Russian Federation

[RU] Statute on Personal Data Adopted

IRIS 2006-10:1/29

Nadezhda Deeva

Moscow Media Law and Policy Centre

On 29 July 2006 a new Federal Statute “On Personal Data” was adopted (it will come into force on 25 January 2007). This was done to comply with the international obligations of the Russian Federation, since in January 2006 Russia ratified the European Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (signed in Strasbourg on 28 January 1981).

The problem of personal data protection had been discussed in Russia since 1997 when the first draft law was worked out. In 1999 the Model Statute on Personal Data of the Commonwealth of Independent States was adopted. Nevertheless, the provisions of that Act did not comply with the provisions of the Convention and needed revision.

The new Statute contains basic notions which are very similar to those that can be found in the Convention. The main concepts of the Act correspond with those set out in the Convention. The Statute clarifies and itemizes the general provisions of the Convention and adapts them to the needs of Russian society.

The Statute provides effective legal mechanisms for the protection of personal data. For example, personal data can normally be used or processed only on condition of confidentiality; it means that the data on a person (in case he/she is identified or identifiable) may not be processed unless the operator had received the person’s prior written consent. The cases when data can be used without consent are enumerated in the Statute.

According to the Statute, processing of personal data should comply with the clearly stated legal aims of the processing. The new Statute also provides appropriate safeguards for the processing of special categories of data, such as data revealing racial origin, political opinions, religious or other beliefs, as well as personal data concerning health or sexual life, as well as data relating to criminal convictions.

The Statute contains provisions on transfrontier flow of personal data. According to the Statute, it is possible only in cases where the other state provides the appropriate standard of data protection. In cases where this condition is not fulfilled, the transfer of data is possible if the written consent of the person is obtained, in matters of national security or defense of the Russian Federation, or there is an international obligation of the Russian Federation in the sphere of legal cooperation, or the data concern a party of the contract, or in visa affairs, or if the life, health and other key interests of the person or other people need protection and it is impossible to receive the otherwise necessary consent.

According to the Statute, the functions of supervision over compliance with legislation on personal data are fulfilled by the competent governmental agency.

A breach of the Statute would incur in civil, administrative, criminal or disciplinary liability.