Personal data is one of those areas of law which started to develop rapidly following the development of electronic communication. Increasing technical capabilities for fast and efficient transfer of large amounts of data posed new threats to privacy, which resulted in the appearance of new legal institutions supplementing old-fashioned privacy rules.
Many legal systems adopted specific provisions on protection of personal data, and the Russian Federation, for which the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data eventually became effective on September 1, 2013, is no exception.
Both the current rules, set forth by the Federal Law of July 27, 2006 No. 152-FZ “On Personal Data” (hereinafter, the “Personal Data Law”), and the forthcoming amendments are worth taking into consideration not only for those who are entering the Russian market with straightforward corporate representation, such as a local subsidiary or accredited branch, but also for those who target the Russian market from abroad through Internet platforms.
Definition of Personal Data
The Personal Data Law sets forth rules which may resemble the rules effective in the European Union to a great extent, with one important yet apparent exception: Russia is a separate jurisdiction where many things are different compared to Europe. The general principles, though, are nearly the same.
The Personal Data Law defines personal data as ‘any information which pertains to an individual who is directly or indirectly identified or identifiable’ (Item 1 Article 3). This definition is apparently very broad, but, as recent court practice suggests, not all data which falls within its verbal scope is actually considered personal data.
As a general rule, the practical interpretative trend shows that data is personal only when it allows identifying a specific individual without the use of additional information. For example, full passport details could be considered personal data in any case, while an address stripped of the name and date of birth would not necessarily be. However, in Russia court decisions do not have the same effect on the legal system as in the UK or the USA, and this approach may change in future. In addition, any conclusion on whether a particular set of data is personal or not is heavily dependent on the details of the situation, the specific industry sector and the business processes implemented.
With the aforementioned reservations in mind, it can nevertheless be concluded that if a video game company operates only with specific user data which does not allow reliable identification of an individual, most likely it does not require compliance with personal data legislation, as there is formally no personal data in such a situation. In this respect, if personal data is operated by a third party (e.g. a payment processor), a video game company which does not have access to such information is also out of scope of the law. These considerations have a great impact on the recent amendments which are discussed further.
Article 6 of the Personal Data Law determines situations where it is possible for an operator to process personal data. The most business-relevant cases are the following:
- personal data is processed with the consent of an individual;
- personal data is processed to fulfill an agreement to which an individual is a party, beneficiary or guarantor, including cases where the operator assigns its right under such an agreement, or cases where the individual merely shows his/her initiative to enter into such an agreement.
Thus, while most of the companies which do online sales and operate with personal data themselves need to comply with personal data legislation, sometimes they do not need to obtain a specific consent of an individual buyer, for instance, in cases where the interaction between the seller and the buyer is limited to contractual relationships only. However, it is apparent that many companies prefer to use user data for marketing goals to the largest extent possible, and this would require specific consent.
The Personal Data Law sets forth cases where simply a ‘consent’ is needed and cases where a ‘written consent’ is needed. In any case, the burden of proving that the consent has been received lies with the operator, and it is generally recommended that a simple consent should resemble written consent in its level of detail as much as possible. That said, a written consent should contain the following details:
- full name of the individual and his/her passport details;
- full name of a representative of the individual and his/her passport details (if applicable);
- name and address of the operator;
- aim of processing of personal data;
- list of personal data to be processed;
- name and address of the processor (if applicable);
- list of actions to be performed over the personal data and general description of methods;
- time period for validity of the consent;
- signature of the individual.
It is important that, pursuant to the Personal Data Law, an individual may withdraw his/her consent at any time (Item 2 Article 9), and the operator will be bound to delete the personal data unless there are grounds to process such data without specific consent.
Article 12 of the Personal Data Law allows cross-border transfer of personal data from the territory of the Russian Federation to the territories of countries which are parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data without specific restrictions.
The same rule applies to those countries which are not parties to the aforementioned convention but are included in the specific list, approved by Roskomnadzor, of countries which provide appropriate protection. A noteworthy fact is that the USA is neither a party to the convention nor mentioned in this list. However, such countries/regions as Australia, Canada, Hong Kong, Switzerland and others are considered as providing appropriate protection of personal data.
