskomnadzor s Code of Good Practices (available at Roskomnadzor s official website) May 2017: new Guidelines for notifying Roskomnadzor on the commencement of personal data processing (= registration with Roskomnadzor) June 2017: list of countries providing for adequate protection of personal data: + New: Costa Rica, Qatar, Mali, Singapore, South Africa, Gabon, Kazakhstan July 2017: Roskomnadzor published recommendations for drafting personal data policies November 2017: Roskomnadzor offered new interpretation of certain important concepts, during its VIII Annual Conference on Personal Data 6

7 New Legislative Initiatives Draft Law No : introduced to State Duma on November 3, 2017 personal data of minors = special sensitive data category additional complex rules for processing of personal data of minors Draft Law No (amendments to Anti-Money Laundering Law): approved in the 1 st hearing on September 27, 2017 biometric personal data of banks clients will be available in the Unified System of Identification and Authentication further processing of such biometric data by other banks is subject to consent of the data subject signed by simple e-signature Draft Law on Big Data: Roskomnadzor may release the draft by the end of 2017 expected to reflect Roskomnadzor s position on non-traditional personal data, including IP addresses, log files, login details, cookies, or any other information or technology (e.g., website analytics, targeted online advertising) 7

8 Old Initiative (Still on the Table) Draft Law No On Introduction of Changes to Personal Data Law and Article 28.3 of the Russian Administrative Offences Code new definition of data processor express provisions on electronic form of data processing consent additional ground for cross-border transfer to inadequate countries obligation to notify leakage of personal data to Roskomnadzor Status of the Draft Law: introduced to the State Duma in 2013 approved in the 1 st hearing on May 26, 2017 revised draft law for the 2 nd hearing is still pending 8

9 Court Practice: Vkontakte v. Double Data January 2017: Vkontakte filed a lawsuit against Double Data and National Bureau of Credit Histories for the alleged violation of IP rights of the manufacturer of the social network users database unauthorized commercial use of users personal data August 2017: Settlement agreement with National Bureau of Credit Histories concept of publicly available data and limits of its collection/use October 2017: Moscow City Arbitrazh Court ruled in favor of Double Data respondent s software retrieves only public data of users and cannot access private profiles owners of information contained in the users profiles are users themselves, not the database owner legal grounds for personal data processing have not been assessed by the court 9

10 SECTION 02 NEWS FROM ROSKOMNADZOR

11 News from Roskomnadzor Roskomnadzor encourages companies that process large volumes of personal data to have their strategy on data processing approved by the regulator As a part of systematic monitoring of the market, Roskomnadzor determines companies that are not yet registered with Roskomnadzor and requests explanations on the grounds of data processing (approximately 12,000 requests circulated in Y2017) Scheduled inspections list for Y2018 will be published at the beginning of December 2017 Unscheduled inspections 3 working days notice + possible extension, at the request of the operator In Y2018 most of the inspections are expected to be documentary and on-site 11

12 Roskomnadzor Inspections: From July 2017 to date Administrative violations under new Article of Russian Administrative Offences Code 13% 5% Processing of personal data without legal grounds or in a manner that is incompatible with the purposes of their collection Failure to comply with the requirements for obtaining written consent of individuals 21% 10% 51% Failure to publish or otherwise make publicly available the personal data processing policy Failure to amend, block access to or destroy personal data at the legitimate request of a data subject or competent authority Breach of the secure storage rules for tangible media objects 12

13 SECTION 03 CONSENT ON DATA PROCESSING AND OTHER LEGITIMATE GROUNDS FOR PERSONAL DATA PROCESSING

14 Individual s Consent on Data Processing Data subject s consent on his/her data processing informative and explicit (no implied consent concept) forms: simple, written and electronic what are the differences? Term (consents must specify the period they are given for) retroactive consents are they possible? consents to process data indefinitely are they allowed? Purposes of data processing clear and specified, no broad or generic language is allowed separate consent for each processing purpose separate consent for direct marketing activities Roskomnadzor s advice on the best practices for obtaining consents on paper in electronic form 14

15 Other Legitimate Grounds for Data Processing Limited grounds for legitimate data processing without individual s consent (Article 6 of the PD Law): for performance of a contract to which the data subject is a party to, or where the data subject is the beneficiary or guarantor to protect data operator s or third parties rights and interests, or for public purposes, provided there are no violations of rights and freedoms of the individuals if the data processing purposes are explicitly defined by an international treaty for certain judicial purposes to protect life, health or other vital interests of the individual as a part of professional journalistic, media, scientific, literary or other creative activities for statistical or other scientific purposes (provided the relevant personal data has been made anonymous) if data has been made publicly available by the individual or at his request (caution: not all publicly available data will qualify) if data includes data which must be made publicly available or disclosed under Russian law 15

