On December 30, 2020, a law¹ was adopted establishing new rules for the disclosure of personal data to an indefinite circle of persons and processing personal data from open sources. The changes will take effect on March 1, 2021.
The new rules apply to all operators of personal data and affect both the distribution of data online and offline.
These rules have a special impact on operators of online resources and services which allow for the sharing of information with the public, as well as operators using information from open sources (e.g. the media, social networks, companies using activity (behavior) monitoring systems).
MAIN CHANGES
The law introduces conditions for processing personal data that were made publicly available by a data subject, and enables individuals to provide and withdraw consent to such processing.
1. A separate and a specific consent must be obtained
Consent to disclosure of personal data to an indefinite circle of persons (hereinafter – the “disclosure”) must be executed separately from other consents of the individual. The consent must directly permit the disclosure and contain the list of personal data allowed for disclosure. Detailed requirements to the content of the consent will be established by the regulator (Roskomnadzor) (the draft act is undergoing public discussions).
Ambiguous and unclear wording will be interpreted in favor of the individual. Silence or inaction of an individual may not be considered consent.
Consent to the disclosure can be given to the operator directly or by using a special information system of Roskomnadzor (it is not in operation yet).
Special attention to the new requirements should be paid by operators of online resources and services allowing users to share information with an unlimited number of people. For example, social networks, advertising sites, etc. may be forced to either limit access to their user/customer profiles, or obtain the required consent.
2. An individual may prohibit further processing or set conditions / restrictions for the processing of personal data
The consent to the disclosure may prohibit further transfer of personal data to an unlimited number of persons (except access to the data), as well as establish conditions / restrictions for their processing. This means, in particular, that users of social networks will be able to prohibit processing their published personal data by other persons or for certain purposes.
The consent to the disclosure should clearly indicate which pieces of personal data are subject to conditions / restrictions for processing. Absence of such conditions / restrictions should clearly follow from the wording of the consent. Information on conditions / restrictions for data processing shall be published by the operator.
Conditions / restrictions for data processing established by an individual do not apply to cases of processing data in the state and public interests determined by the legislation of the Russian Federation.
3. Each operator is obliged to prove the lawfulness of processing personal data from open sources
Before processing personal data from open sources, it will be necessary to check that the data subject has given consent to the disclosure of his / her personal data (or that there are other legal grounds for processing the data) and check conditions / restrictions for data processing.
4. The right to be forgotten
The law introduces the ‘right to be forgotten’, enabling individuals to request the deletion of their personal data and to prevent its public circulation, regardless of whether such personal data has been processed unlawfully or not. Data operators must stop processing data within three working days upon the receipt of the request.
RECOMENDATIONS
- Evaluate procedures and solutions used in processing personal data for their compliance with new requirements and, if necessary, adjust them.
- Monitor acts and recommendations of the regulator and enforcement practice.
Authors: Counsel Elena Agaeva, Associate Elena Kvartnikova, Paralegal Marina Petrova
¹ Federal Law of December 30, 2020 No. 519-FZ "On Amendments to the Federal Law "On Personal Data."