What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
Russia has a number of laws relating to the collection and use of personal data. Federal Law of July 27, 2006 No. 152-FZ “On Personal Data” (Personal Data Law) sets the general rules and principles of personal data processing in the country. The Labour Code of the Russian Federation No. 197-FZ of December 30, 2001 includes rules relating to processing employee data.
There are also related regulations and state authority guidance relating to personal data protection, including:
- Regulation No. 1119 of November 1, 2012, of the Government of the Russian Federation On Approval of the Requirements to Personal Data Protection in the course of Its Processing in Personal Data Information Systems: This Regulation includes general guidelines on determining security threats and the required level of data protection.
- Order No. 21 of February 18, 2013 On Approval of the Types and the Content of Organizational and Technical Measures for Personal Data Protection in the course of its Processing in Personal Data Information Systems: This contains guidelines relating to determining the appropriate technical and organizational security measures with respect to the required level of data protection.
- Order No. 378 of July 10, 2014, of the Federal Security Service, Scope and Composition of Organizational and Technical Measures to Ensure Security of Personal Data Processed in Information Systems of Personal Data with Use of Cryptographic Protection of Information Required to Comply with Personal Data Security Requirements Stated by the Government of the Russian Federation with respect to each Security Level: This includes general guidance on the choice of cryptographic (encryption) tools for the protection of personal data.
Russia also uses international instruments relating to data protection and is a party to the 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). On October 10, 2018, Russia signed a Protocol modernizing Convention 108. Once this Protocol goes into effect, Russia will have to incorporate the amendments and ensure their enforcement.
There is no single authority responsible for data protection in Russia. Current authorities responsible for enforcement of data privacy law and regulations include the:
- Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor): This is the supervisory data protection authority, which carries out its functions through central and regional offices that supervise data controllers in their respective regions.
- Russian Ministry of Digital Development, Communications, and Mass Media: This authority is generally responsible for state policies in data protection, communications and information technology.
- Russian Federal Service for Technical and Export Control: This is the authority responsible for supervising the protection of confidential information with the use of technical tools.
- Russian Federal Security Service: This authority is responsible for supervising the protection of confidential information with the use of encryption tools.