FEDERAL SERVICE FOR SUPERVISION IN THE SPHERE OF

FEDERAL SERVICE FOR SUPERVISION IN THE SPHERE OF TELECOM, INFORMATION TECHNOLOGIES AND MASS COMMUNICATIONS (ROSKOMNADZOR) Practice of the Authority for rights protection of the personal data subjects in the Russian Federation © ROSKOMNADZOR, 2013

RF Federal Assembly The President of the Russian Federation Function of Russian PDA public control (supervision) of conformity of personal data processing to the requirements of the legislation of the Russian Federation in the field of personal data Function of Russian PDA ROSKOMNADZOR keeping a register of operators processing personal data judicial claims activities international co-operation with the authorities to protect the rights of personal data subjects in foreign countries processing applications of personal data subject, making decisions by the results of this processing within their powers Protections citizens rights and legitimate interests sending annual Reports on the activities of the authority to the President of the Russian Federation, to the Government of the Russian Federation and Federal Assembly of the Russian Federation 2 слайд preparation of proposals for improving the legal and regulatory framework for the protection of rights of personal data subjects Government of the RF

Organization Chart of the Russian DPA for rights protection of personal data subjects Head of ROSKOMNADZOR Deputy Head of ROSKOMNADZOR Administration of rights protection of the personal data subjects Department of maintenance of the operators registry responsible for the personal data processing Department of law and methodical support Department of the personal data processing correspondence control 70 local bodies of ROSKOMNADZOR Total number of employees – 284 Independently realizes the rights and duties Possesses necessary labor, organizational, technical and financial resources Have its own independent budget 2011 -2578236. 4 th. RUR (≈62 ml. €) 2012 -10491353. 6 th. RUR( ≈250 ml. €) 2013 -11038400. 2 th. RUR (≈263 ml. €) 3 слайд This status corresponds to the principle of independence of the authorized body, put in the text of the Additional protocol ETS № 181 to the Convention of the Council of Europe ETS № 108

Fundamental legislative and regulatory acts Council of for the protection of individuals with regard to automatic processing of personal data of European Convention for of 28 January 1981 ETS No 108 and its Additional Protocol ETS ETSNo No 181 of 28 January 1981 ETS No 108 Directive 95/46/ЕС of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Directive 97/66/ЕС European Parliament and of of the Council of of 15 15 December 1997 concerning of personal Directive 97/66/ЕС of the European concerning the processing of data and protection of privacy in the telecommunication sector data and protection of privacy Federal Law of 27 July 2006 N o 152 -FZ «On Personal Data» » Federal Law of 27 July 2006 No 152 -FZ « The federal law “On personal data” was amended in in July 2011 federal law, terms The federal law “On personal data” 2011 with a view of clarifying the scope of the federal and definitions, used in the law, principles and conditions of personal data processing. Previous legislative rules, related to to the conditions of state control, security of personal data processing, rights and duties of the personal data operator, as well as interrelations between operator and subject of personal data were considerably amended. RF Government Resolution of November 1 st, 2012 No 1119 «On approval of the requirements for the protection of personal data during their processing in the personal data information systems » data during their processing in the personal data information systems» RF Government Resolution of September 15, 2008 No 687 «On approval of Regulations for Processing Personal Data without using automation» RF Government Resolution of of July 6 6 , 2008 No No 512 « «On approval of requirements to to the biometric personal data physical storage RF Government Resolution On approval of media and such data (outside informational systems) ) storage technologies» » media and such data (outside RF Government of the Russian Federation of March 21, 2012 of No 211 «On the approval of the list of the measures for ensuring implementation of the Federal law «On personal data» implementation and related municipal regulatory legal actss» ensuring implementation of the Federal law «On personal data» Order of the Ministry of Communication and Mass Media of the Russian Federation of November 14, 2011 No 312 “On approval of the Administrative provision of control procedure by the Federal Service for supervision in the sphere of communications, information technologies and mass communications while federal state control of the correspondence of personal data processing with the Russian Federation legislation requirements in the sphere of personal data” (obtained state registration 13 ) registration 13 December 2012, No 22595) 4 слайд Order of the Ministry of Communication and Mass Media of the Russian Federation of December 21, 2011 No 346 “On approval of the Administrative provision by the Federal Service for supervision in the sphere of communications, information technologies and mass communication for the state function execution “Maintenance of of the operator registry responsible for the technologies and mass personal data processing” ( 2 No personal data processing” (obtained state registration as of 29 March 2012 No 23650)

Comparative analysis of Russian legislation and European trends in sphere of personal data The lastest European trends in sphere of personal data Less of obligatory requirements Promote self-regulation and coregulation Pseudonymous data (the depersonalized data) Risk-based approach Increasing focus on data minimization Federal Law № 152 -FZ «On personal data» and normative legal acts Part 1 Article 18. 1 «An operator shall independently determine the composition and range of measures which are necessary and sufficient to ensure the fulfillment of the obligations laid down in this Federal Law and normative legal acts adopted in accordance with this Federal Law» The methodical recommendations to personal data depersonalization have been adopted the order of Roskomnadzor № 326 as of March 27 th, 2013 and are being undergone the procedure of state registration in Ministry of Justice of Russian DPA developed the draft Federal Law On Modification of the Administrative Offences Code of the Russian Federation (More detailed information on a slide 11) Russian DPA developed offers on minimization of personal information processed by data controllers The analysis of latest European trends in sphere of personal data shows that this trends are, in the majority, provided by new edition of the Federal Law «On personal data» and normative legal acts adopted in accordance with this Federal Law. It confirming that in Russia the system of the national legislation in sphere of personal data almost completely corresponds to the all-European requirements and approaches is created and won't demand soon essential changes 5

