8 Jul 2022 16:47

Senators back bill on possibly banning transmission of Russians' personal data abroad

MOSCOW. July 8 (Interfax) - The Federation Council on Friday approved a bill that obligates operators to report incidents with databases containing personal data belonging to them and regulates issues relating to the transmission of such data abroad.

The current legislation practically does not regulate transborder transmission of personal data, which creates a considerable threat in the current external political situation, the authors of the bill said.

In particular, the accessibility of compromised databases containing personal data on the Internet is one of the key problems of protection of the rights of personal data subjects, Russian State Duma Information Policy Committee head Alexander Khinshtein, who co-authored the bill, said earlier. Such services are usually placed on foreign Internet websites, to which the requirements of Russian legislation on personal data do not apply, he said.

The document outlines conditions for stopping transborder personal data transmission to the territories of countries that do not provide appropriate protection, or to unfriendly countries.

Under the document, the Russian government can determine categories of communications operators to which the moratorium on transborder personal data transmission will not apply. For example, China will be included in the list of countries where appropriate personal data protection is provided, and operators thus will just need to notify Russia's telecoms watchdog Roskomnadzor of transborder data transmission to this country, Khinshtein said earlier.

The moratorium on transborder transmission does not apply if data needs to be provided to protect citizens' life, health, and vital interests. Additionally, the government can determine categories of operators to which the moratorium does not apply.

Under the document, the government will determine procedures for drafting a decision to ban transborder transmission both on the basis of notifications and on recommendations of the Russian Federal Security Service, the Defense Ministry, and the Foreign Ministry and agencies authorized by the president or the government.

The possible extraterritorial application of the Russian law on personal data is also envisaged.

Besides personal data operators, the document envisages administrative liability for third persons whose actions or lack thereof led to violations of citizens' rights.

The document obligates operators to inform Roskomnadzor about personal data processing, including information on the legal grounds, information systems of personal data, procedures governing transborder transmission of personal data and other provisions applicable to every purpose of personal data processing.

As regards transborder personal data transmission, the document reduces the period for Roskomnadzor to consider notifications from operators from 30 to 10 working days.

Also, the largest materials, such as an operator's assessment of its foreign counterparts and the list of such counterparts, will not need to be sent to Roskomnadzor. However, Roskomnadzor has the right to request such data separately.

The document also concerns reporting personal data leaks. Operators will be obligated to report within 24 hours from the moment a leak was found, that is, when the operator or Roskomnadzor learned about the leak, not from the moment the leak took place.

As regards regulation of personal data processing outsourcing, operators will be allowed to include in agency contracts requirements to observe the confidentiality and safety of personal data, and also to demand that the person involved confirm the observance of the requirements envisaged by the law, including before actual personal data transmission.

As regards the coordination of personal data processing acts with the Digital Development Ministry and Roskomnadzor, the document empowers bodies of state authority, the Bank of Russia and local self-government bodies to issue acts on specific issues concerning personal data processing if that is envisaged by federal laws. Coordination applies only to processing that poses an increased risk of violations of the rights of personal data subjects.

The document provides that transmission of personal data on the Internet be allowed only with the consent of personal data subjects.

The document also envisages that the period for operators to respond to inquiries from citizens and Roskomnadzor be reduced from 30 calendar days to 10 working days. At the same time, the period may be extended, but by no more than five working days, if an operator sends a reasoned notice explaining the extension to the personal data subject and Roskomnadzor.

The document also envisages the possibility of receiving personal data from the Unified State Register of Real Estate (EGRN) only with the consent of real estate owners.