Legal Alert: Review of new requirements for the processing of personal data

On May 24, 2022, the draft Federal Law No. 101234-8 was adopted by the State Duma in the first reading. According to the explanatory note to the bill, more than 2.5 thousand personal data operators (the “Operators”) carry out cross-border transfer of personal data of Russian citizens (the “Personal Data”) to unfriendly countries where their proper protection is not provided. This prompted the legislator to give the regulations of the Russian law (152-FZ) an extraterritorial character and impose a number of additional restrictions on Operators, in particular related to cross-border data transmission.
Let's consider the main amendments that may be adopted very soon:

1. Obligation to notify Roskomnadzor

1.1.Notify Roskomnadzor will have to start processing personal data in cases when this information:
- is processed in connection with labor law,
- belongs to the Operator's contractors, and he uses personal data to execute and conclude agreements,
- is needed for a single pass of a citizen to the Operator’s territory or for similar purposes.
Now, in these and some other cases, it is not necessary to notify the agency. 

1.2. Roskomnadzor will also have to be notified of its intention to carry out cross-border transfer of personal data. At the same time, cross-border transfer may be prohibited or restricted in order to protect the foundations of the constitutional system of the Russian Federation, morality, health, rights and legitimate interests of citizens, ensuring the defense of the country and the security of the state. The period to consider the notification is 30 days;

2. State system for detecting, preventing and eliminating the consequences of cyber attacks Operators will have to learn how to work with the system for detecting, preventing and eliminating the consequences of cyber attacks. In particular, it will be necessary to report incidents through this system, due to which there was a leak of personal data, if the Operator detects, for example, accidental transmission of such information. It will be required to notify Roskomnadzor not later than 24 hours from the moment of the incident. In his message, the Operator, among other things, will have to indicate the causes of the leak and what harm it caused to citizens. It is assumed that Roskomnadzor will keep a register of incidents with improper processing of personal data.

3. Biometric data
3.1. The Operator will be prohibited from refusing to provide services to citizens, if they refuse to provide biometric data and/or consent to the processing of personal data, in cases where such consent is not mandatory.
3.2. A general rule is being introduced prohibiting the processing of biometric data of minors. It will be possible to process biometric data of children under 18 years of age only when such processing is expressly provided for by law.

4. Reducing the response time to requests
The time for the operator will be reduced from 30 days to 10 working days: 
- to inform the subject of the personal data (his representative) about the availability of his personal data and gave him the opportunity to get acquainted with them,
- to send a written reasoned refusal to provide information,
- to inform Roskomnadzor of the data requested by him.

5. Clarification of the requirements for consent to the processing of personal data
Currently, the subjet's consent to the processing of personal data must be specific, informed and conscious. The draft law introduces two new requirements: objectivity and unambiguity;
Behind this, at first glance, extremely vague theoretical requirement, there is a general tendency of the legislator to reverse the prevailing conservative practice, when operators are reinsured and collect consent “just in case”, without analyzing the applicability of other grounds (conditions) for processing retakes. Along with the changes described in paragraph 3, the new requirements shall push Operators to a more informed choice of grounds for data processing.

We will be happy to help you in choosing the correct basis for processing personal data, if necessary, to help prepare applications to Roskomnadzor about the start of processing personal data, as well as about the desire to carry out cross-border transfer of personal data. Develop and (or) bring into compliance with the new requirements your local regulations governing the processing of personal data. Our lawyers are closely monitoring the changes in the current law and will notify you as soon as the above draft law is adopted.