Personal data

This article has been written by Nehal Misra, from Nirma University, Ahmedabad, and Yash Kapadia. In it, the authors discuss the lack of jurisprudence in data protection law in India and draw a comparison with Russia.

Introduction 

“Data is the new oil” is a popular saying. In the 21st century, data has replaced oil as the most valuable commodity: five of the world’s most valuable companies, Amazon, Google, Apple, Microsoft and Facebook, are data businesses. The two commodities are alike in another way too. Crude oil is unusable in its raw form and must be refined and filtered through various processes to yield petroleum, diesel, kerosene, gasoline and the like; raw information likewise has to be processed and analysed before it becomes usable data, such as health information or geolocation and browsing information.

The Russian legal system is a code-based civil law system in the continental tradition. Legislation exists at both the federal and regional levels, and where the two conflict, federal legislation prevails. Data protection and privacy are regulated at the federal level. The Constitution of Russia, adopted in 1993, provides that every individual has a right to privacy and to personal and family secrets.

Russia’s data protection laws, first enacted in 2005 and 2006, are developing rapidly. Most importantly, Russia adopted its first major law regulating data privacy, the Federal Law on Personal Data of 27 July 2006 (the Personal Data Law), which is the backbone of Russia’s privacy legislation. The Personal Data Law covers almost all aspects of data protection, i.e.

  • The concept and meaning of personal data.
  • The types of data that can be collected and processed.
  • How and in what cases data may be collected and processed, and
  • What technical and organisational measures must be applied by companies or individuals that collect data.

In the course of this article, we shall examine the important segments of Russia’s data protection laws and the legal action Russia has taken against big-tech companies such as WhatsApp for violations of its data privacy rules.

Background

Data may be broadly divided into public data and private (personal) data. Public data, such as court records and birth records, is accessible to the general public. In India, no clear guidelines regulate the processing of personal data. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, however, require a body corporate, or any person processing personal information on its behalf, to provide a privacy policy. The Personal Data Protection Bill, 2019, which is before Parliament, proposes seven principles with which the processing of personal data must comply: (i) the processing of personal data must be fair and reasonable; (ii) it must be for a specific purpose; (iii) only the personal data necessary for that purpose may be collected; (iv) it must be lawful; (v) the individual must be given adequate notice of the processing; (vi) the personal data processed must be complete, accurate and not misleading; and (vii) personal data may be stored only for as long as reasonably necessary to fulfil the purpose for which it is processed.

The 2011 Rules also define “sensitive personal data or information”. It means personal information consisting of: (i) passwords; (ii) financial information such as bank account, credit card, debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; and (vii) any detail relating to the above that is provided to a body corporate for the provision of a service. Sensitive personal data or information does not include information that is freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005 or any other law in force. The PDP Bill proposes a broader definition of sensitive personal data that also covers income, caste, race, and religious or political beliefs and affiliations.

Private data, on the other hand, is confidential to an individual or organisation and cannot be disseminated by others without the data subject’s prior permission. It includes financial details, family details, psychological characteristics, location and travel history, behaviour, abilities, aptitudes, photographs, and so on.

India has adopted a unique biometric identification number for residents, called ‘Aadhaar’, governed by the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and the rules and regulations made under it. Entities in regulated sectors such as financial services and telecommunications are subject to confidentiality obligations under sectoral laws, which require them to keep customers’ personal information confidential and to use it only for specified purposes or in the manner agreed with the customer.

Beyond these, personal data is protected through indirect safeguards developed by the common law courts, principles of equity and the law of breach of confidence. In Justice K.S. Puttaswamy & Another vs. Union of India, delivered in August 2017, the Supreme Court recognised the right to privacy as a fundamental right under Article 21 of the Constitution. The Court accepted “informational privacy” as a facet of the right to privacy and held that privacy protection (the “Privacy Judgment”) extends to a person’s information and to the right to control access to it. The Court declared that every individual should have the right to control the commercial use of his or her identity, and that from this right emanates the “right of individuals to use their identity and personal information exclusively commercially, to control the information available on the Internet about them and to distribute such personal information for restricted purposes only.”