Approaches to the state control (supervision) in the field of personal data Planning of priority categories of operators Unification of approaches to control and supervising activity Implementation of remote control Improvement of a condition of protection of the rights of subjects of personal data Realization of measures of preventive character 6

Dynamics of the appeals received by the Russian DPA From the moment of imposing powers to protect the rights of personal data subjects Roskomnadzor has examined more than 12 000 applications of citizens 5677 6000 3920 Appeals received 5000 4000 1829 31% 3000 3720 2000 146 465 688 8317 1000 3 /2 31 3/ 20 1/ 01 12 11 10 20 09 20 20 /3 proved to be true 12 not proved to be true 20 69% 08 0 слайд 7

Main results of activity (state control and supervision) 5831 personal data inspections were carried out from the moment of empowering Roskomnadzor to protect personal data subject rights, 6363 instructions on elimination of detected infringements in the field of the personal data were issued, 14452 administrative offense reports were drawn up by courts based on the materials presented by Check Roskomnadzor, penalties amounting more than 23 million RUR were imposed 6000 5359 4901 5000 4000 3000 2250 1537 2000 36% 2231 2094 1370 1000 3737 322 254 0 2011 Inspections 64% 2012 Regulations issues 3/31/2013 AO protocols 8 слайд scheduled inspections unscheduled inspections 1147

International efforts to curb Improper dissemination of personal data During two years the Russian DPA was submitted 109 inquiries to support the termination of the delegation or deletion of the personal data for 118 internetresources to 15 foreign countries 9 слайд Support is given in 62 cases, among them, activity of 34 internet-resources was ceased and in 28 cases the information contained the personal data was removed (more than 50% from total number of internetresources)

The order of Roskomnadzor «About the approval of the list of the countries which aren't the party of the Convention of the Council of Europe about protection of individuals at automated processing of personal information, personal information providing adequate protection» Followed the criteria when preparing the order Availability of national legislation and (or) corresponded to provisions of Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data adopted branch-wise regulations (standards) in the sphere of processing and personal data protection List of the countries which personal information providing adequate protection Availability of sanctions and legal remedies provided Availability of the DPA 10 слайд Rendering of assistance in suppression of illegal activity on processing of personal data in the subordinated territory and (or) in recovery of violated rights and legitimate interests of citizens of the Russian Federation on the basis of appeal of the Russian DPA

Initiatives of the Russian DPA for modification of the legislation of the Russian Federation Introduction of new sets of administrative offenses with qualifying characteristic that stipulates bodily injury to the citizen Modification of the Code of the Russian Federation about Administrative Offences (The bill in the prescribed manner was submitted to the Government of the Russian Federation on a point of order of the Federal Law adoption) Investment of Russian DPA with powers on investigation of new sets of administrative offenses Increase in penalties. The maximum amount of fine for violation of legislation in the sphere of personal data is established by the bill in the amount of 700 thousand RUR (≈17 thousand euro) which is equivalent, as a whole, of a level of the fine sanctions adopted in the European countries слайд 11

Initiatives of the Authority for modification of the legislation of the Russian Federation Modification of the Code of civil procedure of the Russian Federation The order of Roskomnadzor № 326 as of March 27 th, 2013 «About the approval of the methodical recommendations to personal data depersonalization» (It is being undergone the procedure of state registration in Ministry of Justice of Russia) Establishment of exclusive jurisdiction to vessels of the Russian Federation of affairs on violation by foreign persons of the rights and legitimate interests of citizens of the Russian Federation as subjects of personal data. The proposals were supported by the Government of the Russian Federation and undergo now the procedures of coordination and adoption of the corresponding bill. Methodical recommendations establish ways and methods of a depersonalization of personal data in the state and municipal information systems as with development in Russia of the electronic government in information systems of authorities a large volume of personal data including being sensitive for citizens. слайд 12

Participation of Russian DPA in the international activity European Union Russian DPA agreed the Draft Agreement on the drug precursors between the Russian Federation and EU Realization of common actions on transition to the visa-free regime for shortterm journeys of the Russian and EU citizens OECD The implementation of the events plan in the frameworks of preparation to the Russian Federation' joining to the Organization for economic cooperation and development (OECD) Roskomnadzor Eurojust The negotiations on the Draft Agreement between Russia and Eurojust Europol The negotiations on the Draft Agreement between Russia and Europol слайд 13

International Conference «Protection of personal data» (Moscow, Russia) 2010 -2012 years participants: Albania, Armenia, Azerbaijan, Belarus, Bosnia and Herzegovina, Bulgaria, Chile, Croatia, Czech Republic, Estonia, Germany, Hungary, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Macedonia, Moldova, Montenegro, Ukraine, Poland , Romania слайд 14

15