News Archives

Tuesday, March 13, 2018

Update on Data Protection Enforcement in Russia

English-language information on data protection in Russia is hard to come by, thanks to the latest iteration of the Cold War, so an update by Hogan Lovells is worth highlighting. The Russian DPA, Roskomnadzor, held a recent open house to publicize its 2017 enforcement activities. If there was ever any doubt that Russian entities were paying attention to DP law, Roskomnadzor reported that over 400,000 data operators had registered with the authority through the end of 2017. The majority of data subject complaints received by the DPA were directed against banks, housing services providers and debt collection agencies, with general website operators also a significant focus of complaints. In a uniquely Russian approach to the latter, Roskomnadzor maintains a register of websites that violate data subjects' rights. In 2017, 453 websites were added to the register, with 176 blocked because of the seriousness of their violations, an increase in enforcement activity consistent with Roskomnadzor’s shift to systemic monitoring of entities as opposed to individual inspections.

Of particular note to US-based companies operating in Russia, Roskomnadzor clarified that data operators should obtain separate written consent for each purpose of processing. Such guidance is consistent with the GDPR’s requirements around granular consent, although compelling it to be in writing is not. Finally, in contrast with the weaker protections provided by US law, Roskomnadzor stated that personal data posted by social media users should not be treated as publicly available data and should only be processed on the basis of a lawful ground.