Fundamental rights are enforceable only against the State and its instrumentalities, and the Supreme Court accepted in the same judgment that protecting the right to privacy against private persons may require legislative intervention. Consequently, the Government of India formed a committee to propose a draft data protection statute. The committee proposed draft legislation, on the basis of which the government introduced the Personal Data Protection Bill, 2019 (“PDP Bill”). If enacted, it would be India’s first dedicated personal data protection law and would repeal Section 43A of the IT Act.

Entry into force

Personal Data Protection Bill

In July 2017 the Ministry of Electronics and Information Technology constituted a committee, headed by Justice B. N. Srikrishna, a former Supreme Court judge, to study data protection issues. In July 2018 the committee submitted its report together with a draft Personal Data Protection Bill, 2018. After further deliberation, the Union Cabinet approved the Personal Data Protection Bill, 2019 on 4 December 2019, and it was tabled in the Lok Sabha on 11 December 2019. The Bill was then referred to a Joint Parliamentary Committee (JPC), which has been examining it since 17 December 2019 in consultation with various stakeholders; a revised draft was expected to be released in 2020. The Bill will then need to be passed by both Houses of Parliament and published in the official gazette before it becomes law. The Bill sets out mechanisms for the protection of personal data and proposes the establishment of a Data Protection Authority of India. The 2019 Bill includes some crucial provisions that the 2018 draft did not, such as the power of the central government to exempt any government agency from the Bill, and a right to be forgotten. Even after enactment, the legislation is likely to be brought into force in a staggered manner; no timeline for implementation has been announced.

The revised Bill was criticised by Justice B. N. Srikrishna for turning India into an “Orwellian state”. Justice Srikrishna said, “Government can access data from private data or government agencies on grounds of sovereignty or public order at any time. That has dangerous implications.” A think tank shares this view in its comments. Apar Gupta of the Internet Freedom Foundation notes that “Privacy is mentioned only once in this voluminous document — 49 references to ‘security’ and 56 references to ‘technology’”, implying that the Bill does not do enough to protect the privacy of the individual. Internationally, fresh criticism has come from an advisor to a group proposing an alternative text, and a reasonably critical review is available from a scholar working with an American co-author in India. On several fronts, the role of social media intermediaries is being more tightly regulated.

Governing laws on data protection in Russia

Fundamental provisions of data protection law in Russia can be found in the Russian Constitution, international treaties and specific laws enacted over the years. The following are some of the major laws on data protection: 

Russian Federal Law on Personal Data

This is the key law governing data protection in Russia. It was adopted in July 2006, following Russia’s 2005 ratification of the Council of Europe’s Strasbourg Convention (Convention 108). In its own words: “This Federal Law regulates activities related to the processing of personal data by federal state government bodies, state government bodies of constituent entities of the Russian Federation and other state bodies, by local government bodies, by legal entities and physical persons, both automatically, including in data telecommunications networks, and manually, provided that manual data processing is by its nature similar to automatic data processing, i.e. allows users to search personal data recorded on a tangible medium or contained in card-catalogues or other systematised collections of personal data in accordance with a specified algorithm and (or) to have access to such personal data.”

In general, it requires data operators to take all necessary legal, organisational and technical measures to protect personal data against unlawful or accidental access.

The Personal Data Law was amended with effect from 1 September 2015 to require data operators that collect the personal data of Russian citizens to store and process it in databases located in Russia. Non-Russian companies holding information about Russian citizens were likewise required to comply with the new rules or face the prescribed penalties.

Article 23 and 24 of the Constitution of Russian Federation

Article 23 states that everyone shall have the right to privacy, to personal and family secrets, and to privacy of correspondence, telephone conversations and other communications, which may be limited only on the basis of a court order.

Article 24 states that collecting, storing, using or disseminating information about a person’s private life without their consent is not permitted, and that state and local government bodies shall give citizens access to documents and materials directly affecting their rights and freedoms, unless otherwise provided by law.

