HOT TOPICS IN DATA PRIVACY REGULATION IN RUSSIA

Ksenia Andreeva, Anastasia Dergacheva, Vasilisa Strizh, Brian Zimbler

November 14, 2017

© 2017 Morgan, Lewis & Bockius

Contents

• Year in review: new laws, initiatives and recent cases in the data privacy field

• News from the Russian data protection regulator, Roskomnadzor

• Hottest topics:

– Consents and other legitimate grounds for personal data processing

– Transfers of personal data to third parties including cross-border transfers as the new EU regulations (GDPR) become effective

– Localization of data storage: recent trends


General Background

• Federal Law No. 152-FZ “On Personal Data” (the “PD Law”) of 2006:

– based on the EU Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data

– personal data is any information directly or indirectly related to an identified or identifiable individual (data subject)

– no concepts of “data controller” and “data processor”

– concept of “data operator”, a person that organizes or carries out (alone or together with other persons) the processing of personal data and determines the purposes of processing

– data processing can be delegated to a third party, who will be acting under the authorization or “instruction” of the data operator

• The PD Law applies to all data operators and to third parties acting under the authorization of data operators. Certain provisions of the PD Law also apply to data operators that have no legal presence in Russia but target Russian customers

• Federal Service for Supervision of Communications, Information Technology and Mass Media, or Roskomnadzor, is the data protection authority


YEAR 2017 - NEW LAWS, INITIATIVES AND COURT CASES IN THE DATA PRIVACY FIELD

SECTION 01

Administrative Fines Effective as of 1 July 2017

• New version of Article 13.11 of the Russian Administrative Offences Code is effective from 1 July 2017:

– Before: 1 violation (generic) with maximum fine of 10,000 Rubles (about US$170)

– Now: 7 separate violations, each with its own fine of up to 75,000 Rubles (about US$1,290)

• Streamlined enforcement procedure

– Roskomnadzor may directly issue notices of administrative violations and impose fines

– Roskomnadzor does not need to involve the general prosecutor’s office

• No clarity on how to calculate fines

– one fine per individual whose rights are violated?

– one fine per violation, regardless of the number of individuals affected?

• Who is liable – data operator or third party processing data under the operator’s instruction?

• What if the data operator or third party processor has no legal presence in Russia?


New Guidelines from Roskomnadzor

• Roskomnadzor’s Code of Good Practices (available at Roskomnadzor’s official website)

• May 2017: new Guidelines for notifying Roskomnadzor on the commencement of personal data processing (= registration with Roskomnadzor)

• June 2017: list of countries providing for “adequate” protection of personal data:

+ New: Costa Rica, Qatar, Mali, Singapore, South Africa, Gabon, Kazakhstan

• July 2017: Roskomnadzor published recommendations for drafting personal data policies

• November 2017: Roskomnadzor offered new interpretation of certain important concepts, during its VIII Annual Conference on Personal Data


New Legislative Initiatives

• Draft Law No. 305068-7: introduced to State Duma on November 3, 2017

– personal data of minors = special sensitive data category

– additional complex rules for processing of personal data of minors

• Draft Law No. 157752-7 (amendments to Anti-Money Laundering Law): approved in the 1st hearing on September 27, 2017

– biometric personal data of banks’ clients will be available in the Unified System of Identification and Authentication

– further processing of such biometric data by other banks is subject to consent of the data subject signed by simple e-signature

• Draft Law on Big Data:

– Roskomnadzor may release the draft by the end of 2017

– expected to reflect Roskomnadzor’s position on non-traditional personal data, including IP addresses, log files, login details, cookies, or any other information or technology (e.g., website analytics, targeted online advertising)


Old Initiative (Still on the Table)

• Draft Law No. 416052-6 “On Introduction of Changes to Personal Data Law and Article 28.3 of the Russian Administrative Offences Code”

– new definition of “data processor”

– express provisions on electronic form of data processing consent

– additional ground for cross-border transfer to “inadequate” countries

– obligation to notify leakage of personal data to Roskomnadzor

• Status of the Draft Law:

– introduced to the State Duma in 2013

– approved in the 1st hearing on May 26, 2017

– revised draft law for the 2nd hearing is still pending…


Court Practice: Vkontakte v. Double Data

• January 2017: Vkontakte filed a lawsuit against Double Data and National Bureau of Credit Histories for the alleged

