Privacy Advisor

Global Privacy Dispatches- Belgium- Russias Data Protection Act

October 1, 2008

By Jan Dhont

Enforcing Russia's Data Protection Act

The enforcement of Russia's Data Protection Act (DP Act) is a fact. Further to the Russian Regulation No. 419 on Federal Service for Oversight of Communications and Mass Media of June 2, 2008, enforcement is carried out by the Federal Service for Oversight of Communications and Mass Media (Rossvyazcomnadzor) (DPA). Mr. Boris Antnovich Boyarskov was designated as president of the DPA on the same date. Prior to assuming the DPA presidency, Mr. Boyarskov served as an intelligence service officer, CEO of a financial institution, and director of the Department for Licensing under the Russian Ministry of Culture and Mass Media.

With the formation of the DPA, the registration of information practices has become an important "to-do" item on the task list of Russian companies. The registration procedure is delocalized and companies need to register via local DPA offices. For information on the process, visit: www.rsoc.ru/main/about/ territorial/. Registrations may be completed in writing or electronically (in which case an electronic signature is required). For the data processing notification form and guidelines, in Russian, please go to: www.rsoc.ru/cmsc/upload/ documents/20080813181242hi.pdf.

Data operators (i.e. data controllers) are required to provide the following information upon registering:

  • name (surname, name, and patronymic name) and address;
  • the purpose(s) of the company's processing of personal information;
  • categories of the personal information processed;
  • categories of the data subjects;
  • legal basis for personal information processing;
  • data processing actions and modalities, general description of personal information processing methods used;
  • description of measures implemented to ensure information security and confidentiality;
  • start date of the personal information processing;
  • date on which personal information processing ceases.

The DPA maintains a public register of registrations: http://pd.rsoc.ru/.

The DPA has broad investigatory powers and can block or destroy unreliable or unlawfully obtained personal information. It can also impose administrative sanctions. The Russian DP Act follows—at least on paper—a philosophy similar to the European 1995 Data Protection Directive, setting forth strict data processing requirements such as prior consent for information processing. Furthermore, the DP Act contains international data transfer restrictions for countries that do not provide adequate protection. The countries deemed to offer adequate protection have not yet been defined. As is the case with the EU and a growing number of other jurisdictions, Russian corporations are required to carefully assess their data flows and to take measures to secure their international information practices.

Jan Dhont is head of the data privacy practice at Lorenz in Brussels. Reach him at j.dhont@lorenz-law.com.