COMPARING PRIVACY LAWS: GDPR V. RUSSIAN LAW ON PERSONAL DATA

Introduction

The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the Federal Law of 27 July 2006 No. 152-FZ on Personal Data ('the Law on Personal Data') both aim to guarantee protection for individuals' personal data and apply to organisations that collect, use, or share such data.

In particular, both laws share similar provisions, for example, in relation to legal basis for processing. Under both the GDPR and the Law on Personal Data, data processing shall only be lawful if the data subject has given consent to processing, where processing is necessary for the performance of a contract, as well as for compliance with a legal obligation, among other things. In addition, the GDPR and the Law on Personal Data both outline fairly consistent cross-border data transfers obligations, providing that such transfers only take place to countries ensuring an adequate level of protection. Moreover, both laws are fairly consistent in relation to the appointment of a data protection officer ('DPO').

However, the Law on Personal Data differs from the GDPR in some significant ways, particularly with regard to definitions, controller and processor obligations, and territorial scope. Where the GDPR provides for the definition of both data controller and processor, the Law on Personal Data only refers to operators. The GDPR also grants special protection to children's personal data and sets out the minimum age of consent with regard to information society services, as well as appropriate measures for providing information to children. The Law on Personal Data does not grant special protection to children's personal data or outline similar specific requirements on the same.

Unlike the GDPR, the Law on Personal Data does not provide particular provisions on territorial scope. The GDPR outlines specific provisions on extraterritorial scope and applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the offering of goods or services or the monitoring of behavior.

The GDPR and the Law on Personal Data also differ greatly in terms of penalties, both financial and otherwise. The GDPR provides significantly larger financial penalties, of up to €20 million or 4% of global turnover, compared to those provided by the Code of Administrative Offences of the Russian Federation of 30 December 2001 No. 195-FZ ('the Code of Administrative Offences'), in which the maximum single administrative fine for violation of the Law on Personal Data is RUB 18 million (approx. €260,000). In addition, unlike the GDPR, the Law on Personal Data establishes that DPOs may incur administrative liability for non-compliance with the Law on Personal Data.

Notably, the Parliament of Russia adopted, in December 2020, Federal Law of 30 December 2020 No. 519-FZ on Amendments to the Federal Law on Personal Data, which amends the Law on Personal Data to introduce the concept of publicly available data. These amendments will enter into force partly on 1 March 2021 and partly on 1 June 2021.

This guide aims to assist organisations in understanding and comparing the relevant provisions of the GDPR and the Law on Personal Data, to ensure compliance with both pieces of legislation.

Structure and overview of the Guide

This Guide provides a comparison of the two pieces of legislation on the following key provisions:

1. Scope
2. Key definitions
3. Legal basis
4. Controller and processor obligations
5. Individuals' rights
6. Enforcement

Each topic includes relevant articles and sections from the two laws, a summary of the comparison, and a detailed analysis of the similarities and differences between the GDPR and the Law on Personal Data.

Key for giving the consistency rate

Consistent: The GDPR and Law on Personal Data bear a high degree of similarity in the rationale, core, scope, and the application of the provision considered.

Fairly consistent: The GDPR and Law on Personal Data bear a high degree of similarity in the rationale, core, and the scope of the provision considered; however, the details governing its application differ.

Fairly inconsistent: The GDPR and Law on Personal Data bear several differences with regard to scope and application of the provision considered, however its rationale and core presents some similarities.

Inconsistent: The GDPR and Law on Personal Data bear a high degree of difference with regard to the rationale, core, scope and application of the provision considered.

Usage of the Guide

This Guide is general and educational in nature and is not intended to provide, and should not be relied on, as a source of legal advice.

The information and materials provided in the Guide may not be applicable in all (or any) situations and should not be acted upon without specific legal advice based on particular circumstances.