Russia Postpones Enforcement of Data Protection Law; Considers Revisions

On December 23, 2010, Russia's President Dmitry Medvedev signed legislation delaying until July 1, 2011 the enforcement of the country's omnibus data protection law (the Federal Law Regarding Personal Data). Pursuant to the new legislation, the revised effective date for the country's data protection law is January 1, 2011, but operators have until July 1, 2011 to bring their personal data information systems into compliance with the law.

Russia's data protection law originally was slated to come into effect on January 26, 2007, but enforcement was delayed several times. Although the law is similar in style to data protection law in the European Union, it is more strict than the EU law in many respects. Businesses have long complained that the law contains restrictions on data processing that are unworkable. For example, the law requires affirmative written consent for most types of personal data processing. In the online context, this means seeking a consumer’s digital signature rather than, for example, relying on a check box to obtain consent (which is an acceptable mechanism in Europe).

In response to the criticism, the Russian government and legislature are considering revisions to the  law. The latest delay in the enforcement likely is an interim solution before a more workable legislation can be put in place.