Beginning March 1, 2021, Russia will impose restrictions on the processing of personal data publicly available on the internet and offline. The legislative changes are aimed at fighting the uncontrolled dissemination of personal information.
Change of lawful basis
Under current Article 6(1)(10) of the federal law "On Personal Data" No.152-ФЗ dated July 27, 2006, any data operator (the Russian equivalent of the term controller) may process personal data if the data subject made it publicly accessible or instructed another person to do so. In contrast with Article 6(1) of the EU General Data Protection Regulation, there is no need to ground the processing on legitimate interests, the performance of a contract, data subject's consent or other common lawful bases. When "Amendments to the Federal Law on Personal Data" No.519-ФЗ dated Dec. 30, 2020, goes into effect, this rule and the term publicly accessible data will disappear.
The amendments introduce a new term, "personal data permitted for dissemination by the data subject," and define it as personal data, access to which is granted to the public by the data subject giving their consent to the processing of this data. In simple words, the data subject's consent will become the only lawful basis according to which personal data may be placed in publicly accessible sources and, thereafter, used by any interested data operator.
According to the explanatory note to the amendments, their purpose is to prevent "the collection and uncontrolled use of such personal data on websites for purposes different from the initial purpose for which it was disseminated." However, the amendments' legal text does not exclude their application to offline publications of data (e.g., specifying professional bios in printed marketing bulletins).
Drafting data subject's consent
Under the amendments, consent to the processing of personal data permitted for dissemination by the data subject must be documented separately from other consent forms if the data operator asks for several consents simultaneously. Consent must be drafted in a way that data subjects can:
- Clearly express their willingness to make personal data public.
- Choose specific data categories for dissemination.
- Limit the methods of dissemination, except for the provision of access to data.
- Set conditions and prohibitions for the processing of disseminated data by data operators that access such data in public sources.
The said limitations, conditions and prohibitions will not apply to the data processing in the state and other public interests.
Russia's data protection authority, Roskomnadzor, has drafted more specific requirements to the content of consent, but they have not yet been adopted.
Obtaining data subject's consent
The data subject may either personally grant the consent to the data operator seeking to disseminate personal data or submit it through a special IT system of Roskomnadzor. For now, it is unclear how the IT system will work. Roskomnadzor must put it into operation on July 1, 2021.
Under new Article 10.1(10) of the Personal Data Law, the data operator must publish the limitations, conditions and prohibitions specified in the consent within three business days of receiving it. The amendments do not clarify what the publication should look like and whether it should be placed near the published data (e.g., on the same page). Data operators accessing personal data in public sources must search for the said limitations, conditions and prohibitions and obey them. They bear the burden of proof that they process the data lawfully.
Informing data subjects
In contrast with Article 14 of the GDPR, the current edition of Article18(4)(3) of the Personal Data Law does not require that data operators inform data subjects of the processing of their data from public sources. After the amendments go into effect, data operators will be relieved from this obligation only if they obey the conditions and prohibitions for the processing of disseminated data determined in the consent.
Ceasing data dissemination
The amendments establish the data subject's right to recall the consent at any time and with immediate effect by giving notice to the data operator without explanation. In this situation, the data operator may continue the processing except disclosing data categories listed in the notice. The amendments do not explain to whom data subjects may address their notices — to the data operator who made the data public for the first time, subsequent operators or all of them.
Additionally, the new Article10.1(14) of the Personal Data Law states that data subjects may contact anyone who processes their data and prohibit them from disseminating, transferring, providing and accessing their data or even sue for such prohibition in the event of a breach of legal requirements introduced by the amendments. The data operator that received a prohibitory notice must cease these activities within three business days. The legal text gives no clues on the principal difference between this procedure and the mentioned recall of consent. It is likely case law will make it more answerable.
What to do?
The new rules concern online businesses, especially big data companies and social media, recruiters collecting CVs on the web, companies placing their employees' bios and profiles on corporate websites, marketing agencies and other enterprises disseminating personal data or using public sources of any kind. It seems reasonable for such companies to do the following:
- Audit their processing activities connected with publicly accessible data, including operations on their corporate websites.
- Draft new consent templates when Roskomnadzor adopts the requirements to their content.
- Accompany all publications of personal data with a description of processing conditions, limitations and prohibitions specified in the relevant consent.
- Instruct employees to obey the processing conditions, limitations and prohibitions if they use personal data from public sources.
- Update data subject response procedures with a focus on the amendments.
- Update other privacy procedures and documents if they mention the processing of publicly accessible data based on outdated legislation.
- File an updated personal data notice with Roskomnadzor if the previous notice mentioned the processing of publicly accessible data.
- Keep monitoring Roskomnadzor's updates on the new IT system for processing the consents and expect the roll-out around July 1, 2021.
Photo from Unsplash