
Processing of Personal Data. What’s new?

Date post: 07-Jul-2015
Upload: awara-group
Description:
Presentation by Anton Kabakov
Processing of Personal Data. What’s new? by Anton Kabakov, Hellevig, Klein & Usov, November 21, 2014
Transcript
Page 1: Processing of Personal Data. What’s new?

Processing of Personal Data. What’s new?

by Anton Kabakov
Hellevig, Klein & Usov

November 21, 2014

Page 2: Processing of Personal Data. What’s new?


From 1.1.2015 all Russian citizens’ personal data should be stored only in Russia!

Page 3: Processing of Personal Data. What’s new?


Amendments to the law:

Russian citizens’ personal data need to be recorded, compiled, stored, refined (updated, modified), extracted using databases located in Russia with certain exceptions.

Page 4: Processing of Personal Data. What’s new?

1. What is considered to be “personal data” and what is not?

2. Is it currently allowed to transfer personal data abroad?

3. What are the changes to the law and what do they really state?

4. When are these changes expected to come into force?

Page 5: Processing of Personal Data. What’s new?

• The Russian definition of "personal data" is "broad" and borrowed from European Union law

Russia (Art. 3 (1)(1) of the Federal Law On Personal Data dated July 27, 2006):

Any information related to a directly or indirectly identified or identifiable natural person.

European Union (Art. 2 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data):

Any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, psychological, mental, economic, cultural or social identity.

Page 6: Processing of Personal Data. What’s new?

Which data are sufficient to identify a person?

Vadim Ampelonsky (official representative of the state controlling body, Roskomnadzor): "The minimum set of personal data necessary for the identification of the person is a combination of the first and last name and photograph of the subject" (http://lenizdat.ru/articles/1124854/).

Physiological and biological features of a person on the basis of which one can identify him (Part 1, Art. 11 of the Law On Personal Data).

Can a person be identified by the IP-address of his computer, his e-mail account, or Skype account?

Page 7: Processing of Personal Data. What’s new?

Mr. Simpson

Mr. Homer Jay Simpson

Mr. Homer Jay Simpson, Safety Inspector at the Springfield Nuclear Power Plant

Page 8: Processing of Personal Data. What’s new?

Information considered to be personal data identifying a person:

Passport data

Fingerprinting information

Name together with photograph

Name together with the date of birth, and information about the parents and their dates of birth

Information not sufficient to identify a person and not considered personal data:

Solely the name or registered address of the person

Blood group, etc.

Nationality


Page 9: Processing of Personal Data. What’s new?

Kinds of personal data.

Public

Biometric

Special ("sensitive"), i.e., data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, health, private life

Depersonalized? Is it still personal data if the natural person is not any longer identifiable?

NEW REGULATION WILL APPLY TO ALL KINDS OF PERSONAL DATA

Page 10: Processing of Personal Data. What’s new?

Law On Personal Data:
Cross-border transfer of personal data to foreign states that are parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as other foreign countries ensuring adequate protection of the rights of subjects of personal data is carried out in accordance with this federal law, and may be prohibited or limited in order to protect the constitutional system of the Russian Federation, morality, health, rights and lawful interests of citizens, national defense and state security.

Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data:
A party shall not prohibit or subject to special authorization cross-border flows of personal data going to the territory of another party, for the sole purpose of protecting privacy.

Page 11: Processing of Personal Data. What’s new?

Ministry of Labor guidelines

Amendments to Administrative Offenses and Criminal Codes

Sure, if personal data is transferred to foreign countries:

a) Parties to the Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data (which Russia is a party to) OR

b) Ensuring adequate protection of the rights of the subjects of the personal data OR

c) Any of the countries with the written consent of the individual

Exceptions: Race, political opinion, religious convictions or other beliefs, health or private life, criminal record.

Page 12: Processing of Personal Data. What’s new?

Russian citizens’ personal data will need to be recorded, compiled, stored, refined (updated, modified), extracted using databases located in Russia.

State authorities will be entitled to block the site violating the law On Personal Data.

Companies will be required to notify the state agency of the location of the database with personal data.

Page 13: Processing of Personal Data. What’s new?

When are these changes expected to come into force?

Who falls under its scope? Territorial or extraterritorial principle of operation of the new law?

Are all categories of personal data of Russian citizens (public, biometric, special) prohibited from being stored using a database located abroad?