Federal Law on Information, Information Technologies, and Protection of Information

This law, enacted in 2006, contains the principal national provisions on information and its protection. It defines the general terms used in the field of data protection and privacy, and governs people’s right of access to information and the restrictions on that access, the documenting and supply of information, and other state-related uses of information in Russia.

Russian Labour Code

Chapter 14 of the Labour Code provides for the protection of employees’ personal data. Employers must obtain an employee’s written consent before transferring the employee’s personal data to third parties, for example when data must be shared within a corporate group or with a merging company. Where the employer has a legitimate interest or is required by law to disclose certain information, the transfer may be made without the employee’s consent, as provided by law.

Data protection laws in India

Data protection refers to the set of privacy laws, policies and procedures aimed at minimising the intrusion into a person’s privacy caused by the collection, storage and dissemination of personal data. Personal data generally means information relating to a person who is identifiable from that information, whether it is collected by a government body or by a private organisation. The Constitution of India does not expressly grant a fundamental right to privacy; the courts have instead read the right to privacy into other fundamental rights, namely the freedom of speech and expression under Article 19(1)(a) and the right to life and personal liberty under Article 21. These fundamental rights are subject to the reasonable restrictions that the State may impose under Article 19(2). In the landmark case Justice K S Puttaswamy (Retd.) & Anr. vs. Union of India and Ors. (2017), a nine-judge Constitution Bench of the Supreme Court held the right to privacy to be a fundamental right, subject to reasonable restrictions.

India does not have clear, dedicated regulation of data security or privacy. A few enactments touch on data security, notably the Information Technology Act, 2000 and the Indian Contract Act, 1872, but there is an urgent need for a codified data protection law. The IT Act, 2000 deals with civil liability for compensation as well as criminal punishment for breaches of personal data through misrepresentation or misuse. Under Section 43A of the IT Act, a body corporate that possesses personal data and, through negligence in implementing and maintaining reasonable security practices, causes confidential personal data to be disclosed is liable to pay damages to the person affected.

The Government has notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. The Rules deal only with the protection of “sensitive personal data or information” of a person, meaning personal information relating to:

  • Passwords;
  • Financial information such as bank account or credit card or debit card or other payment instrument details;
  • Physical, physiological and mental health condition;
  • Sexual orientation;
  • Medical records and history;
  • Biometric information.

The Rules prescribe the reasonable security practices and procedures to be followed by a body corporate, or by any person who on its behalf collects, receives, possesses, stores, deals with or handles information. In the event of a breach, the body corporate (or the person acting on its behalf) may be held liable to pay damages to the person affected. Every body corporate must maintain reasonable security practices and procedures. A body corporate, or a person acting on its behalf, is deemed to have complied where it has implemented such practices and standards and has a comprehensively documented information security programme and policies containing managerial, technical, operational and physical security control measures commensurate with the information assets being protected. The Ministry listed the IS/ISO/IEC 27001 standard on “Information Technology-Security Techniques-Information Security Management System-Requirements” as one such standard. Bodies corporate that follow other codes of best practice must have them approved and notified by the Central Government. A body corporate is expected to have its security practices and procedures certified or audited by an independent auditor approved by the Central Government at least once a year, or whenever its computer resources are significantly upgraded.

Under Section 72A of the IT Act, 2000, a person who, while providing services under a lawful contract, intentionally discloses personal information obtained in the course of that contract, without the consent of the person concerned and knowing that it is likely to cause wrongful loss or gain, is punishable with imprisonment for up to three years, a fine of up to Rs 5,00,000, or both. It should also be noted that Section 69 of the IT Act, which constitutes an exception to the general rule of privacy and confidentiality of records, provides that if the Government is satisfied that it is necessary or expedient in the interests of:

  • the sovereignty or integrity of India,
  • defence of India,
  • security of the State,
  • friendly relations with foreign States,
  • public order,
  • preventing incitement to the commission of any cognizable offence relating to the above, or
  • the investigation of any offence,

it may, by order, direct any agency of the appropriate Government to intercept, monitor or decrypt, or cause to be intercepted, monitored or decrypted, any information generated, transmitted, received or stored in any computer resource.

