Russian Privacy Law 152-FZ

Federal Law 152-FZ was passed in July 2006 by the Russian State Duma. This was the most comprehensive privacy law passed to date in Russia, with implications across all forms of personal data collection. The most recent amendment, 266-FZ, was implemented on September 1, 2022. 266-FZ clarifies the previous requirements of 152-FZ (and subsequent amendments) to ensure that personal data processing via contract shall not restrict the rights of the data collection target due to the sharing of personal information [1].

Russian law describes personal data as any information about an individual “including first and last names, year, month, date and place of birth, address, marital, social and property status, education, occupation, income, and other information.” [2]. The original 152-FZ law covered any governmental body, legal entity, or organization that collects data about a Russian individual, including those processing data for commercial purposes. This does include foreign entities operating in Russia.

152-FZ is not considered to apply to personal data collected for personal familial purposes nor activities associated with Russian Federation State Archives. The Russian intelligence apparatus is also exempt as data collection is permitted in state secrets cases. Additionally, data collection on behalf of a Russian court is allowed without consent [3].

Additional guidance was provided by the Russian Ministry of Digital Development, Communications, and Mass Media in 2014 to clarify that an entity is viewed to be targeting Russian citizens for data collection if they utilize a .ru, .su, .moscow top-level domain or provide a Russian language localized version of their website [4]. This will invoke the protections in 152-FZ and require a lawful basis for data collection.

Russian law defines a lawful basis as:

1)    Data processing by a party that requires consent under the provisions of 152-FZ.

2)    Required by the Russian government.

3)    Required by a Russian court (criminal, civil, administrative, arbitrative)

4)    Required to perform a government function (including the judiciary)

5)    Required for a contract where the principal is a beneficiary.

6)    Related to professional journalistic, academic, or media need so long as the rights of the principle are not infringed upon.

7)    Required for the subject's interests is permissible if consent cannot be obtained.

Consent must be freely given and specific to the collection purpose. This consent must have unambiguous ramifications and requires informing the principle of the nature of the collection.

Consent can be revoked, which requires the data to be destroyed within ten working days.

Written consent is required for cross-border data transfer, sensitive personal data collection, biometric data, automated decision-making with data, and data transfer.

Data that is widely distributed may be subject to additional consent requirements. [5]

[1]        “Russia: Amendments to Law on Personal Data enter into effect,” DataGuidance. Accessed: Jan. 13, 2024. [Online]. Available: https://www.dataguidance.com/news/russia-amendments-law-personal-data-enter-effect

[2]        “Federal Law No. 152 FZ on personal data, 2006.” Accessed: Jan. 13, 2024. [Online]. Available: https://ihl-databases.icrc.org/en/national-practice/federal-law-no-152-fz-personal-data-2006

[3]        Federal Law No. 152 FZ on personal data.

[4]        G. & PARTNERS, “Data protection in the Russian Federation: overview.” Accessed: Jan. 13, 2024. [Online]. Available: https://www.gorodissky.com/publications/articles/data-protection-in-the-russian-federation-overview-2021/

[5]        “What To Know About The Russian Federal Law No. 152-FZ,” Securiti. Accessed: Jan. 13, 2024. [Online]. Available: https://securiti.ai/russian-federal-law-no-152-fz/