Although, unlike the GDPR, Russia’s Personal Data Law does not clearly distinguish the concepts of data controller and data processor, there is a draft amendment to Russia’s law which, if adopted, would introduce these concepts.
So, what does the Russian Personal Data Law say about the roles of personal data controller and processor and how these concepts could help manage the Russian personal data localization requirement, especially in regards to cross-border personal data transfers?
In determining the parties involved in personal data processing, Russia’s Personal Data Law refers only to a “data operator,” which it defines as a person who, independently or in cooperation with others, organizes and/or processes personal data as well as determining the purposes and scope of personal data processing. This definition is rather unhelpful, because it suggests that with respect to the same set of personal data a company could be regarded as both controller and processer within the GDPR’s meaning of these concepts (although it is unusual, under the GDPR, to have one company act in both roles simultaneously with respect to the same set of personal data).
Furthermore, Russia’s Personal Data Law, while setting out the requirements on personal data processing and the relevant obligations of the parties involved, usually refers only to the obligations of a data operator, suggesting, at first sight, that it does not distinguish between a controller and a processor in the GDPR-sense.
However, the Law, though in a rather non-evident manner, provides that apart from a personal data operator there might be a de facto separate data processor. The Russian Personal Data Law allows a personal data operator to “assign” the processing of personal data to a third person based on a contract and provided that the consent of the data subject is obtained. It is notable that, at the same time, the Law requires that any such processor follow all the requirements of the Personal Data Law.
This ambiguity in the separation of the legal roles between a data operator (controller) and a data processor, as well as the absence of comprehensive regulation of relations between the two, results in many complications in practice. A clearer distinction between the concepts of data operator and data processor would help resolve many practical issues.
For instance, there is a rather unique feature in the Russian personal data regulations – the data localization requirement. Although the Russian Personal Data Law does not per se prohibit the cross-border transfer of personal data, according to the localization requirement during the process of the collecting of personal data, including collection via Internet, a data operator must provide that a record, and the organization, accumulation, storage, update, and retrieval of personal data of citizens of the Russian Federation is held on databases located within the Russian Federation. In certain cases, this obligation also applies to those foreign companies who do not have a corporate presence in Russia but who target the Russian market and Russian customers via the Internet.
Although the Russian personal data regulator has announced that the Russian Personal Data Law does not have exterritorial effect, and that once personal data has crossed the Russian border, it shall be regulated by the jurisdiction of the place of destination, recent developments in the Twitter case – in which Twitter Inc. (California, USA) was fined for failing to localize the personal data of Russian citizens in Russia – confirmed that Russian authorities intend to apply this specific requirement extraterritorially.
Thus, if a foreign company wishes to comply with the Russian localization requirement, engaging a local data processor with a clear role and legal status to ensure that the personal data of Russian citizens are first processed locally and only then transferred abroad to a data operator might be an option. Moreover, introducing the concept of data processor to Russian law would not only help eliminate the current legal ambiguity but would also promote local data processing business.
By Eldar Mansurov, Leader of Regulatory and Compliance, Peterka & Partners Moscow
This Article was originally published in Issue 7.5 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.