The government may also require disclosure of information that ought to be disclosed in the public interest. Details of anti-national activities directed against national security, infringements of the law or of statutory obligations, and fraud fall within this category.

The latest amendment to the Russia’s Personal Data Law, 2021

Russia’s Personal Data Law, discussed above, was recently amended, with the amendments taking effect in March 2021. The amended version gives Russian citizens stronger rights over their data. The previous version allowed data operators to collect and use publicly available personal data without the data subject’s consent.

Under the new amendments, a data operator may make personal data publicly accessible, and use it after its original publication, only after receiving the data subject’s consent to the dissemination of their personal data. A new category, “personal data available to the public”, is defined as personal data to which an unlimited number of persons may have access on the basis of the data subject’s specific consent to its dissemination.

The rights of data subjects (the citizens) have also been significantly expanded: they now include the right of access to information, the right to be forgotten, the right to object to direct marketing and profiling, the right to object to data processing, the right to restriction of processing, the right to compensation for harm and the right to revoke consent.

The amended law includes a new Article 10.1, which sets out specific conditions and restrictions on the processing of personal data that is to be made publicly available.

On 24 February 2021, the President of Russia signed Federal Law No. 19-FZ on Amendments to the Russian Code of Administrative Offences, which came into force on 27 March 2021 and increased the penalties for breaches of personal data law. The administrative penalty for violations such as processing personal data without a legitimate legal basis or without a privacy policy is now up to RUB 150,000 (approx. €1,700) for a first offence and up to RUB 500,000 (approx. €5,600) for a repeat offence. Separate penalties apply to different types of offence, and fines can be imposed repeatedly, for example where separate administrative proceedings are initiated on the complaints of different individuals.

The Amendments also provide that the form and content of consent are to be established by the authorised agency responsible for protecting the rights of personal data subjects. That agency, the Federal Service for Supervision of Communications, Information Technology and Mass Media (‘Roskomnadzor’), is the principal data protection regulator and has the right to apply for a court order blocking access to a website through which a person processes personal data in violation of Russian data protection law. Roskomnadzor has published a draft order describing the form and content of consent in more detail, but to date the order has not been formally approved. More clarity is expected on the ambiguous provisions of the Amendments, such as the requirements for consent, and how the legality of subsequent dissemination is to be proved in cases of data leaks, force majeure, or where data is released without the data subject’s consent.


Lack of jurisprudence in India 

India’s data protection regime currently faces many problems, and much resentment, because of the lack of a proper legislative framework. Globally, cybercrime continues to explode. Stolen data is traded across continents, and in this technological era physical boundaries pose no restriction at all. India, as the world’s largest host of outsourced data processing, could become an epicentre of cybercrime, primarily because of the lack of appropriate legislation. The Data Security Council of India (DSCI) and the Department of Information Technology (DIT) also need to renew their efforts in this regard. The best approach, however, will come from sound statutory requirements combined with adequate awareness among the public and employees. It is high time India paid attention to data security. Cybersecurity in India is weak and needs rejuvenation; if even the cybersecurity of the Prime Minister’s Office can be compromised for months, we must wake up now. Data breaches and cybercrime in India cannot be minimised until strict cyber laws are implemented, and that cannot be done by simply declaring a cat to be a tiger. India’s cyber law also needs sound cybersecurity and effective cyber forensics to support it.

Indian IT and BPO companies manage and have access to confidential and personal data of individuals around the world, including credit card numbers, financial records and even medical histories. These businesses store sensitive data electronically, and it is exposed to their employees, among whom unscrupulous elements have misused it. Security vulnerabilities and data leaks have occurred at high-profile Indian firms, and recent data theft incidents in the BPO industry have raised data privacy concerns.

There is no specific data protection legislation in India. The Personal Data Protection Bill introduced in Parliament in 2006 has yet to see the light of day. That bill appears to build on the general basis of the European Union’s Data Protection Directive of 1995. It follows a comprehensive model, aiming to govern the collection, processing and distribution of personal data. Notably, its applicability is restricted to personal data as defined in clause 2 of the bill.

