Russian and international companies alike must comply with strict rules around the way that data is managed in, and in relation to, the Russian Federation and Russian citizens. Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media) has made it clear that these issues will be of increasing importance in the future.
Entities that are part of the Russian “critical information infrastructure” have onerous cybersecurity and breach reporting obligations under the Federal Law on the Security of the Critical Information Infrastructure of the Russian Federation (187-FZ of 2017), which passed into law in July 2017. This law regulates how domestic and foreign operators in the financial services, telecoms, transportation (including ports), energy, extractives, healthcare, chemicals and other sectors must protect their data. Persons covered by the law are required to establish adequate information security protections, and to report certain cyberattacks and similar incidents to regulatory agencies. This law is similar, but not identical, to the laws passed in the European Union and China: companies must therefore ensure their global cybersecurity programmes are compliant with Russian law.
Equally, there are significant restrictions on the gathering and processing of personal information of Russian citizens or residents. In particular, the Federal Law on Personal Data (152-FZ of 2006) regulates the conduct of those who process and use personal data within Russia and/or in relation to Russian citizens. A strong emphasis is placed on registration with the regulator, obtaining data subjects’ consent, and providing the data subjects access to the data upon request.
Eversheds Sutherland gives its clients practical compliance advice in this area. Where local regulations are ambiguous, we leverage the firm’s experience in other jurisdictions. This allows our clients to have defensible compliance policies in line with international best practice.