Last week, the upper house of Russia’s federal legislature approved amendments to the country’s federal data protection law. The amendments impose detailed information security requirements on businesses that process personal data and revise some of the statute’s data subject consent provisions. The amended law will come into force when it is published in the official newsletter.
Russia originally enacted a comprehensive federal data protection law in 2006, but the statute has faced major headwinds. While the law is similar in its approach to the EU Data Protection Directive 95/46/EC, it is much more restrictive regarding personal data processing. After several delays, the law came into effect on July 1, 2011. Commentators, however, continue to view the law unfavorably, arguing that it is unworkable.
The amended security provisions include the requirements to:
- Conduct an assessment of threats to the safety of personal data and the effectiveness of the measures that the business has in place to safeguard personal data;
- Employ only verified methods of protecting personal data;
- Implement controls for access to personal data;
- Log all actions taken with respect to personal data;
- Detect and record incidents of unauthorized access to personal data; and
- Implement measures to restore information that is lost, destroyed or damaged as a result of an information security breach.
The amended law directs the government to develop regulations that will set forth appropriate levels of information security protections. The regulations will also establish the security requirements for processing biometric data.
The federal law’s privacy provisions were amended to allow individuals to consent to the processing of their personal data through a representative. When this occurs, the recipient of the consent will need to verify the consent. Similarly, businesses will be able to obtain personal data from third parties on the condition that they verify that the third party had a valid basis for obtaining and sharing the information.
While the privacy enforcement picture in Russia has so far been unclear, the country’s data protection authority, the federal agency for oversight of communications, information technology and mass media (in Russian, "Роскомнадзор"), has shown strong interest in privacy enforcement. It is being reported this week that the agency is investigating the circumstances surrounding the exposure on the web of mobile text messages from customers of the Russian carrier Megafon. Initial investigation suggests that an error on the carrier’s website made the messages publicly accessible. The data protection agency stated that it is investigating whether the incident violated the federal data protection law.
With privacy enforcement on the rise throughout the world, businesses should be prepared to review and, where necessary, adjust their privacy and data security practices in the markets in which they operate. In the past, some of the strict foreign data protection laws have not been rigorously enforced, giving businesses breathing room. The enforcement landscape is likely to tighten in the near future, however, increasing the risk of investigations and sanctions for privacy violations.