The Bill covers the data operations of both government and private bodies. It provides for the appointment of data controllers with general superintendence and jurisdiction over the subjects it covers, and it specifies that criminal sanctions may be imposed on offenders in addition to compensation for the victims. The Bill is a step in the right direction, but it remains pending for want of supporting documentation. Although the IT Act covers cyber and IT law in India and attempts to define the extent to which a party may access data stored on a device, it fails to meet the need for a strict data protection law.

The IT Act, 2000 has been amended to tackle cybercrime, and the amendment inserted two significant provisions with a strong bearing on the data protection regime: Sections 43A and 72A. But the data security and confidentiality requirements remain severely insufficient. Data theft incidents at BPOs have raised data privacy concerns in recent years, and the offshore industry, the media and the legal community question the safety of foreign data in Indian hands. The amendments are therefore more of a knee-jerk government reaction to recent data breaches and other incidents; India has been more concerned with cybercrime and e-commerce problems than with data security.

Recent amendments to the IT Act

Section 43A provides that if a body corporate possessing, dealing with or handling any sensitive personal data or information in a computer resource that it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, it is liable to pay damages by way of compensation. The term body corporate is broad enough to include a company, a firm, a sole proprietorship or any other association of individuals engaged in commercial or professional activities. Reasonable security practices and procedures means practices and procedures designed to protect information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified either:

(i) in an agreement between the parties; or

(ii) in any law for the time being in force; and, in the absence of such an agreement or law, as the Central Government may prescribe.

In particular, this means that the contracting parties can specify the level of protection they expect, and a disclosing party that falls short of it is liable to pay damages under the contract. The Amendment Act, however, did not itself define the term sensitive personal data or information; it merely provided that the term means such personal information as the Central Government may prescribe in consultation with such professional bodies or associations as it deems fit.

Section 72 is limited to information obtained by virtue of a power granted under the IT Act. Section 72A is wider: it applies to the disclosure, without consent, of a person’s personal information obtained while providing services under a lawful contract, and not merely to information obtained under powers conferred by the IT Act. The Amendment Act also inserted the term intermediary, which Section 72A uses: an intermediary, with respect to any particular electronic record, is any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to it, and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites and online auction sites.

The proper requirements for Indian law become clear when it is compared with the law of developed countries. The U.K. has its Data Protection Act 1998 (DPA), enacted to protect the privacy of individuals’ personal data. Under the Act, persons and organisations that hold personal data must register with the Information Commissioner, the official appointed to oversee the Act. The Act limits data collection: personal data may be obtained only for one or more specified and lawful purposes, and may not be further processed in any manner incompatible with those purposes.

Both the U.S. and the European Union are working to enhance the protection of their citizens’ privacy, but the U.S. takes a different approach from the EU. The United States has adopted a sectoral approach based on a mix of legislation, regulation and self-regulation, in which data is grouped into several classes according to its use and significance, and each class is given a different degree of protection. The IT Act’s provisions, by contrast, essentially deal with data extraction, data destruction and the like. Organisations cannot achieve full data security under it, which has forced them to sign separate private contracts to keep their data protected; those arrangements are enforceable only to the extent that any contract is.

The European Union has implemented a detailed Data Protection Directive in all its member states, and the US complied with the EU Directive through the Safe Harbor Agreement to encourage business with EU countries. It would be prudent for India too to comply with the EU Directive, as there is a great deal at stake. Despite the attempt to provide a law on data security as a separate discipline, our legislature left gaps in the 2006 bill. That bill was drafted entirely on the structure of the UK Data Protection Act, whereas today’s requirement is a comprehensive law; drafting based on US data protection laws may be more suited to today’s needs. Unauthorised use or transmission of credit data is subject to prohibitive fines: credit information may be used only to assess a prospective customer’s creditworthiness and may not be used or transferred to unauthorised persons for any other purpose. But the IT Act again protects only credit data, which is just one aspect of personal data.

