We would like to inform you that on 10th October 2018, the Russian Federation signed a protocol modernizing the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data dd. 1981 (“Protocol” and “Convention 108” respectively).
The Convention 108, that has been adopted by the Council of Europe is the only legally-binding multilateral agreement in the field of personal data protection. Convention 108 provides a legal framework, and requires the parties to incorporate into their respective national laws, necessary measures to ensure protection of human rights in the area of personal data processing. Convention 108 was a source of inspiration for the EU data protection laws. Its provisions were also a guidance for Russian lawmakers.
Convention 108 was opened for signatures in 1981, long before technological breakthrough and globalization in IT area. The purpose of this Protocol is the modernization of the Convention 108 in the light of new challenges.
Russia, being the party to the Convention 108, will have to incorporate the amendments and ensure their proper enforcement. Below, you will find a brief overview of the key changes under the Protocol, which will likely be incorporated into Russian legislation in the near future.
The Protocol significantly increases the level of data protection and specifies principles and requirements already implemented in the GDPR, which has recently come into force.
In this sense, incorporation of the Protocol’s provisions into national legislation will be a step forward for the harmonization of Russian data protection legislation with the European one.
The updated Convention 108 ensures a higher level of protection by introducing some fundamental changes, such as
Data breach notification. Under the Protocol, a data controller shall, without delay, notify its data protection authority of any data breaches which may seriously interfere with the rights and fundamental freedoms of data subjects. Russian laws currently do not require data controllers to notify the data protection authority of security incidents.
New types of sensitive data. The Protocol expands the categories of sensitive personal data to those recognized as sensitive data under the GDPR. e.g., it relates to genetic, trade union membership and ethnic origin.
New roles in data processing. Apart from the data controller, Convention 108 regulates data recipients (parties to whom data are disclosed, or made available) and data processor (a party processing data on behalf of the data controller).
Strengthening proportionality and data minimization principles. In accordance with the Protocol, data processing shall be proportionate in relation to the legitimate purpose pursued and reflect, at all stages of the processing, a fair balance between all interests concerned, whether public or private, and the rights and freedoms at stake.
New data subjects’ rights. In particular, the Protocol specifies the right not to be subject to a decision, based exclusively on an automatic processing, without having data subjects’ views taken into consideration, the right to obtain knowledge of the reasoning underlying the processing and the right to object.
Additional safeguards protecting data subjects. Data controllers are obliged to examine the likely impact of intended data processing on the rights and fundamental freedoms of data subjects prior to the commencement of such processing and implement relevant technical and organizational measures.
Privacy by design principle. Data controllers and data processors shall design the data processing in such a manner as to prevent, or minimize, the risk of interference with data subjects’ rights and fundamental freedoms.
Please note that this is not a full list of legislative novelties set out by the Protocol.
In accordance with the established procedure, the Protocol shall enter into force on the first day of the month following the expiration of a period of three months, after the date on which all parties to the Convention 108 have expressed their consent to be bound by the Protocol. Currently, only 21 parties to the Convention 108 (of 53) have signed the Protocol and therefore it has not entered into force yet. If all 53 parties do not sign the Protocol within 5 years after the date on which it was opened for signature (i.e. after June 25, 2018), then it will come into force automatically for those parties who have signed it.
Officials of the Russian data protection authority (Roskomnadzor) already announced that they were working on a draft bill to amend legislation in accordance with the amended Convention 108. This means that Russia will implement the GDPR standards in its national legislation.
If Russia efficiently implements provisions of the Convention 108, it will have more chances to be recognized, under the EU law, as a jurisdiction providing adequate level of data protection. This will remove many restrictions regarding international data transfers. The final decision in this regard will be made by the European Commission.
We hope that the information provided herein will be useful for you. If you or any of your colleagues would like to receive our newsletters via e-mail, please fill in the 'Subscribe' form at the bottom of the page.
Practices: Data Protection and Cybersecurity
Note: Please be aware that all information provided in this letter was taken from open sources. Neither ALRUD Law Firm, nor the author of this letter bear any liability for consequences of any decisions made in reliance upon this information.