Major changes to federal law "On personal data"
- Author: Vadim Kovalyov
- Service: Data Protection
- Date: 21.07.2022
Federal Law No. 266-FZ was signed and published on 14.07.2022, introducing large-scale changes to the regulation of personal data processing. After consideration by the State Duma, the draft law changed substantially compared to the previous version we reviewed earlier.
The most important changes affect the cross-border transfer of personal data:
- The previously proposed procedure for notifying Roskomnadzor of the cross-border transfer of personal data has been clarified:
- As before, an appropriate transfer of personal data abroad requires a notification to be given to Roskomnadzor (in the form of a paper or electronic document). It is now explicitly stated that such notification must be submitted separately from the notification of the intent to process personal data;
- NEW! A personal data operator intending to carry out cross-border transfer of personal data now has the following obligations:
- Before submitting the notification, the personal data operator must obtain from the foreign persons/entities to which the personal data is to be transferred information on the measures they take to protect personal data and the conditions for termination of its processing;
- If the recipient of personal data does not fall within the jurisdiction of a state that is a party to the Council of Europe's Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data or a state included in the list of states that provide adequate protection of rights of personal data subjects, the personal data operator needs to obtain information on the legal regulation of personal data processing in such state;
- The personal data operator must provide such information to Roskomnadzor, if requested.
- Roskomnadzor will consider the notification within 10 work days, rather than the initially proposed 30 work days;
- Based on the results of consideration, cross-border transfer of personal data may be prohibited or limited for a number of reasons, e.g. in order to protect the constitutional order of the Russian Federation, morality, health, rights and legitimate interests of citizens or to ensure the security and protection of the state.
- The personal data operator may transfer personal data to states that do not provide adequate protection of rights of personal data subjects only after 10 work days following the date the notification is submitted to Roskomnadzor, unless a decision is made to prohibit or limit such transfer (the only exception is when personal data is needed to protect the life, health or other vital interests of the personal data subject). Such states include, in particular, the US and China. However, the transfer of personal data to states that do provide adequate protection of rights of personal data subjects (e.g. EU countries) is allowed immediately after the notification is submitted to Roskomnadzor.
- If Roskomnadzor decides to prohibit or limit the cross-border transfer of personal data, the operator must ensure that the recipient destroys the personal data received earlier.
- NEW! The final text of the draft law also contains a new regulatory provision establishing that the requirements to notify of the cross-border transfer of personal data do not apply in cases when the personal data operator transfers data for purposes of fulfilling functions and duties of state bodies and the Russian Federation. The list of such cases is to be determined by the Russian Government.
- NEW! New requirements for cross-border transfer of personal data apply retroactively, meaning that persons already transferring such data must notify Roskomnadzor by March 1, 2023 in accordance with the said requirements.
In addition, there are the following amendments:
- The law imposes an obligation for personal data operators to interact with the State system for detecting, preventing and eliminating effects of computer attacks on information resources located in the Russian Federation (GosSOPKA),[1] but the word “continuously” was deleted from the description of the personal data operator’s obligation to continuously interact with this system. As we see it, this is because personal data operators would incur significant costs in ensuring continuous interaction with GosSOPKA. The final procedure for interaction with GosSOPKA will be developed by the FSB.
- The principle of extraterritoriality for applying the Federal Law "On personal data" is set out in its new version: provisions of the Federal Law "On personal data" will apply to personal data of Russian citizens being processed by foreign persons under an agreement or other arrangements between foreign persons and a Russian citizen or a separate consent from a Russian citizen to process their personal data.
- The final text sets a substantially shorter period for personal data operators to reply to requests from Roskomnadzor and personal data subjects: personal data operators must now reply to all requests and demands (including those to terminate processing of, clarify, block or destroy personal data) within 10 business days. This period may be extended by 5 business days if a reasoned notification is given to Roskomnadzor or the personal data subject.
- The newly introduced provision on narrowing down grounds for operators to process personal data without notifying Roskomnadzor remained unchanged. In other words, now, in most cases, the operator must notify Roskomnadzor in order to process personal data.
- Moreover, regulation of biometric data has changed, namely, now any person, regardless of age, may refuse to provide their biometric personal data for processing, unless it is required by law.
- NEW! Requirements as to the content of the personal data processing policy have been changed: the categories and types of personal data being processed, the categories of subjects whose personal data is being processed, the methods and timeframes of its processing and storage, and the procedure for destroying personal data must now be specified for each purpose of personal data processing.
- NEW! Provisions have been added to amend the Consumer Rights Protection Law and impose the obligation to pre-install the Unified Application Store on mobile devices.
Once the Russian President signs the federal law, most of the provisions will take effect on September 1, 2022, except for the following:
- New requirements for notification of cross-border transfer of personal data;
- Provisions on the interaction of personal data operators with GosSOPKA;
- Provisions on amendments to the procedure for providing information from the Unified State Register of Real Estate;
- Provisions obliging personal data operators to act in compliance with additional rules not yet developed by Roskomnadzor,
which will take effect starting from March 1, 2023.
[1] State system for detecting, preventing and eliminating effects of computer attacks on information resources located in the Russian Federation.