
Data Protection & Privacy Laws 2017 / Russian Federation

25 November 2017

Do you believe companies fully understand their duties of confidentiality and data protection in an age of evolving privacy laws?

Data protection and cyber security have become the trendiest and most discussed topics in the information technology (IT) sector worldwide in the last few years. Russian jurisdiction is not an exception in this regard. Indeed, in the age of the development of the digital economy and evolving privacy laws, companies, including those that are present in the Russian market as well as foreign investors, tend to generally assess their data protection strategies in order to mitigate the associated risks. In my personal opinion, not all of them are fully aware of their rights and obligations in this particular area, especially their confidentiality duties when processing personally identifiable information (PII). For many companies, indeed this might be a challenge, especially following tougher sanctions for data breaches on a local and global level. More specifically, I am talking about local privacy policy rules, general data security measures, the recently implemented data localisation requirements and the effectuation of the General Data Protection Regulation (GDPR), which can also affect cross-border data flows related to Russia.

As companies increase their data processing activities, including handling, storage and transfer, what regulatory, financial and reputational risks do they face in the Russian Federation?

In Russia, companies that illegally or wrongly manipulate data can face different regulatory, financial as well as reputational risks. For example, an online platform or website that is collecting the PII of Russian citizens can be blocked, provided that the operator of such a platform or website does not store the collected PII in a database located in Russia. As a result, such an online block may damage the company's reputation. Also, failure to publish the company's privacy policy on the website or make it public can result in an administrative fine of up to R30,000. Further, electronic marketing, mailing and other communications should be sent out only with the explicit consent of the recipients, along with an option to opt-out, to avoid criminal prosecution. In addition, violating data protection rules in general, including breaching licence terms, if applicable, using non-certified IT systems, and failing to observe the requirements for protecting state secrets, can lead to various other administrative penalties.

What penalties might arise for a company that breaches or violates data or privacy laws in the Russian Federation?

Prior to 1 July 2017, from a purely PII enforcement perspective, penalties for data breaches and privacy violations were insignificant. In practice, the maximum fine a company might have faced in the past for a typical data infringement was R10,000. Since then, sanctions for various types of privacy violations have been substantially increased by the Russian government, at least on the administrative side. Certain administrative penalties for corresponding data breaches may reach a maximum of R70,000, for example. In addition to administrative sanctions, there are, of course, civil and criminal liabilities set forth by law, which companies should note to avoid data infringement.

What insights can we draw from recent cases of note? What impact have these events had on the data protection landscape?

In re Telegram, the Russian Court fined the instant messaging service R800,000 for a failure to provide the Federal Security Service (FSS) with the information necessary to decode messages, as prescribed by Article 10.1 (4.1) of the Russian Data Protection Act. The law requires all messaging services to ensure the confidentiality of their users' communications. In this case, FSS, although entitled to see such communications, was refused access by Telegram, which argued that it lacked control over the encoding and decoding processes. Therefore, the Telegram case, which may be appealed in the near future, clearly shows that if the relevant technology of the messenger does not allow state authorities to get access to the decoded information, this may be deemed a data breach. According to the provisions of Article 10.1 of the Russian Data Protection Act, instant messaging services must be registered in the first place, and are required to collect users' data, and store the content of users' communications in Russia within statutory periods.

In your experience, what steps should a company take to prepare for a potential data security breach, such as developing response plans and understanding notification requirements?

To avoid or to prepare for a potential data security breach, a company must take all necessary and sufficient measures to comply with the data protection legislation. This may include appointing a competent data protection officer, applying for and securing relevant legal, organisational and technical security measures, performing regular internal control and audits to ensure data processing compliance, evaluating damage that may be caused to data subjects in the event of data breaches and disclosing the relevant provisions of data protection law to employees. Apparently, additional security measures, such as the location of security threats, the use of certified methods of data protection such as encryption, and notifying data subjects about any unauthorised access to PII, should be established by the company. In any event, a company must take the appropriate legal, organisational and technical measures to protect personal data against any illegal or accidental access, destruction or modification, copying or distribution, as follows from the law.

What can companies do to manage internal risks and threats arising from the actions of rogue employees?

When processing the personal data of employees, it is very important to have a clear 'picture' of general data protection requirements set forth by the labour and employment legislation, in addition to requirements provided by the Russian Data Protection Act and Russian Personal Data Protection Act. In particular, companies should collect employees' data by carefully defining its volume and content and by obtaining it directly from respective employees. Also, companies should provide employees with an opportunity to become familiar with internal data protection documents, as well as their own rights and obligations - in advance and confirmed by signature. Companies and employees should together develop data enforcement strategies against actual or potential data infringements. Training sessions should be conducted on a regular basis. When transferring employees' data to third parties, companies should not use such data for any commercial purposes or without employees' consent, as recent court practice has demonstrated.

Would you say there is a strong culture of data protection developing in the Russian Federation? Are companies proactively implementing appropriate controls and risk management processes?

A strong culture and public awareness of the data protection regime is now developing in Russia. When approving the national IT strategy for 2017-2030, the Russian president put privacy at the top of the state's current focus in terms of the emergence and distribution of new digital technologies, including Big Data, artificial intelligence, cloud computing, the Internet of Things (IoT) and robotics. The Ministry of Telecom and Mass Communications of the Russian Federation, together with the Federal Service for Supervision of Communications, Information Technology and Mass Media - the local IT 'watchdogs' - are currently acculturating businesses and individuals in this respect by sending news, organising conferences and responding to questions from the public. Court practice on data infringement issues is progressing through new precedents reconfirming that appropriate and constant IT controls as well as data risk management processes are a must when doing business in Russia.