
Short FAQ about the Federal Law N 242-FZ



As recently as September 1, Roskomnadzor published the results of implementing the federal law on localizing databases of Russian citizens' personal data in Russia. The full version of the article is available at: https://rkn.gov.ru/news/rsoc/news49466.htm



Since the implementation of Federal Law No. 242-FZ, Roskomnadzor employees have conducted 2,256 planned inspections, 192 unscheduled inspections and more than 3,000 systematic observation measures, which revealed 56 violations of requirements related to the localization of personal data, about 1% of the total number of violations detected.



Infographics from the article, also presented by Roskomnadzor:


So what is this about? The notorious Federal Law No. 242. We will try to answer the most typical questions, including the main one: "What should you do to avoid ending up in these percentages?"



For those not familiar with it, a short FAQ follows below the cut.



Since September 1, 2015, the provision on localizing the storage and certain processing operations for personal data has been in force in the Russian Federation. It is defined in Federal Law No. 242 of July 21, 2014 “On Amendments to Certain Legislative Acts of the Russian Federation Regarding the Clarification of the Procedure for Processing Personal Data in Information and Telecommunication Networks”.



Law No. 242 made a number of changes, including on the issues that interest us here. In Article 1, Federal Law No. 242 supplemented the Federal Law of July 27, 2006 No. 149 “On Information, Information Technologies and Information Protection” with a new Article 15.5, “Procedure for restricting access to information processed in violation of the legislation of the Russian Federation in the field of personal data”.



In accordance with Part 1 of Article 1, an automated information system, the Registry of Violators of Rights of Personal Data Subjects, was created to restrict access to information on the Internet that is processed in violation of the legislation of the Russian Federation in the field of personal data. The legislator established that the basis for entering a domain name or the URL of an Internet page into the Registry of Violators is a court decision that has entered into legal force recognizing the dissemination of information containing personal data as violating the requirements of Federal Law No. 152, as well as the rights of the personal data subject to privacy and to personal and family secrets.



As we know, this whole system is already working. As an example, here is one of many similar court decisions.



By the decision of the Simonovsky District Court of Moscow dated 02.06.2016 in case No. 2-5818/16, the activity of the Internet resource http://zvonki.octo.net, which provided an unlimited circle of persons with access to citizens' personal data (full name, telephone number, address, passport details) without appropriate consent, was recognized as illegal. The court also ordered Roskomnadzor to take measures to restrict access to information on the Internet processed in violation of the legislation of the Russian Federation in the field of personal data by entering this site into the Registry of Violators.

Part 3 of the same article defines Roskomnadzor as the body authorized to create and maintain the Registry of Violators.



The statistics of the “Registry of Violators” shows that 50% of the owners of sites included in the “Registry of Violators” voluntarily eliminate violations of the legislation of the Russian Federation in the field of personal data.



The second article introduces changes to two articles (Art. 18, 22) of Chapter 4 “Operator Responsibilities” and one article (Art. 23) of Chapter 5 “Control and Supervision of the Processing of Personal Data. Responsibility for Violation of the Requirements of This Federal Law” (Federal Law No. 152).



Part 1 of the second article also amends Article 18 “Operator Responsibilities when Collecting Personal Data” of Federal Law No. 152: when collecting personal data, the operator is obliged to perform certain types of personal data processing in databases located in Russia. These types of processing are: recording, systematization, accumulation, storage, refinement (update, change), and extraction of personal data of citizens of the Russian Federation. In other words, the operator is obliged to perform virtually any action with PD using databases located in the territory of the Russian Federation.



This requirement will be discussed further.



Who does this measure concern?



Let us reply with the comment of the Ministry of Communications and Mass Media: "... the responsibilities for localizing individual personal data processing processes apply to foreign operators, provided they carry out targeted activities on the territory of the Russian Federation and there are no exceptions expressly indicated in Part 5 of Article 18 of the Federal Law “On Personal Data” (for example, an international treaty, for which purposes the processing is carried out)."

In general, yes: everyone who works with our fellow citizens, i.e. both ours and yours.



And what should we do if we have already collected data and store it abroad?



You can keep it there, but if you need to work with this data, the database, along with the processing results, will have to be placed in Russia. That is how the law is currently interpreted.



What if the data is physically stored in Russia, but processing is carried out abroad?



The law, with certain reservations, allows it (cross-border transfer and all that). But the main thing to remember is that the results of this processing must also first reach the database on our territory. That is, roughly speaking, the database on our territory should always be "fuller, higher, stronger"!



How is it determined that a foreign site works with Russia?



At this stage, work with Russia is defined as follows:



1) use of a delegated domain name associated with the Russian Federation (.ru, .., .su), and/or

2) the presence of a Russian-language version of the Internet site created by the owner of such a site or on his behalf by another person (the use of plug-ins on the site or by the user, providing functionality of automated translators from different languages, should not be taken into account);

3) the possibility of executing an agreement concluded on such an Internet site on the territory of the Russian Federation (delivery of goods, provision of services or use of digital content in Russia).

In general, this issue is still being worked out, so wait for the next versions! How like our lawmakers :)



We have already filed a notification with Roskomnadzor as a PD operator. Do we need to do anything else?



It is high time!



... Operators, details of which have already been entered in the Registry of Operators, in accordance with Part 7 of Article 22 of Federal Law No. 152-FZ, should send an Information Letter on amending the Operator’s information in the Registry of Operators with information on the location of the database of information containing personal data of citizens of the Russian Federation ...


So what should you do?



If your databases are stored in Russia, then first of all submit a notification to Roskomnadzor and enter the address where these databases are located in the additional fields. Just be careful: many errors occur because the name of the country is entered and the detailed address is forgotten.





Below is a link to the electronic notification form, so you do not have to search for it.



"Information letter on making changes to the information in the register of operators engaged in the processing of personal data": https://rkn.gov.ru/personal-data/forms/p333/



If the databases are still abroad, then it is time to at least think about localizing them, for example in the cloud. Many industry giants (Microsoft, Samsung, Lenovo, Aliexpress, Ebay, PayPal, Uber, Booking.com), as we know from the media, did so long ago. I do not think users are pleased to see this message when accessing their favorite site.





However, not all foreign companies are in a hurry to do this. Earlier, the head of Roskomnadzor, Alexander Zharov, told reporters that Facebook would stop working in Russia, as the social network LinkedIn did, if it does not comply with the law on personal data; this could happen in 2018. Later, a representative of the agency, Vadim Ampelonsky, added that in 2017 no control measures regarding Facebook's activities in Russia were planned.



“Facebook has a significant audience in Russia, but it is not a unique resource. Roskomnadzor takes this into account when interacting with the company, leaving the priority of its own activities to strictly comply with the Russian legislation by all market participants,” he said in a conversation with TASS.

It is also worth remembering that if personal data is transferred abroad for a specific task, then the receiving party (if it is not in a member state of the Council of Europe Convention No. 108 on personal data protection, adopted by most European countries, including Russia, and in particular not ratified by the United States) must provide written confirmation that it ensures the security and proper use of the information received. Moreover, according to a comment by the Director of the Legal Department of the Ministry of Communications and Mass Media, Roman Kuznetsov, the conditions for confirming security completely coincide with the terms of the Convention.



Many of the questions organizations have about 242-FZ are closely tied to the specific conditions of their activities, and it is difficult to cover them all within one article. Ask your questions in the comments, and we will try to answer them in as much detail as possible.




Source: https://habr.com/ru/post/338882/


