Personal Data Protection in Russia: Trends of the Last Decade State University – Higher School of Economics, Russia Software Engineering Department Alexandra A. Savelieva Prof. Sergey M. Avdoshin

Higher School of Economics Personal Data in the World of Globalization and Digitization

Higher School of Economics Main Regulations Federal laws Governmental Regulations Normative Documents of the Regulatory Authorities On Ratifying the European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data The Federal Law of the Russian Federation of 19 December 2005 No. 160-FZ On Ratifying the European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data On Personal Data The Federal Law of the Russian Federation of 27 June 2006 No. 152-FZ On Personal Data Government Regulation No. 781 of November 17, 2007 Government Regulation No. 687 of September 15, 2008 Government Regulation No. 512 of July 6, 2008 Supervision Agency for Information Technologies and Communications (aka Roskomnadzor) Federal Service for Technical and Export Control Federal Security Service

Higher School of Economics Major Provisions of the Law  Operator should take the appropriate security measures to ensure personal data protection against accidental or unauthorized access, alteration, destruction or dissemination.  Personal Data subject has an excusive right to decide whether to submit their personal data to an operator for processing  A documentary evidence of data subject’s agreement on their personal data processing should be in operator’s disposal  Data subject has a full authority to access their personal data stored within any operator’s information system.  The State creates a designated authority to ensure the data subject rights protection

Higher School of Economics Affected Domains Business IT Individuals FinanceEducation Security

Higher School of Economics Social Networking % Reach of Country’s Total Internet Audience * Research of Russian Social Media – 2010 // ROSE agency in cooperation with HeadHunters.ru, March – April ** 2010 Social Networking Report // Experian Simmons, June networking-report.htmlhttp:// networking-report.html *** Social Networking Has Banner Year in France, Growing 45 Percent // ComScore Press Release, February *** Steven Van Belleghem. Social Media around the world // InSites Consulting, Dec 2009 – Jan

Higher School of Economics Web Search for ‘Personal Data’ Blue: ‘персональные данные’, Region: Russia Grey: ‘personal data’, Region: Worldwide Source:

Higher School of Economics Designated Authority for Protection of Personal Data Subject’s Rights is obliged:  to organize protection of the rights of subjects of personal data  to control that protection of personal data is in accordance with the requirements of the present Federal Law and other Federal Laws  to consider the complaints and applications of citizens or legal entities on questions connected with the processing of personal data  to keep the Register of Operators  to take measures aimed at improving protection of the rights of subjects of personal data;

Higher School of Economics Number of Appeals from Personal Data Subjects Sources:  Roskomnadzor. Public summary report – 2009 //Ministry of Communications and Mass Communications of the Russian Federation, Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications  Report on the activities of Designated Authority for Protection of Personal Data Subject’s Rights in 2008 //Ministry of Communications and Mass Communications of the Russian Federation, Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications

Higher School of Economics Operators of Personal Data – ‘Leaders’ by the Number of Complaints Source: Roskomnadzor. Public summary report – 2009 //Ministry of Communications and Mass Communications of the Russian Federation, Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications

Higher School of Economics Appeals from ‘bad guys’  Tax-dodgers and debtors failing to pay rent can prosecute media that publish personal data

Higher School of Economics Operator’s Responsibilities Within 3 days! Destroy the Personal Data Detection of inadequate personal data Detection of operator misconduct with regard to personal data Processing of personal data after the revocation of subject’s consent Eliminate the Violation Within 7 days Motivated Refusal Request from Personal Data Subject about the presence and contents of their data in Operator’s information system Detailed Response Within 10 days

Higher School of Economics Violation of the Law  Civil, criminal, administrative and disciplinary liability of physical and legal entities  Penalty up to RUR (~$17K)  Suspension of operator business activities for a period of up to 90 days  Arrest for a period of up to 6 months / corrective labor for a period of up to 1 year  Discharge / Revocation of the right to hold a position for a period of up to 5 years

Higher School of Economics FZ in IT Industry Source: Personal Data in Russia – 2008 // Perimetrix Research Paper IT Staff and Management Awareness Influence on Personal Data Protection

Higher School of Economics Justification of Investments in Security  “Up to 5% of IT budget in western companies is allocated to information security, while in Russia it is only 0.5%” [2008 ]  “If we used the same language with CFO to explain them why Information Security investments are important, we would be able to reach the 5% level of expenditures” Vladimir Mamykin Microsoft Director on information security at Microsoft Russian Federation

Higher School of Economics Conclusions  The awareness of people about their rights for personal data has significantly improved  The State designated an authority to ensure the data subject rights protection  CSOs received a sound argument to justify investments into information security  Lawyers became involved in IT projects focused on personal data protection  The law acts as a powerful stimulus for the development of information security culture in Russia in accordance with international standards

Higher School of Economics References  The Federal Law of the Russian Federation of 19 December 2005 No. 160-FZ On Ratifying the European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data  Roskomnadzor. Public summary report – 2009 //Ministry of Communications and Mass Communications of the Russian Federation, Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications  Report on the activities of Designated Authority for Protection of Personal Data Subject’s Rights in 2008 //Ministry of Communications and Mass Communications of the Russian Federation, Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications  Portal on Personal Data // Designated Authority for Protection of Personal Data Subject’s Rights  Research of Russian Social Media – 2010 // ROSE agency in cooperation with HeadHunters.ru, March – April  2010 Social Networking Report // Experian Simmons, June  Social Networking Has Banner Year in France, Growing 45 Percent // ComScore Press Release, February  Steven Van Belleghem. Social Media around the world // InSites Consulting, Dec 2009 – Jan  Personal Data in Russia – 2008 // Perimetrix Research Paper

Personal Data Protection in Russia: Trends of the Last Decade