– violation of IP rights of the manufacturer of the social network users’ database

– unauthorized commercial use of users’ personal data

• August 2017: Settlement agreement with National Bureau of Credit Histories

– concept of “publicly available data” and limits of its collection/use

• October 2017: Moscow City Arbitrazh Court ruled in favor of Double Data

– respondent’s software retrieves only public data of users and cannot access “private” profiles

– owners of information contained in the users’ profiles are users themselves, not the database owner

– legal grounds for personal data processing have not been assessed by the court


NEWS FROM ROSKOMNADZOR

SECTION 02

News from Roskomnadzor

• Roskomnadzor encourages companies that process large volumes of personal data to have their strategy on data processing “approved” by the regulator

• As part of its “systematic monitoring” of the market, Roskomnadzor identifies companies that are not yet registered with it and requests explanations of the grounds for their data processing (approximately 12,000 requests circulated in Y2017)

• Scheduled inspections list for Y2018 will be published at the beginning of December 2017

• Unscheduled inspections – 3 working days’ notice, with a possible extension at the request of the operator

• In Y2018 most of the inspections are expected to be documentary and on-site


Roskomnadzor Inspections: From July 2017 to date

[Pie chart: breakdown of administrative violations found under new Article 13.11 of the Russian Administrative Offences Code; segments of 51%, 10%, 21%, 13% and 5% in the order extracted, covering the five categories listed below]

• Processing of personal data without legal grounds or in a manner that is incompatible with the purposes of their collection

• Failure to comply with the requirements for obtaining written consent of individuals

• Failure to publish or otherwise make publicly available the personal data processing policy

• Failure to amend, block access to or destroy personal data at the legitimate request of a data subject or competent authority

• Breach of the secure storage rules for tangible media objects


CONSENT ON DATA PROCESSING AND OTHER LEGITIMATE GROUNDS FOR PERSONAL DATA PROCESSING

SECTION 03

Individual’s Consent on Data Processing

• Data subject’s consent on his/her data processing

– informative and explicit (no “implied consent” concept)

– forms: “simple”, “written” and “electronic” – what are the differences?

• Term (consents must specify the period they are given for)

– retroactive consents – are they possible?

– consents to process data indefinitely – are they allowed?

• Purposes of data processing

– clear and specified, no broad or generic language is allowed

– separate consent for each processing purpose

– separate consent for direct marketing activities

• Roskomnadzor’s advice on the best practices for obtaining consents

– on paper

– in electronic form


Other Legitimate Grounds for Data Processing

• Limited grounds for legitimate data processing without individual’s consent (Article 6 of the PD Law):

– for performance of a contract to which the data subject is a party, or where the data subject is the beneficiary or guarantor

– to protect data operator’s or third parties’ rights and interests, or for public purposes, provided there are no violations of rights and freedoms of the individuals

– if the data processing purposes are explicitly defined by an international treaty

– for certain judicial purposes

– to protect life, health or other vital interests of the individual

– as a part of professional journalistic, media, scientific, literary or other creative activities

– for statistical or other scientific purposes (provided the relevant personal data has been made anonymous)

– if the data has been made publicly available by the individual or at his or her request (caution: not all publicly available data will qualify)

– if the data must be made publicly available or disclosed under Russian law


TRANSFERS OF PERSONAL DATA TO THIRD PARTIES

SECTION 04

Transfers of Personal Data to Third Parties

• All countries that are signatories to the Strasbourg Convention are considered to be jurisdictions that provide “adequate protection” of the rights and interests of data subjects

• Transfers to countries that do not provide adequate protection require the written consent of the individual, unless one of the exemptions applies

• Transfers from Russia to any third party – whether in Russia or outside Russia – are allowed based on the “instruction” from data operator (= data transfer agreement)

• Roskomnadzor’s advice on the best practices on the scope of instruction (= data transfer agreement):

– clear and detailed rules on data processing by a third party

– purposes of processing

– organizational measures

– security measures

– regular audits by the data operator

– additional grounds for liability

• No recommended form from Roskomnadzor


GDPR regulations – Impact on Data Transfers

• According to Roskomnadzor, GDPR requirements will not be applicable to data processing conducted in Russia, except for the limited cases of “specifically targeting EU customers”

