HOT TOPICS IN DATA PRIVACY REGULATION IN RUSSIA

Transcription

1 HOT TOPICS IN DATA PRIVACY REGULATION IN RUSSIA Ksenia Andreeva Anastasia Dergacheva Vasilisa Strizh November 27, Morgan, Lewis & Bockius 2017 Morgan, Lewis & Bockius

2 Contents News from the Russian data protection authority (Roskomnadzor) New laws and legislative initiatives in the data privacy field Obtaining data subjects consents: views of the regulator Formalizing cross-border transfers from Russia and to Russia Localization rules: views of the regulator 2

3 General Background Federal Law No. 152-FZ On Personal Data (the PD Law ) of 2006: personal data is any information directly or indirectly related to an identified or identifiable individual no concepts of data controller and data processor concept of data operator, a person that organizes or carries out (alone or together with other persons) the processing of personal data and determines the purposes of processing data processing can be delegated to a third party, who will be acting under the authorization or instruction of the data operator Certain provisions of the PD Law apply to the data operators and third parties that have no legal presence in Russia but target Russian customers Federal Service for Supervision of Communications, Information Technology and Mass Media, or Roskomnadzor, is the data protection authority 3

4 SECTION 01 NEWS FROM ROSKOMNADZOR

5 News from Roskomnadzor Investigations of Roskomnadzor in 2018: 728 inspections revealed violations of the PD Law Administrative fines imposed on the following grounds: processing of personal data without proper legal grounds warning or fine in the amount up to approximately USD 760 failure to obtain a written consent of an individual fine in the amount up to approximately USD 1,140 failure to inform an individual on the processing of his personal data warning or fine in the amount up to approximately USD 610 failure to publish a personal data processing policy warning or fine in the amount up to approximately USD 455 failure to file a notification to Roskomnadzor warning or fine in the amount up to approximately USD 76 5

6 SECTION 02 NEW LAWS AND LEGISLATIVE INITIATIVES IN THE DATA PRIVACY FIELD

7 New laws and legislative initiatives Additional Protocol to Council of Europe Convention No. 108 improvement of the Russian legislation to address the new concept of EU laws new categories of personal data (such as genetic data ) new data subjects rights (e.g., data portability right) new data operators obligations (e.g., to notify on the data leakage) Russia is still not an adequate level of protection country under EU laws The Russian Ministry of Digital Development, Communications and Mass Media introduces new legislative initiatives on personal data anonymization processes 7

8 New laws and legislative initiatives (2) Proposed amendments introducing the big data regulation: big data is a set of information regarding natural persons or their behavior, that (a) does not include any personal data and does not allow to identify person, (b) is collected from a range of sources, including Internet, and (c) exceeds one thousand network addresses obligatory notice to the user required to initiate collection obligatory notification to Roskomnadzor prohibition to use the collected data to identify users The Russian Ministry of Economic Development is preparing its own draft law on the big data 8

9 New laws and legislative initiatives (3) Form of notification to Roskomnadzor regarding personal data processing would likely be amended in 2019 Amendments to various Russian laws expected in the course of Digital Economy program of the Russian Government, including on data transfers in relation to: introduction of electronic sick leave certificates introduction of electronic employment record books data exchange with the Russian tax authorities and the Pension Fund 9

10 SECTION 03 OBTAINING DATA SUBJECTS CONSENTS

11 Individuals consent on data processing Data subjects consent on data processing: must be informative and explicit (no implied consent concept) forms: simple (including electronic) and written qualified must specify the period it is given for must specify - in detail - the purpose of processing (no broad or generic language is allowed) must provide all details on the future sub-operators or sub-processors of personal data (e.g., company names and addresses) Roskomnadzor: A separate consent is required for each processing purpose in instances where the PD Law expressly requires a written qualified consent for this type of processing 11

12 SECTION 04 FORMALIZING CROSS-BORDER TRANSFERS FROM AND TO RUSSIA

13 Cross-border data transfers Cross-border data transfers are allowed No special rules on transfers to the countries providing adequate protection of individuals privacy rights, namely: signatories of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data; and countries included in a publicly available list of countries that provide adequate protection, maintained by Roskomnadzor (e.g., Canada, New Zealand) Cross-border transfer to non-adequate countries is allowed only subject to: written qualified consent of an individual, performance of an agreement to which an individual is a party to, or international treaty Russia is a party to 13

