A strengthening of the legislation on data protection

On 1 July 2017 a new law will come into effect which makes changes to the liability for breaching legislation on data protection. The changes were made by the federal law dated 2 February 2017 number 13-F3 titled ‘About the introduction of changes to the Code of the Russian Federation for Administrative Offences’.

The law relates only to an increase in administrative liability, despite the fact that a breach of the law for processing personal data can result not only in administrative liability, but also in civil and criminal liability.

The driving force behind the change in law was the Ministry of Economic Development, which presented changes back in 2012, including a proposal to create a consolidated law in respect of personal data and establish thirteen new offences.

At present, the Code for Administrative Offences (referred to here as the Code) provides for only one offence in respect of personal data. In accordance with Article 13.11 of the Code, a breach of the procedure for collecting, storing, using or sharing personal data can result in a warning or an administrative fine calculated depending upon whether the breach was committed by an individual, a government official or body, or a legal entity.

With the new law coming into force, the current offence is replaced and divided into seven offences which provide administrative liability for:

  • the processing of personal data for purposes not provided for by legislation or the processing of data not in accordance with the reasons for its collection;
  • the processing of data without a data subject’s consent in writing or the processing of personal data in breach of the established demands, including those in the consent of the subject for the personal data to be processed;
  • failure by a data controller to publish or otherwise provide unrestricted access to a document that defines a data controller’s policy regarding the processing of personal data about the requirements for the protection of personal data;
  • failure by a data controller of personal data to fulfil a request of a data subject regarding the processing of its personal data;
  • failure by a data controller to clarify, obstruct or destroy personal data within the required period following an enquiry of the data subject, its representative or an authorised body for data protection in cases where the personal data is incomplete, outdated, inaccurate, illegally received or not necessary for the stated purpose;
  • failure by a data controller of personal data to comply with the requirements to ensure the safe-keeping of personal data and its storage and to prevent unauthorised access to it when processing personal data without the use of automated processes, if it results in unauthorised or accidental access to personal data, its destruction, modification, blocking, duplication, publication or distribution or any other unauthorised action;
  • failure of a governmental department or local authority that is the data controller of personal data to make data de-personalised so that a data subject cannot be identified when the governmental department or local authority is required to do so, or a failure to comply with established requirements or methods for the de-personalising of data.

The liability which an entity can incur for breaching data protection legislation is also to be increased substantially: the maximum size of the fine for legal entities will be 75,000 roubles, compared with 10,000 roubles under the current law. The increase in the fines seems to have been set through a compromise, as the draft law proposed by the Ministry of Economic Development stated that fines could be up to 700,000 roubles (which would have been imposed when the offence related to a special category of personal data, including information on nationality and racial background, political and religious convictions, health or private matters).

Provisions put forward by the Ministry for Economic Development for the introduction of separate liability for repeat offences or for fines to be imposed as a proportion of the sales made following the unauthorised use of personal data were not passed.

In addition to the changes listed above, amendments were made to the procedure for enforcing the law on data protection. From 1 July 2017, the authority to identify administrative offences under Article 13.11 of the Code will be transferred from the prosecutor to Roskomnadzor, which in accordance with the current legislation is the government department responsible for data protection and exercises control over the processing of personal data in accordance with the legislation in Russia.