Piecemeal legislation is insufficient; we require comprehensive data protection legislation that protects data subjects’ rights and strictly prohibits the use of collected data for any purpose other than that for which it was collected. The Information Technology Act, 2000 is not a dedicated law on data security or privacy and lays down no specific principles on data protection or privacy. It is a general law covering a range of subjects, such as digital signatures, public key infrastructure, e-governance, cyber contraventions, cyber offences and privacy, and it suffers from a ‘one Act’ syndrome. To compare the provisions of the Information Technology Act, 2000 with the European Data Protection Directive (95/46/EC), the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 1980, and the US Safe Harbor Principles would be erroneous.

The Information Technology Act, 2000 takes a piecemeal approach to data security and privacy. It lacks any real legal framework of the kind found in the EU Directive, the OECD Guidelines or the Safe Harbor Principles, such as a data protection authority or data quality principles, that adequately addresses data protection. The lack of data protection legislation is a huge blow to India’s outsourcing industry. Consumers in the United States and the European Union are protected by comprehensive privacy regimes, part of which is the obligation on companies not to transfer personal data to countries that do not provide adequate protection. European trade unions have accordingly cited data protection as an issue to be considered in many international outsourcing deals. This stops the flow of personal data, which has a very bad impact on our outsourcing industry.

Legal tussles with big-tech

Russia has consistently penalised anyone who has violated its data protection laws, given the importance of data used by third parties in modern times. In doing so, Russia has not spared even global billion-dollar giants like Google, Facebook and now WhatsApp.

2020

In 2020 a District Court in Moscow levied hefty fines to the tune of 4 million rubles (approx $54,000) on WhatsApp, as it refused to localise the data of Russian citizens on the territory of Russia. In the same week, Facebook was fined 15 million rubles (approx $202,769) and Twitter was fined 15 million rubles (approx $229,805). Like WhatsApp, they had also been fined 4 million rubles when they refused to transfer the servers holding Russian citizens’ data to the Russian Federation.4

2021

Russia then made further amendments to its Personal Data Law, effective from March 2021, the details of which have been discussed above in this article.

In 2021, a protocol was filed against WhatsApp in the Tagansky District Court of Moscow, which found it guilty under Part 8 of Article 13.11 of the Administrative Code of the Russian Federation. Roskomnadzor had summoned representatives of Facebook, WhatsApp and Twitter at the beginning of July 2021 after they violated certain provisions of the new law, and warned them of such administrative proceedings.

In the same week, Google was ordered to pay a fine of 3 million rubles for violating Russia’s new data law, which came into force on 1st July 2021. Article 10(4) of the Personal Data Law requires that “all recording, systematization, accumulation, storage, clarification and extraction of personal data of Russian nationals is collected with the use of databases located in the territory of the country.”5

This amendment made significant changes; data operators such as Facebook, Twitter and WhatsApp now require the consent of the data subject in order to make use of their publicly available data.

These operators now have to adhere to a set of obligations with respect to the data they collect, access and use.

Obligations of data operators

We have discussed the rights given to data subjects; Article 10.1 sets out the following obligations that every data operator has to adhere to:

  1. Data operators cannot disseminate publicly available personal data of Russian data subjects without those data subjects’ consent.
  2. Data operators are now obligated to publish information about the applicable processing conditions and restrictions, through an online or offline platform accessible to readers, within 3 days of receiving dissemination consent from data subjects.
  3. Data operators are required to adhere to the requirements for standard dissemination consent forms (which require the data subject to fill in their full name, address, registration number, the TIN of the data operator, etc.) specifying the data that will then be disseminated.
  4. Data operators are now required to appoint a Data Protection Officer (DPO) for the purpose of protecting and safeguarding the personal data of data subjects.
  5. Data operators bear sole responsibility for implementing a data protection policy, which must be posted and visible on the data operator’s website; all employees of the data operator must familiarise themselves with this policy and sign a confirmation of their knowledge of it.
  6. Data operators are required to notify the data subjects and the data protection authority, i.e. Roskomnadzor, in the event of a data or security breach.
  7. Data operators are responsible for complying with the restrictions on data transfers from Russia to third countries, by ensuring that adequate protection is given to the rights of data subjects.