16 SECTION 04 TRANSFERS OF PERSONAL DATA TO THIRD PARTIES

17 Transfers of Personal Data to Third Parties All countries that are signatories to the Strasbourg Convention are considered to be jurisdictions that provide adequate protection of the rights and interests of data subjects Transfers to the countries that do not provide adequate protection require written consent of individual, unless one of the exemptions applies Transfers from Russia to any third party whether in Russia or outside Russia are allowed based on the instruction from data operator (= data transfer agreement) Roskomnadzor s advice on the best practices on the scope of instruction (= data transfer agreement): clear and detailed rules on data processing by a third party purposes of processing organizational measures security measures regular audits by the data operator additional grounds for liability No recommended form from Roskomnadzor 17

18 GDPR regulations Impact on Data Transfers According to Roskomnadzor, GDPR requirements will not be applicable to data processing conducted in Russia, except for the limited cases of specifically targeting EU customers Registration as a data operator approach of EU regulations v. Roskomnadzor practice Russian law requirements generally applicable to any transfers to the EU operator s instruction / data transfer agreement no special rules on transfers between group companies (means the general rules apply) 18

19 SECTION 05 LOCALIZATION OF DATA STORAGE: RECENT TRENDS

20 Main Compliance Strategies Companies that process significant amount of personal data transfer all data of Russian citizens into a local data center: rent space in existing data center or create own data center hire third party vendor providing localization services Other businesses create a database containing employees personal data on the local computer (e.g. in HR department); and formalize transfer of data to other companies of the group by entering into a data transfer agreement; and include protective language into contracts with IT vendors re compliance with personal data laws, including localization requirements. 20

21 Follow Us! Morgan Lewis s Tech & Morgan Lewis blog highlights the latest developments and trends affecting technology, outsourcing, and other commercial transactions. ML on and #MLGlobalTech November 17: Hot Topics in Data Privacy Regulation in Russia in Russian 21

22 Biography Ksenia Andreeva Moscow T E ksenia.andreeva@morganlewis.com Ksenia Andreeva specializes in intellectual property (IP) matters. She advises on a wide range of transactional, regulatory, and commercial IP matters as well as disputes and enforcement of IP rights. Ksenia is a registered trademark lawyer and is admitted to represent clients before the Russian Patent and Trademark Office (Rospatent). She also has experience with IP disputes in the Chamber for Patent and Disputes and the Russian commercial courts. Her clients include companies in media, technology, telecommunications, and many other industries. 22

23 Biography Anastasia Dergacheva counsels diverse clients on a variety of matters relating to intellectual property, regulatory, and antitrust matters. Anastasia represents major Russian and multinational companies in a broad spectrum of industries, including entertainment, engineering, information technologies and telecommunications industries. Anastasia Dergacheva Moscow T E anastasia.dergacheva@morganlewis.com 23

24 Biography Vasilisa Strizh Moscow T E vasilisa.strizh@morganlewis.com Vasilisa Strizh represents global and domestic strategic and financial investors across multiple industries, including financial services, mass media and telecommunications, energy, and pharmaceuticals and life sciences. Vasilisa s practice focuses on cross-border investment, joint venture, and merger and acquisition transactions. Vasilisa also counsels on corporate governance and compliance. She has served as lead lawyer on complex corporate projects, including acquisitions, divestitures and joint ventures, public and private equity offerings, financing, and structured settlements. 24

25 Biography Brian Zimbler Moscow/Washington DC T Brian L. Zimbler advises on cross-border investment and financial matters, primarily in emerging markets. He has more than 25 years of experience with transactions involving Russia, Kazakhstan, and other countries in the former Soviet Union. Brian serves as the Managing Partner of the Moscow office, and has advised on some of the largest foreign investments in the region. Brian represents clients in a wide range of industries, including energy, manufacturing, media, pharmaceuticals and life sciences, real property, retail, and technology. T E brian.zimbler@morganlewis.com 25

26 Our Global Reach Our Locations Africa Asia Pacific Europe Latin America Middle East North America Almaty Astana Beijing* Boston Brussels Century City Chicago Dallas Dubai Frankfurt Hartford Hong Kong* Houston London Los Angeles Miami Moscow New York Orange County Paris Philadelphia Pittsburgh Princeton San Francisco Shanghai* Silicon Valley Singapore Tokyo Washington, DC Wilmington *Our Beijing and Shanghai offices operate as representative offices of Morgan, Lewis & Bockius LLP. In Hong Kong, Morgan Lewis operates through Morgan, Lewis & Bockius, which is a separate Hong Kong general partnership registered with The Law Society of Hong Kong as a registered foreign law firm operating in Association with Luk & Partners. 26

27 2017 Morgan, Lewis & Bockius LLP 2017 Morgan Lewis Stamford LLC 2017 Morgan, Lewis & Bockius UK LLP Morgan, Lewis & Bockius UK LLP is a limited liability partnership registered in England and Wales under number OC and is a law firm authorised and regulated by the Solicitors Regulation Authority. The SRA authorisation number is Our Beijing and Shanghai offices operate as representative offices of Morgan, Lewis & Bockius LLP. In Hong Kong, Morgan Lewis operates through Morgan, Lewis & Bockius, which is a separate Hong Kong general partnership registered with The Law Society of Hong Kong as a registered foreign law firm operating in Association with Luk & Partners. This material is provided for your convenience and does not constitute legal advice or create an attorney-client relationship. Prior results do not guarantee similar outcomes. Attorney Advertising. 27