• Registration as a data operator – approach of EU regulations v. Roskomnadzor practice

• Russian law requirements generally applicable to any transfers to the EU

– operator’s instruction / data transfer agreement

– no special rules on transfers between group companies (meaning the general rules apply)


LOCALIZATION OF DATA STORAGE: RECENT TRENDS

SECTION 05

Main Compliance Strategies

• Companies that process significant amounts of personal data

– transfer all data of Russian citizens into a local data center: rent space in existing data center or create own data center

– hire third party vendor providing localization services

• Other businesses

– create a database containing employees’ personal data on a local computer (e.g. in the HR department); and

– formalize transfer of data to other companies of the group by entering into a data transfer agreement; and

– include protective language in contracts with IT vendors regarding compliance with personal data laws, including localization requirements.


Follow Us!

• Morgan Lewis’s Tech & Sourcing @ Morgan Lewis blog highlights the latest developments and trends affecting technology, outsourcing, and other commercial transactions.

https://www.morganlewis.com/blogs/sourcingatmorganlewis

• ML on Twitter: @MLGlobalTech and #MLGlobalTech

• November 17: Hot Topics in Data Privacy Regulation in Russia – in Russian


Biography


Ksenia Andreeva

Moscow

T +7.495.212.2527

E [email protected]

Ksenia Andreeva specializes in intellectual property (IP) matters. She advises on a wide range of transactional, regulatory, and commercial IP matters as well as disputes and enforcement of IP rights. Ksenia is a registered trademark lawyer and is admitted to represent clients before the Russian Patent and Trademark Office (Rospatent). She also has experience with IP disputes in the Chamber for Patent and Disputes and the Russian commercial courts. Her clients include companies in media, technology, telecommunications, and many other industries.

Biography


Anastasia Dergacheva

Moscow

T +7.495.212.2516

E [email protected]

Anastasia Dergacheva counsels diverse clients on a variety of matters relating to intellectual property, regulatory, and antitrust matters. Anastasia represents major Russian and multinational companies in a broad spectrum of industries, including entertainment, engineering, information technologies and telecommunications industries.

Biography

Vasilisa Strizh

Moscow

T +7.495.212.2540

E [email protected]

Vasilisa Strizh represents global and domestic strategic and financial investors across multiple industries, including financial services, mass media and telecommunications, energy, and pharmaceuticals and life sciences. Vasilisa’s practice focuses on cross-border investment, joint venture, and merger and acquisition transactions. Vasilisa also counsels on corporate governance and compliance. She has served as lead lawyer on complex corporate projects, including acquisitions, divestitures and joint ventures, public and private equity offerings, financing, and structured settlements.

Biography


Brian Zimbler

Moscow/Washington DC

T +7.495.212.2511

T +1.202.739.5650

E [email protected]

Brian L. Zimbler advises on cross-border investment and financial matters, primarily in emerging markets. He has more than 25 years of experience with transactions involving Russia, Kazakhstan, and other countries in the former Soviet Union. Brian serves as the Managing Partner of the Moscow office, and has advised on some of the largest foreign investments in the region. Brian represents clients in a wide range of industries, including energy, manufacturing, media, pharmaceuticals and life sciences, real property, retail, and technology.


© 2017 Morgan, Lewis & Bockius LLP

© 2017 Morgan Lewis Stamford LLC

© 2017 Morgan, Lewis & Bockius UK LLP

Morgan, Lewis & Bockius UK LLP is a limited liability partnership registered in England and Wales under number OC378797 and is a law firm authorised and regulated by the Solicitors Regulation Authority. The SRA authorisation number is 615176.

Our Beijing and Shanghai offices operate as representative offices of Morgan, Lewis & Bockius LLP. In Hong Kong, Morgan Lewis operates through Morgan, Lewis & Bockius, which is a separate Hong Kong general partnership registered with The Law Society of Hong Kong as a registered foreign law firm operating in Association with Luk & Partners.

This material is provided for your convenience and does not constitute legal advice or create an attorney-client relationship. Prior results do not guarantee similar outcomes. Attorney Advertising.