Will it not be possible to store personal data abroad, duplicating it on the Russian databases (mirrors)?

If personal data is stored on a mobile device (phone, laptop), how to comply with the requirement to keep it in Russia?

Page 14: Processing of Personal Data. What’s new?

Personal data may be recorded and stored abroad in cases where processing of personal data is necessary for inter alia:

achieving the goals of an international treaty of the Russian Federation or the law, for fulfillment of operator’s obligations / function set out by law

Does this mean that mandatory HR information may be stored abroad as previously?

Page 15: Processing of Personal Data. What’s new?

If data is transferred cross border, apparently it will be stored abroad.

As long as cross-border transfer of personal data is allowed, there could be no prohibition to store data abroad.

It is possible to have solely mirror-databases in Russia

Page 16: Processing of Personal Data. What’s new?

Questions and Responses

Question: How do the restrictions correlate with the Convention of the Council of Europe?

Response: Opinion of Roskomnadzor:
- Personal data may be transmitted abroad. After use it must be deleted;
- Personal data may not be stored abroad.

Question: Can personal data be stored in Russia and abroad?

Response: Opinion of presidential administration: No. It must be stored only in Russia.

Question: Can one store depersonalized personal data abroad?

Response: Technically, yes.

Page 17: Processing of Personal Data. What’s new?

A public authority may require the hosting provider to block the site on the basis of a court decision.

Fine on the offending company of up to RUB 10,000

Page 18: Processing of Personal Data. What’s new?

Obtaining explanations

Imposition of a disciplinary penalty

Individual files a claim together with the court decision to state agency

Court rules that site violates Law on Personal Data

Hosting provider sends notice to owner of resource

State agency sends notice to hosting provider

Owner of resource must remove the violation

Hosting provider limits access

Page 19: Processing of Personal Data. What’s new?

Imposition of a disciplinary penalty

State agency opens access

Owner of resource or hosting provider contacts state agency

Owner of resource removes violation / Court cancels earlier decision

Page 20: Processing of Personal Data. What’s new?

American and European models of cross-border transfer of personal data

The Russian model for cross-border transfer of personal data leans toward that of the EU.

USA:

There are no restrictions on cross-border transfer of personal data

Is not a country that provides the appropriate level of protection of personal data from the EU perspective

Safe Harbor Regulations

European Union:

Cross-border transfer of personal data is allowed only in countries that ensure an adequate level of protection of these data

Requirements for the cross-border transfer of personal data can be applied to their subsequent transfer (art. 40 of the Proposal for a General Data Protection Regulation)

Planned transition from territorial to extraterritorial model (item 19 of the Preamble of the Proposal for a General Data Protection Regulation)

Page 21: Processing of Personal Data. What’s new?

Recommendation:

Notify state authorities of personal data processing. If the company plans to process personal data, we recommend that prior to the entry into force of the law it notify the state authority. In that case, it does not need to specify the location of the databases with personal data.

Duplicate personal data in Russia, keeping original data abroad?

Transfer depersonalized data abroad?

Audit HR documents to identify those which may be stored abroad

Duplicate personal data stored on mobile devices on servers located in Russia?

Page 22: Processing of Personal Data. What’s new?

• Measures must be necessary and sufficient to protect personal data against unauthorized access, destruction, copying, distribution or other misuse.

• The operator independently determines the composition and the list of measures that are necessary and sufficient to fulfill the requirements of the Law.

Legal and organizational:

Consent to process personal data,

Local policy documents in relation to the processing of personal data,

Evaluation of the harm that may be caused to citizens in the case of the processing of their personal data in violation of the law,

Ensure unlimited access to policy documents of the operator in respect of the processing of personal data which meet the requirements for the protection of personal data.

Technical:

Accounting for machine storage devices of personal data,

Application of approved procedures for assessment of means of information protection,

Recovery of personal data, modified or destroyed by unauthorized access to it.

Page 23: Processing of Personal Data. What’s new?

15.1.2012

Offices in 3 countries:

Russia

Ukraine

Finland

150 professionals at your service

Partnerships:

AEB

AmCham

AHK

SVKK

SPIBA

Page 24: Processing of Personal Data. What’s new?

Call-center for all offices:

+7 495 225 30 38

Anton Kabakov

[email protected]

+7 (921) 397 1193
