The Russian Personal Data Law refers to an official list of countries deemed to provide the adequate level of data protection (the “List”). The List is maintained by the competent regulatory authority, Roskomnadzor.
The significance of the List is that cross-border transfer of personal data of Russian citizens is allowed to countries from the List, and to the states that have ratified the Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data, which is a total of 51 countries, including all EU countries, without a specific consent for such a transfer.
On August 16, 2017, Roskomnadzor officially announced that the list was amended by including Costa Rica, Qatar, Mali, Singapore, Republic of South Africa, Gabon and Kazakhstan, and excluding Senegal (which ratified the Council of Europe Convention in 2016 and is now exempt from the consent requirement on that basis, rather than because of being in the List). Notably, the United States is not on the List.
