The act requires operators to notify Roskomnadzor in case personal data have been transferred abroad and ensure an adequate level of protection.
Government Resolution No. 6 “On the approval of the Rules for making a decision on the prohibition or restriction of cross-border transfers of personal data by the authorized body for the protection of data subjects’ rights as well as the rules for informing operators of the decision made” has been published on the official website. This normative legal act was prepared pursuant to new legal requirements for personal data protection, the draft bill prepared back in September 2022. The act will come into force on March 1.
Personal data (PD) operators have been obliged to notify Roskomnadzor of cross-border transfers since September 1, 2022. The forms needed to submit such reports are already available on the agency’s website. Before a cross-border transfer starts, the operator must make certain that the foreign state whose territory serves as the destination for the PD transfer offers an adequate level of data subjects’ rights’ protection. Also, on grounds of the information submitted by federal executive bodies, Roskomnadzor can decide to prohibit or restrict cross-border transfers of PD.
“The key point is that the powers of Roskomnadzor have once again been broadened, or rather, it has gained some new ones. Essentially, monitoring of cross-border data transfers is nothing new, just think of the requirement that data be stored exclusively on Russian servers. However, controls are now being tightened both information- (notification is required) and administration-wise (Roskomnadzor will be watching),” believes Pavel Katkov, lawyer, economist and member of the Committee on Entrepreneurship in Media Communications of the Chamber of Commerce and Industry of the Russian Federation. “It will be clear how thorough the document is when it’s first put into practice. If there are any arguments, including those reaching trial, they will reveal inconsistencies, in case there are any.”
According to Sergey Nazarenko, head of the Big Data division of Reksoft, the document brings clarity to the procedure itself, sets a time frame and rules for imposing these restrictions and regulates the interaction with PD operators directly. To give a full-fledged assessment of the normative legal act, one should have legal expertise in law enforcement practice in PD transfer restriction cases and examine all the laws and procedures related to PD in a holistic manner.
Ilya Tikhonov, head of compliance and audit at the Information Security Department of Softline Holding, notes that organizations must substantiate the need to transfer personal data abroad to the regulator. That said, cross-border transfers to countries that do not offer an adequate level of data subjects’ rights’ protection can be restricted or prohibited, which can cause serious financial losses to businesses or even bring their operations to a halt.
Head of a division of the Competence Center for Information Security at T1 Integration Valery Stepanov points out that the document does not specify the criteria that Roskomnadzor officials will use to make decisions about the restriction or prohibition of cross-border transfers of personal data. Also, the document indicates that an operator must ensure an adequate level of the data subject’s rights’ protection but does not describe the toolkit that would allow to meet the requirement. It is worth noting that Resolution No. 6 does not change the procedure in a significant way but rather fleshes it out and appoints persons responsible at each phase of the process.