Russia adopts new rules on cross-border data transfers
17 March 2023
On 1 March 2023, amendments to article 12 of the Federal Law on Personal Data No.152-ФЗ dated 27 July 2006 (PDL) established transfer impact assessments and filings with the data protection authority as the pre-conditions for cross-border personal data transfers. In certain cases, Russia may suppress outgoing data flows in an extra-judicial procedure. This article outlines the legislative changes and suggests how the affected companies should comply.
Scope of application
The amendments to article 12 of the PDL, established by Federal Law No.266-ФЗ dated 14 July 2022, apply to any data exporter that intends to transfer personal data from Russia to any importer (governmental body, natural person or legal entity) situated outside that country. The nationality of data subjects does not matter. The new rules do not affect personal data flowing into the territory of Russia.
Transfer impact assessment
The amendments require that the data exporter perform a transfer impact assessment (TIA) prior to conducting a cross-border transfer for the first time. This TIA will cover the subsequent transfers unless their conditions (eg, data importer, destination country, purpose, data categories) are changed.
The Russian TIA procedure is different from those described in the European Data Protection Board's recommendations. The data exporter must assess how the data importer "ensures personal data confidentiality and security in the course of processing" based on the information received from the importer (Article 12(5) of the PDL). The amendments establish no assessment criteria or methodology. Consequently, the exporter should decide how to carry out and document the assessment on its own.
Adequacy decisions
The data exporter must perform a TIA in all cases and for all destination countries with rare exceptions not applicable to business purposes. If there is an adequacy decision regarding the destination country, performing a TIA will not require analysing the laws of that country. There are adequacy decisions in respect of all signatories to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) and several other countries shortlisted by the data protection authority (the Roscomnadzor) including, among other countries:
- China;
- Singapore;
- Japan;
- South Korea;
- Israel; and
- Canada.
TIA request
Under article 12(5) of the PDL, the data exporter must receive from the data importer the following information:
- the data importer's full name, postal address, phone number and email address;
- a description of how the data importer protects personal data to be received from the exporter (data protection measures) and under what conditions the data processing will be terminated; and
- a general description of the privacy laws in the data importer's jurisdiction if there is no adequacy decision in respect of the destination country.
The exporter must disclose the information received from the data importer at the request of Roscomnadzor.
Cross-border transfer notice
The data exporter must notify Roscomnadzor prior to conducting a cross-border transfer. Under article 12(4) of the PDL, the notice must contain:
- the exporter's company name and address, date and number of the previously filed data processing notice (this is a general notice describing all data processing operations and security measures to be filed by everyone who processes personal data within Russia);
- the name of the data protection officer (DPO), phone number, postal address and email address;
- the lawful basis and purpose of the cross-border transfer and further data processing;
- the data categories;
- the types of data subjects;
- the destination countries; and
- the date of completing the TIA.
A notice must be filed prior to conducting a cross-border transfer for the first time. The notice will cover subsequent transfers until the details specified above become outdated.
If there is an adequacy decision regarding the destination country, personal data may flow right after the exporter files the relevant cross-border transfer notice.
If there is no adequacy decision, the exporter must not conduct a cross-border transfer until the Roscomnadzor reviews the relevant cross-border transfer notice. As a rule, the exporter must wait for 10 business days from filing the notice.
Suppressing transfers
Within 10 business days following the day of receipt of the relevant cross-border transfer notice, the Roscomnadzor has the power to restrict or prohibit a cross-border transfer for protecting morality, citizens' health, rights and legal interests.
At the request of competent state authorities, the Roscomnadzor has the power to restrict or prohibit a cross-border transfer for:
- protecting the constitutional system;
- ensuring the state security and national defense; and
- protecting national, economic and financial interests.
For these purposes, a cross-border transfer may be suppressed at any time (even upon the expiry of the 10-business-day period).
If a cross-border transfer is restricted or prohibited, the data exporter must cease the affected cross-border transfer and ensure that the data importer has destroyed previously received personal data (Article 12(14) of the PDL).
The restrictions and prohibitions should be imposed without recourse to court, but the exporter may challenge them in a judicial procedure.
Standard contractual clauses
In contrast with the General Data Protection Regulation, the PDL does not provide for concluding standard contractual clauses (SCC) or their equivalent. It seems reasonable that the data exporter and data importer agree on their obligations to provide the necessary information for a TIA, conduct a TIA and destroy personal data (if a cross-border transfer is suppressed) in a data transfer agreement.
Comment
The new cross-border transfer rules may hamper the exchange of information between Russian and foreign companies. To mitigate this risk, such companies should agree on backing up their communication channels and updating force-majeure and termination clauses in their contracts. Russian offices of multinational companies should figure out how to continue routine operations autonomously if their intra-group data flows are restricted (eg, they may use local internet technology solutions if global systems become unavailable).
It may be practical to add Russia-specific clauses to data transfer agreements. The new rules do not preclude Russian companies from entering into the SCC if their partners request it.