The Draft Law appears extensive. It takes up 34 pages, and the personal data legislation has never seen so many amendments.

The following significant amendments already seem notable:

• They make the Personal Data Federal Law applicable outside Russia, in particular, its provisions will apply to foreign persons processing personal data of Russian citizens.
• They establish a direct ban on denying service to individuals if they refuse to provide their personal data, unless it is mandatory.
• They impose an obligation on personal data operators to notify the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor), within 24 hours, of any computer incidents involving personal data. They also require personal data operators to ensure uninterrupted interaction with the GosSOPKA^[1] system, in order to inform, among other things, of any computer incidents that led to a "leak" of personal data.
• The response time to requests from Roskomnadzor and personal data subjects is reduced by two thirds – to 10 work days. The amendments also establish the maximum response time to requests from personal data subjects to stop personal data processing or to clarify, block or destroy personal data – 30 days following the receipt of such request.
• They eliminate a number of grounds which allowed to process personal data without giving a notice to Roskomnadzor, including personal data processing under the labor law and personal data processing only for purposes of performing an agreement with the personal data subject.
• They introduce a ban on processing biometric personal data of minors.
• They require consent to personal data processing to be given in a “concrete, substantive, informed, willful and explicit manner,” instead of the previous “concrete, informed and willful manner.”
• Public access to information on real estate owners from the Unified State Register of Real Estate is now limited.

We would also like to highlight the significant changes which affect operators carrying out cross-border transfer of personal data:

• A new procedure for notifying Roskomnadzor of the cross-border transfer of personal data is established:
  • For transferring abroad personal data of Russian citizens, the appropriate notification must be given to Roskomnadzor (in form of a paper or electronic document);
  • Such notification is to be considered by different state agencies (Roskomnadzor, FSB and Ministry of Defense) within 30 days;
  • Based on the results of consideration, cross-border transfer of personal data may be prohibited for a number of reasons, e.g. in order to protect the constitutional order of the Russian Federation, morality, health, rights and legitimate interests of citizens or to ensure the security and protection of the state;

• Until the notification procedure described above is completed, an operator is not allowed to transfer personal data to states that do not provide adequate protection of rights of personal data subjects. This concerns, in particular, the US and China. However, an operator's ability to carry out cross-border transfer of personal data to the states that do provide adequate protection of rights of personal data subjects (in particular, EU countries) is not limited;
• If Roskomnadzor decides to ban or limit the cross-border transfer of personal data, an operator must ensure that the personal data received earlier is destroyed by the recipient.

Proposals to amend the Draft Law are to be submitted by June 22, 2022, and then it will be considered in the second reading.

We would like to note that amendments to Article 16 of the Law on protection of consumers' rights as pertains to collection of consumers' personal data were adopted on May 01, 2022. New Clause 4 of the said Article prohibits sellers/providers/owners of aggregators from refusing to enter into, perform, amend or terminate an agreement if the consumer refuses to provide their personal data. An exception to the above is when the provision of personal data is required by the Russian law or connected directly with the performance of an agreement with the consumer.

In addition, corresponding amendments were made to Article 14.8 of the Administrative Offenses Code of the Russian Federation: according to new Section 7 of the said Article, a refusal to enter into, perform, amend or terminate an agreement if the consumer refuses to provide their personal data in the absence of the above mentioned exceptions may lead to a fine for officials in the amount up to RUB 10,000 and for legal entities up to RUB 50,000.

These new amendments will take effect on September 01, 2022.

We will continue to monitor the developments of the law and will keep you updated.