Understanding the New Personal Data Law: Real Risks and Common Misconceptions
Explore the key changes in the new personal data law effective September 1st and how they impact internet users and businesses.
Starting September 1st, amendments to the Personal Data Law will take effect, impacting all citizens to varying degrees. We consulted with legal experts and internet industry representatives to uncover the essential details of this legislation.
The amendments themselves are concise, spanning just one and a half standard A4 pages, and are accessible for anyone to review. The two main updates are:
- From September 1st, all organizations handling personal data of citizens must store databases within the country's territory—on their own or leased servers.
- An automated system called the "Register of Violators of Personal Data Subject Rights" will be established.
Personal data includes any information tied to an individual, such as full name, date and place of birth, address, social status, education, passport details, profession, income, and more.
Let's delve into what this new "Register" entails, the risks the law poses for internet businesses, the costs of compliance, and the penalties for violations.
What Is the "Register of Violators of Personal Data Subject Rights"?
This register will list websites and internet pages where personal data processing breaches occur. This can include any type of website—online stores, hotels, airlines, media outlets, and others. "Since the law doesn't specify the exact violations that would result in inclusion in the register, any breach of personal data regulations could qualify," explains Daria Sukhikh, Senior Lawyer at Team 29. "The government will define the rules for maintaining the register. Importantly, sites can only be added following a valid court ruling confirming the violation."
Personal data processing involves actions such as collection, storage, updating, use, dissemination, transfer, anonymization, blocking, and destruction of personal data.
Who Is Affected by the Law?
Affected businesses include those in e-commerce and transportation, tour operators, booking systems, recruitment agencies, telecommunications, banking, and payment systems. According to a July meeting between RAEC, the Russian-British Chamber of Commerce, and Roskomnadzor, over 54% of IT companies are prepared to fully comply, 27% are partially ready, and 19% are not ready at all. Key challenges include financial constraints and insufficient technical resources.
Main Risks for Businesses
"We do not see significant risks for businesses," states Yana Barash, Senior Legal Counsel at OZON Group. "The amendments do not affect cross-border data transfers, so transferring personal data of citizens to foreign service providers remains possible." Kirill Mityagin, partner at Nevsky IP Law, adds, "The main risk lies in misunderstanding the law's requirements and data processing rules, such as failing to notify Roskomnadzor or committing violations during data handling, which can lead to civil, administrative, or even criminal liability."
Potential Threats for Regular Internet Users
The primary concern for users is that their favorite platforms may struggle with compliance costs and potentially shut down. "Compliance increases our project costs by 45%," says Oleg Gribanov, Executive Director of darenta.ru. "These are unavoidable expenses if we want to adhere to the law, which we absolutely intend to do. Exact costs for servers and staff training remain confidential." Alexander Trifonov, Chief Expert at 48Prav.ru, notes, "Servers can range from approximately $500 to $7,500, with quality solutions generally costing over $1,250, depending on data volume. Leasing options start at around $75 monthly, which may suit companies with limited budgets."
Personal data protection encompasses administrative measures and technical methods to prevent unauthorized use.
Consequences for Non-Compliance
Failure to comply with data protection laws can result in criminal and administrative penalties. "Unauthorized access to protected computer information is punishable under Article 272 of the Criminal Code," explains Anton Tolmachev, Managing Director at YurPartner. "However, most violations are administrative, such as disclosing restricted information or breaching protection rules." Currently, fines range from $70 to $140 for procedural violations and $140 to $210 for protection breaches, with proposed amendments suggesting minimum fines of $700 and maximum fines up to $4,200.
International Perspectives on Personal Data Protection
In the European Union, personal data protection is governed by Directive 95/46/EC and related regulations. Following the Snowden revelations, reforms are underway to strengthen data privacy, introducing concepts such as data processors, recipients, unique identifiers, and sensitive data categories including genetic and biometric information.
Summary
Countries worldwide are updating laws to regulate personal data processing and protection. Russia's approach emphasizes state authority, contrasting with Western countries' focus on individual rights. This has sparked concerns that the new law prioritizes governmental control over genuine data protection.
Technologies news, as of 20-11-2021.


