Last week, President Medvedev signed a set of amendments to the Russian law on personal data, tightening the legal obligations of all organizations, in both the corporate and state sectors, that deal with personal data. Although the law was passed by the Russian parliament in 2006, one year after Russia ratified the Council of Europe's 1981 Strasbourg Convention on the Protection of Individuals with Regard to Automatic Processing of Personal Data, the application of many of its provisions had been postponed several times owing to the absence of precise rules and principles of regulation.

The law, which came into full force on July 1, 2011, and the recent amendments to it have raised serious concerns among some businesses because of the anticipated administrative burden and high implementation costs.

“It seems clear that, in light of the new law, [companies operating with data] will have to work hard to revise their internal policies and measures related to personal data processing and security,” say Natalya Oleynikova and Leonid Zubarev of CMS Russia. “This work is critically required in the context of the contemplated stricter liability for failure to comply with personal data legislation and the regulator’s greater focus on personal data protection.”

Proving approval for data use

Personal data can be collected or used only with the approval of the person concerned or his or her representative, and the operator must verify that approval and be able to prove it was given.

An exception is for personal data collected and used exclusively for the purpose of implementing a contract – for instance, to provide a service or a good to an individual. No approval is required in this case, but the company cannot make any further marketing or commercial use of the data.

According to the law, approval must be voluntary. This means, in particular, that a customer ordering a service or good should not feel bound to accept further use of his or her personal data.

Under the new amendments, approval can be given in any form that can be verified. Non-written forms of approval are thus implicitly allowed, an important point for online commercial and marketing activities.

“While many transactions are made in an oral or electronic form, e-merchants will have to create and store supporting information that provides evidence of approval,” Otto Group Russia’s legal adviser Mikhail Chentsov said to East-West Digital News. “This may be difficult for many e-commerce players, especially the small ones.”

Heavy requirements for data protection

The law is particularly demanding when it comes to protecting stored personal data. Only duly certified means of protection may be used. Moreover, a special license is required to carry out the technical tasks involved in storing personal data, unless those tasks are outsourced to licensed technical providers.

In the latter case, the person concerned must approve the outsourcing, according to the new amendments.

In addition, organizations storing personal data are required to:

  • Assess the potential threats to data protection, and the effectiveness of the protection measures, before any data is collected or used;
  • Establish precise rules for accessing the data and record every action involving the data;
  • Detect any unauthorized access to the data and bear responsibility should data be altered or deleted following such access.

A flurry of criticism

Many provisions of the amended law – lobbied for by the Federal Security Service (FSB) and other state security bodies – have been severely criticized by the business and legal communities for containing excessively stringent requirements and involving considerable costs while lacking clear implementation mechanisms.

“Seven million organizations dealing with personal data must now abide by slightly adapted, 20-year-old state secret protection rules,” Russian business daily Vedomosti quoted a group of IT experts as saying. The rules will apply not only to banks, mobile operators, and government bodies dealing with passport information, but to any organization having employees and storing related personal information about those employees, according to Alexander Lukatsky, one of these experts.

In response to the new law, MTS, a leading mobile operator, expects to spend $40 million on additional equipment plus $2 to $5 million per year in operating expenses merely to maintain that equipment, Vedomosti quoted MTS Vice-president Ruslan Ibragimov as saying.

The legislation could be particularly difficult to implement for international companies and Internet players, since their information systems were designed to comply with the legislation of other countries, warned Dmitry Kuznetsov of IT security company Positive Technologies in an exchange with news agency RIA Novosti.

The new legislation applies equally to small businesses. “For them, the new rules may impose unbearable consulting or outsourcing costs,” Alexander Sanin of Russian information security agency LETA told RIA Novosti. “Less than 10% of businesses are fully ready to implement the law, and perhaps just 1% of small businesses are prepared.”

Alternatives to fully applying the law will still be available. “Since many requirements for certification are outdated or simply irrelevant, many organizations will build a double data protection system: an official one to show in case of inspections and a real one to ensure effective protection,” Alexander Kovalev of information security company SecurIT said to RIA Novosti.

As a less costly alternative, some businesses could opt to pay fines rather than implement certain rules. This is not to mention bribes, a very common way of avoiding administrative hassles in Russia.

Sources: Vedomosti, RIA Novosti