New Russian Legislation May Contradict GDPR

King & Spalding

In July 2016, two bills became law as part of a package of amendments designed to protect Russian citizens’ data against terrorism. The measures were dubbed the “Yarovaya Law” or “Yarovaya Package” after one of their authors, State Duma Deputy Irina Yarovaya, who is known for her other initiatives mainly aimed at restricting the distribution of information. The counter-terror measures come into force on July 1, 2018.

The regulation requires Russian operators of communication networks (mobile operators and internet providers) to record communications between all users, store those records for at least six months, and provide such data to the authorities at their request. The new provisions also expand the powers of Russian enforcement officers with respect to the monitoring of data.

As the new provisions make no exceptions for data pertaining to foreign citizens, the personal information of EU citizens visiting Russia or residing in Russia may become part of such recorded communications, be stored in Russia, and be provided to Russian authorities without the consent of the relevant data subjects.  Such use and disclosure is very likely to contradict the provisions of the new European Union (“EU”) General Data Protection Regulation 2016/679 (“GDPR”).  The GDPR includes significantly enhanced protections for EU citizens with regard to the processing of personal data and the free movement of such data outside of the EU to third countries—including Russia—where adequate protections for that data are not in place.  The GDPR comes into force in May 2018.

The issue was raised by the Internet Research Institute, an association of industry experts. The Russian government has refrained from commenting on the issue, while local operators note that, in the case of serious breaches of the fundamental principles of the GDPR, the relevant Data Protection Authority has legislative authority to impose fines of up to EUR 20,000,000, or up to four percent of an organization’s total worldwide annual turnover or revenues for the preceding financial year.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