14 Data transfer agreements No concept of intra-group data transfers and no exceptions with respect to such data transfers Data transfers to any third party - whether in Russia or outside Russia are allowed based on the instruction from a data operator (= data transfer agreement) Roskomnadzor s advice on the best practices on the scope of data transfer agreement: clear and detailed rules on data processing by a third party, including limited purposes of data processing requirements of the data operator to the organizational and security measures to be taken by the third party regular audits by the data operator contractual liability of the third party for failure to protect the data transferred to it 14

15 SECTION 05 LOCALIZATION RULES: VIEW FROM ROSKOMNADZOR

16 Main compliance strategies Companies that process significant amount of personal data transfer all data of Russian citizens into a local data center: rent space in an existing data center or create its own data center hire third party vendor providing localization services Other businesses create a database containing employees personal data on a local computer (e.g., in Russian HR department) formalize transfer of data to other companies of the group, by entering into a data transfer agreement include protective language into contracts with IT vendors concerning their compliance with personal data laws including localization requirements 16

17 Follow Us! Morgan Lewis s Tech & Morgan Lewis blog highlights the latest developments and trends affecting technology, outsourcing, and other commercial transactions. ML on and #MLGlobalTech November 29: Hot Topics in Data Privacy Regulation in Russia in Russian 17

18 Biography Ksenia Andreeva Moscow T E ksenia.andreeva@morganlewis.com Ksenia Andreeva specializes in intellectual property (IP) matters. She advises on a wide range of transactional, regulatory, and commercial IP matters as well as disputes and enforcement of IP rights. Ksenia is a registered trademark lawyer and is admitted to represent clients before the Russian Patent and Trademark Office (Rospatent). She also has experience with IP disputes in the Chamber for Patent and Disputes and the Russian commercial courts. Her clients include companies in media, technology, telecommunications, and many other industries. 18

19 Biography Anastasia Dergacheva counsels diverse clients on a variety of matters relating to intellectual property, regulatory, and antitrust matters. Anastasia represents major Russian and multinational companies in a broad spectrum of industries, including entertainment, engineering, information technologies and telecommunications industries. Anastasia Dergacheva Moscow T E anastasia.dergacheva@morganlewis.com 19

20 Biography Vasilisa Strizh Moscow T E vasilisa.strizh@morganlewis.com Vasilisa Strizh represents global and domestic strategic and financial investors across multiple industries, including financial services, mass media and telecommunications, and energy. Vasilisa s practice focuses on cross-border investment, joint venture, and merger and acquisition transactions. Vasilisa also counsels on corporate governance and compliance. She has served as lead lawyer on complex corporate projects, including acquisitions, divestitures and joint ventures, public and private equity offerings, financing, and structured settlements. 20

21 Our Global Reach Our Locations Africa Asia Pacific Europe Latin America Middle East North America Almaty Astana Beijing* Boston Brussels Century City Chicago Dallas Dubai Frankfurt Hartford Hong Kong* Houston London Los Angeles Miami Moscow New York Orange County Paris Philadelphia Pittsburgh Princeton San Francisco Shanghai* Silicon Valley Singapore Tokyo Washington, DC Wilmington *Our Beijing and Shanghai offices operate as representative offices of Morgan, Lewis & Bockius LLP. In Hong Kong, Morgan Lewis operates through Morgan, Lewis & Bockius, which is a separate Hong Kong general partnership registered with The Law Society of Hong Kong as a registered foreign law firm operating in Association with Luk & Partners. Morgan Lewis Stamford LLC is a Singapore law corporation affiliated with Morgan, Lewis & Bockius LLP. 21

22 2018 Morgan, Lewis & Bockius LLP 2018 Morgan Lewis Stamford LLC 2018 Morgan, Lewis & Bockius UK LLP Morgan, Lewis & Bockius UK LLP is a limited liability partnership registered in England and Wales under number OC and is a law firm authorised and regulated by the Solicitors Regulation Authority. The SRA authorisation number is Our Beijing and Shanghai offices operate as representative offices of Morgan, Lewis & Bockius LLP. In Hong Kong, Morgan Lewis operates through Morgan, Lewis & Bockius, which is a separate Hong Kong general partnership registered with The Law Society of Hong Kong as a registered foreign law firm operating in Association with Luk & Partners. Morgan Lewis Stamford LLC is a Singapore law corporation affiliated with Morgan, Lewis & Bockius LLP. This material is provided for your convenience and does not constitute legal advice or create an attorney-client relationship. Prior results do not guarantee similar outcomes. Attorney Advertising. 22