New rules for cross-border data transfer in Russia


published on 26 May 2020 | reading time approx. 3 minutes

 

On 14 July 2022 extensive and major amendments were adopted by means of Federal Legal Act no. 266 ("Act in New Version") to the Federal Act: On Personal Data (no. 152-FZ of 27 July 2006) ("Act no. 152-FZ"). In particular, the amendments concerned the procedure for the cross-border transfer of personal data. These innovations will take effect on 1 March 2023.

 


 

Thus, a mandatory notification procedure will be introduced for the data controller, beginning on 1 March 2023, for cross-border data transfers. This notification procedure is additional and does not exempt the personal data controller from the obligation to notify the beginning of personal data processing according to the procedure prescribed by Article 22 of Act no. 152-FZ.

 

Prior to notifying cross-border data transfer, the data controller is obliged to receive the following information from the authorities of the foreign state, foreign individuals, foreign entities that are the recipients of the intended cross-border transfer of personal data:

 

1) information on the measures taken by the authorities of that foreign state and those foreign individuals and foreign entities that are the recipients of the intended cross-border transfer of personal data to protect the personal data to be transferred, and on the conditions for terminating the processing thereof;

2) information on the legal regulations in the field of personal data of the foreign state with jurisdiction over the foreign authorities, foreign individuals, foreign entities that are the recipients of the intended cross-border transfer of personal data (where it is expected to transfer personal data across the border to foreign authorities, foreign individuals and foreign entities under the jurisdiction of a foreign state that is not party to the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data and is not included in the list of foreign states that ensure adequate protection of the rights of personal data subjects);

3) information about the foreign state authorities, foreign individuals and foreign entities that are the recipients of the intended cross-border transfer of personal data (their full name as well as contact phones, postal addresses and e-mail accounts).

 

Roskomnadzor can additionally request the above information and data from the data controller to decide on the prohibition or restriction of the cross-border data transfer. The term for the provision of such information and data is 10 working days and may be extended by max. 5 working days for a substantiated reason.

 

The choice of the procedure for the data transfer depends on whether the state that is the recipient of the personal data to be transferred ensures adequate data protection. It should be remembered that the list of foreign states that ensure adequate protection of the rights of personal data subjects includes states that are party to as well as foreign states that are not party to the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data, in the latter case - provided that the local legal regulations of and the measures taken by the relevant state to ensure the confidentiality and security of personal data during processing thereof comply with the provisions of the above Convention.

 

The notification procedure applies where personal data are transferred to a state that ensures adequate protection of personal data, i.e. the data controller may begin cross-border transfer of personal data upon submission of the notification (Article 12 Clause 10 of the Act in New Version). It should be pointed out that Roskomnadzor can restrict or prohibit the transfer of data based on the outcome of the notice consideration process.

 

The approval procedure applies where personal data are transferred to a state that does not ensure adequate protection of the rights of personal data subjects. The transfer of personal data is deemed prohibited until expiry of the term for the consideration of the notice.

 

The term for the consideration of the notice of the intended data transmission is 10 working days. Based on the notice consideration outcome, a decision can be made "to prohibit or restrict the cross-border transfer of personal data for the protection of the constitutional order as well as public morals, health, rights and legitimate interests of citizens". If such a decision is made, the data controller is obliged to ensure that the foreign state authority, foreign individual and foreign entity concerned erase the personal data previously transferred to it.

 

It should be noted that data controllers already carrying on cross-border transfers of personal data as of the enactment date of the Legal Act concerned are under an obligation to notify their cross-border transfers of personal data to the RKN by or on 1 March 2023.

 

Many questions have already been asked regarding the application of the new legal rules because no detailed explanations have been received from the competent authorities regarding the introduced amendments.

 

In particular, the following questions are still open:  

  • In what way will the decisions be formalized to approve cross-border transfers of personal data or, rather, will the absence of a response prohibiting or restricting the cross-border transfer of personal data be deemed an approval of itself?
  • What is the form for the submission by the data controller of the information on the measures taken by the foreign state authorities, foreign individuals and foreign entities that are the recipients of the intended cross-border transfer of personal data to protect the personal data to be transferred, and on the conditions for discontinuing the processing thereof? 
  • How does the provision of information with contact details, phone numbers, addresses of the individuals who are the recipients of the intended cross-border transfer comply with the laws and regulations of the country to which the transfer of personal data is intended? Isn't this a conflict of law situation?
  • How often should information on the cross-border transfer of personal data be notified? What exactly does this rule apply to - data sets with a single purpose (project environment or information about employees transferred to the parent company) or each individual cross-border transfer of data? 

The requirement to give such notices and the possibility of the resultant prohibition or restriction on cross-border data transfers will certainly create additional administrative obstacles for businesses. The materiality of the involved costs is directly dependent on the quality of the subordinate laws and regulations, automation of the notification processes and general transparency of the procedures.
