Processing of Personal Data. What's new?
by Anton Kabakov, Hellevig, Klein & Usov
November 21, 2014
Jul 07, 2015
From 1.1.2015 all Russian citizens’ personal data should be stored only in Russia!
Amendments to the law: Russian citizens' personal data need to be recorded, compiled, stored, refined (updated, modified) and extracted using databases located in Russia, with certain exceptions.
1. What is considered to be "personal data" and what is not?
2. Is it currently allowed to transfer personal data abroad?
3. What are the changes to the law and what do they really state?
4. When are these changes expected to come into force?
• The Russian definition of "personal data" is "broad" and borrowed from European Union law
Russia (Art. 3 (1)(1) of the Federal Law On Personal Data dated July 27, 2006): Any information related to a directly or indirectly identified or identifiable natural person.
European Union (Art. 2 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data): Any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, psychological, mental, economic, cultural or social identity.
Vadim Ampelonsky (official representative of the state controlling body, Roskomnadzor): "The minimum set of personal data necessary for the identification of the person is a combination of the first and last name and photograph of the subject" (http://lenizdat.ru/articles/1124854/).
Physiological and biological features of a person on the basis of which one can identify him (Part 1, Art. 11 of the Law On Personal Data).
Can a person be identified by the IP-address of his computer, his e-mail account, or Skype account?
Which data are sufficient to identify a person?
Mr. Simpson
Mr. Homer Jay Simpson
Mr. Homer Jay Simpson, Safety Inspector at the Springfield Nuclear Power Plant
Information considered to be personal data identifying a person:
• Passport data
• Fingerprinting information
• Name together with photograph
• Name together with the date of birth, and information about the parents and their dates of birth
Information not sufficient to identify a person and not considered personal data:
• Solely the name or registered address of the person
• Blood group, etc.
• Nationality
Kinds of personal data:
• Public
• Biometric
• Special ("sensitive"), i.e., data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, health, private life
• Depersonalized? Is it still personal data if the natural person is no longer identifiable?
NEW REGULATION WILL APPLY TO ALL KINDS OF PERSONAL DATA
Law On Personal Data: Cross-border transfer of personal data to foreign states that are parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as other foreign countries ensuring adequate protection of the rights of subjects of personal data, is carried out in accordance with this federal law, and may be prohibited or limited in order to protect the constitutional system of the Russian Federation, morality, health, rights and lawful interests of citizens, national defense and state security.
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data: A party shall not prohibit or subject to special authorization cross-border flows of personal data going to the territory of another party, for the sole purpose of protecting privacy.
Ministry of Labor guidelines
Amendments to the Administrative Offenses and Criminal Codes
Sure, if personal data is transferred to foreign countries that are:
a) Parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (to which Russia is a party), OR
b) Ensuring adequate protection of the rights of the subjects of the personal data, OR
c) Any country, with the written consent of the individual.
Exceptions: Race, political opinion, religious convictions or other beliefs, health or private life, criminal record.
Russian citizens' personal data will need to be recorded, compiled, stored, refined (updated, modified) and extracted using databases located in Russia.
State authorities will be entitled to block a site violating the Law On Personal Data.
Companies will be required to notify the state agency of the location of the database with personal data.
When are these changes expected to come into force?
Who falls under its scope? Does the new law operate on a territorial or an extraterritorial principle?
Are all categories of personal data of Russian citizens (public, biometric, special) prohibited from being stored using a database located abroad?
Will it not be possible to store personal data abroad, duplicating it in Russian databases (mirrors)?
If personal data is stored on a mobile device (phone, laptop), how does one comply with the requirement to keep it in Russia?
Personal data may be recorded and stored abroad in cases where processing of personal data is necessary for, inter alia, achieving the goals of an international treaty of the Russian Federation or the law, or for fulfillment of the operator's obligations / functions set out by law.
Does this mean that mandatory HR information may be stored abroad as previously?
If data is transferred cross-border, apparently it will be stored abroad.
As long as cross-border transfer of personal data is allowed, there could be no prohibition to store data abroad.
It is possible to have solely mirror-databases in Russia.
Questions and responses:
Question: How do the restrictions correlate with the Convention of the Council of Europe?
Response: Opinion of Roskomnadzor: personal data may be transmitted abroad, but after use it must be deleted; personal data may not be stored abroad.
Question: Can personal data be stored in Russia and abroad?
Response: Opinion of the presidential administration: No. It must be stored only in Russia.
Question: Can one store depersonalized personal data abroad?
Response: Technically, yes.
A public authority may require the hosting provider to block the site on the basis of a court decision.
Fine on the offending company of up to RUB 10,000.
Procedure for blocking a site that violates the Law on Personal Data:
1. Court rules that the site violates the Law on Personal Data.
2. Individual files a claim together with the court decision to the state agency.
3. State agency sends notice to the hosting provider.
4. Hosting provider sends notice to the owner of the resource.
5. Owner of the resource must remove the violation.
6. Hosting provider limits access.
Procedure for restoring access:
1. Owner of the resource removes the violation, or the court cancels its earlier decision.
2. Owner of the resource or the hosting provider contacts the state agency.
3. State agency opens access.
American and European models of cross-border transfer of personal data
The Russian model for cross-border transfer of personal data leans toward that of the EU.
USA:
• There are no restrictions on cross-border transfer of personal data
• Is not a country that provides the appropriate level of protection of personal data from the EU perspective
• Safe Harbor Regulations
European Union:
• Cross-border transfer of personal data is allowed only to countries that ensure an adequate level of protection of these data
• Requirements for the cross-border transfer of personal data can be applied to their subsequent transfer (art. 40 of the Proposal for a General Data Protection Regulation)
• Planned transition from territorial to extraterritorial model (item 19 of the Preamble of the Proposal for a General Data Protection Regulation)
Recommendation:
• Notify state authorities of personal data processing. If the company plans to process personal data, we recommend that prior to the entry into force of the law it notify the state authority. In that case, it does not need to specify the location of the databases with personal data.
• Duplicate personal data in Russia, keeping original data abroad?
• Transfer depersonalized data abroad?
• Audit HR documents to identify those which may be stored abroad
• Duplicate personal data stored on mobile devices on servers located in Russia?
• Measures must be necessary and sufficient to protect personal data against unauthorized access, destruction, copying, distribution or other misuse.
• The operator independently determines the composition and the list of measures that are necessary and sufficient to fulfill the requirements of the Law.
Legal and organizational measures:
• Consent to process personal data
• Local policy documents in relation to the processing of personal data
• Evaluation of the harm that may be caused to citizens in the case of the processing of their personal data in violation of the law
• Ensure unlimited access to policy documents of the operator in respect of the processing of personal data which meet the requirements for the protection of personal data
Technical measures:
• Accounting for machine storage devices of personal data
• Application of approved procedures for assessment of means of information protection
• Recovery of personal data modified or destroyed by unauthorized access to it
Offices in 3 countries: Russia, Ukraine, Finland
150 professionals at your service
Partnerships: AEB, AmCham, AHK, SVKK, SPIBA
Call-center for all offices: +7 495 225 30 38
Anton Kabakov: +7 (921) 397 1193