Restrictions on transfer of Personal Data to different jurisdictions

The Personal Data Law imposes a local storage requirement that applies to all data operators that process the personal data of Russian citizens, regardless of their jurisdiction, including those conducting online business activity. Thus, when data operators collect personal data via the internet, they must record, arrange, accumulate, store, specify (update, change) or retrieve the personal data of Russian citizens using secure databases located in Russia itself. However, there are a few exceptions under Article 18(5) of the Personal Data Law, which are as follows:

  • the processing of data in order to achieve the objectives of international treaties or the implementation of an operator’s statutory powers and duties;
  • processing for state purposes;
  • processing for the professional activities of journalists or the lawful activities of mass media; or
  • scientific, literary or other creative activities, which may be performed directly in foreign databases.

As per Article 12, where a cross-border transfer of personal data arises, a data operator must, before such transfer, ensure that the rights and interests of the respective data subject are fully protected in an “adequate manner” in the corresponding foreign country.

All countries that are signatories to the Strasbourg Convention (ratified by Russia in 2005, it helps protect and enforce data protection at the international level) are legitimate jurisdictions that provide “adequate protection” of the rights and interests of data subjects.

Moreover, Roskomnadzor (the data protection authority in Russia) maintains an official list of countries that are not signatories to the Strasbourg Convention but nonetheless provide adequate protection for cross-border transfers of data.

When a data operator has obtained the consent of a data subject as required by the new Personal Data Law, the international transfer of that data to any jurisdiction with “adequate protection” is not subject to any restriction. In addition, the Personal Data Law sets forth special requirements for the cross-border transfer of personal data to countries that do not provide adequate protection. For more detailed information regarding the 2021 amendments to the Personal Data Law, one can read this article.

In plain terms for our readers, data controllers making personal data publicly available, so that third parties may further make use of it, shall:

  • obtain each data subject’s specific and clear consent individually, separate from any other consents;
  • give data subjects the freedom to choose which types of their personal data are to be made publicly available, and allow them to place restrictions on the use of such personal data;
  • give individuals the opportunity to revoke their consent to making their data publicly available with immediate effect; and
  • set out the boundaries (the “four corners”) for the use of their publicly available data and post such rules on their relevant web resources within three business days.

Third parties who plan to use publicly available personal data have the following options:

  • rely on the consent obtained by the data operator when making the data publicly available;
  • rely on the consent given by a data subject to Roskomnadzor through a dedicated online platform to be set up under the law, while also observing the rules on dissemination published by Roskomnadzor; or
  • ensure, on their own, that they have an appropriate legal basis for the use of such publicly available personal data.

The purpose of this as defined in the explanatory notes to the Amendments is to prevent “the collection and uncontrolled use of such personal data on websites for purposes different from the initial purpose for which it was disseminated”.6

Conclusion

India needs a legislative structure to maintain and promote the BPO boom, one that satisfies both the legal and public standards prevailing in the jurisdictions from which data is shipped to India. In practical terms, the greatest hurdle is for India to have its domestic data protection law formally adjudicated and widely viewed as adequate. Under its Data Protection Directive of 1995, the EU officially declares and lists the countries it deems adequate. So far, only a handful of countries, such as Argentina, Canada, Australia, and Switzerland, have made this white list. If India were also included in this list by enacting the necessary legislation, companies within the EU Member States would be able to export data to India without having to follow mandatory, complex, and tedious procedures.

Russia is one of the largest countries in the world and sits at the intersection of the continents of Europe and Asia. Russia’s amendments to its Personal Data Law had been in the making for quite some time but were delayed by the outbreak of Covid-19. Russia’s previous Personal Data Law contained provisions and requirements that were outdated by the standards of data protection needed to protect the privacy rights of data subjects in the current digital age. Bearing this in mind, the 2021 amendment to the Personal Data Law puts the regulation on the same footing as other recently passed data laws around the world, such as the EU’s General Data Protection Regulation.

Rather than merely being a service provider to corporate America and Europe, India sees itself as the location where these companies will grow. With a strong data security law, India could therefore expand far beyond being a mere service provider to multinational companies worldwide.