Among the business-relevant cases where cross-border transfer of personal data is possible in respect of countries which are not parties to the convention and not on the list are cases where personal data is transferred under a written consent of the individual or where it is necessary to fulfill an agreement to which the individual is a party.
It is important to bear in mind that the Personal Data Law also sets forth general requirements for data security which should be observed by the operators of personal data (Chapter 4 of the Personal Data Law). This may include adopting proper internal regulations, managerial decisions, technical and other measures.
Those companies which are registered in Russia or have an accredited representative office and/or branch there may face administrative liability should they be in breach of the personal data legislation. In special cases where law enforcement agencies find intent to breach the legislation, the management of a company may also be subject to criminal liability, e.g. for breach of privacy. That said, companies in Russia can be subject to administrative liability, while individuals can be subject both to administrative and criminal liability.
Additionally, a general risk of website blocking may loom over any Internet company. However, it is important to stress that as of this date there is no specific provision on administrative website blocking (although such a provision will come into effect with other important amendments on September 1, 2016), and a website which is officially considered to be used in breach of personal data legislation can be restricted pursuant to a court decision.
Forthcoming Amendments (“Data Localization”)
As indicated in the prior note in this blog, the Personal Data Law will be supplemented by the Federal Law of July 21, 2014 No. 242-FZ (hereinafter, the “Amending Law”) with a new Item 5 Article 18, which shall set forth that while collecting personal data, in particular by means of the information and telecommunication network “Internet”, the operator shall ensure that recording, systematization, accumulation, storage, specification (renewal, change) and extraction of personal data of the citizens of the Russian Federation are carried out with the use of databases located on the territory of the Russian Federation. There are a few exceptions, but generally they are not business-relevant as they include statutory/treaty goals, execution of justice, state services, journalists, mass-media, academic, literature and other creative activity.
In the wake of many incorrect media reports, it cannot be stressed enough that it is far from decided that the Amending Law will come into effect earlier than September 1, 2016, as explicitly provided by this statute. Indeed, the Russian Parliament discussed changing the date to January 1, 2015, but as of this date the change of the effective date of the Amending Law has passed only the second hearing and no further hearing is yet scheduled (in all fairness though, the situation can change in future).
Irrespective of the many contemplations which may be found on the Internet, both on Russian and English-speaking websites, the most crucial aspects of this law are not clear and cannot be objectively clarified as of this date. It can reasonably be expected that closer to the date the Amending Law becomes effective, drafts of subordinate legislation will appear, but as of this date there is no appropriate reference point. Even though some of the officials have already expressed their opinion on the Amending Law, such opinions are not legally binding and may be changed in future. The aspects which are not clear include, for example, such crucial questions as whether this law will affect only Russian registered/accredited companies or foreign ones as well (in case the latter target the Russian market through the Internet), whether it is possible to mirror personal data of Russian citizens abroad and, finally, what the scope of the ‘Russian citizen’ concept is in this context, e.g. whether it includes those Russian citizens who permanently reside abroad as well.
There are just three clear things which can be said about the Amending Law. First, if a company does not operate with data which could be qualified as personal, it is definitely out of scope of the new Item 5 Article 18 of the Personal Data Law. Second, if a company indeed limits its operations with the personal data of Russian citizens to the Russian jurisdiction, it does not entail any particular risks in this specific respect. Third, if a foreign company uses a third party provider which operates with personal data of Russian citizens instead of such company, it would be the duty of such a third party provider to comply with the forthcoming rules.
Personal data legislation in the Russian Federation does not specifically target the video game industry, but as the latter increasingly operates with big chunks of user data, it can be subject to regulation should this data be qualified as personal data. In the near future it could also be expected that the respective rules will be applied to foreign companies which target Russian consumers through the Internet as well. It is not possible to craft a universal solution here, and it is highly advisable to include personal data issues in any risk-assessment and risk-mitigation procedures preceding entry into the Russian market.
This post is not legal advice and in no case can be used as grounds for making a business decision. In case you need legal assistance, it is recommended to get individual, custom-tailored legal advice. The author expresses his individual and independent opinion, which may not coincide with the position of any parties with whom the author is affiliated.