What is cross-border transfer of personal data?

With the development and globalization of the Internet, every day there are less and less territorial restrictions for carrying out commercial activities. Despite the rather difficult foreign policy situation, the number of domestic enterprises collaborating with foreign partners is constantly growing. The absence of territorial boundaries requires the introduction of uniform rules for the interaction of all participants in relations. In particular, this relates to the process of sharing personal information. Let us further consider how cross-border transfer of personal data is made.

2016 year

Currently, the legislation does not have clear rules for the exchange of information with foreign counterparties. Federal Law No. 152 served as the initial regulatory act in the field of communications. This law regulates the cross-border transfer of personal data. What it is? By this activity is understood the provision of personal information to the territory of a foreign state, to a foreign state authority, to an individual or legal entity. In 2014, Federal Law No. 242 was adopted. It was to enter into force on September 01. 2016. This regulatory act introduced some changes to the laws in terms of clarifying the rules for processing personal information in information and communication networks. However, Bill No. 596277-6 on the adjustment of Art. 4 of the Federal Law No. 242. In accordance with these amendments, the effective date was postponed to January 2015. Currently, therefore, the Federal Law No. 242 has been in force for more than a year.

Limitations

The Federal Law No. 152 establishes prohibitions under which cross-border transfer of personal data falls. These are restrictions related to ensuring the protection of the constitutional system of the Russian Federation, health, morality, interests and rights of the population, maintaining the security and defense capabilities of the state. Moreover, no other rules are established in the Federal Law No. 152. In particular, there are no conditions under which countries providing adequate protection of personal information could be limited to cross-border transfer of personal data. These are the states that act as parties to the ETS Convention No. 108, as well as those included in the list approved by Roskomnadzor by Order No. 274.

Exceptions

The Federal Law No. 152 defines cases where states that, despite the lack of adequate protection of personal information, may receive cross-border transfer of personal data. These are the situations:

1. Provided for in federal law, if the provision of information is required to protect the constitutional framework, ensure the security and defense of the country, the stable functioning of the transport infrastructure, protect the interests of society, the individual and the state from unlawful interference.
2. When an agreement is executed, the participant of which is the carrier of the information provided.
3. When it is necessary to ensure the protection of health, life and other most important interests of the subject of personal data, as well as other persons, if it is impossible to obtain the written consent of the first.
4. Provided in international agreements.
5. When consent is received for the cross-border transfer of personal data from the IPA entity.
   

Important point

If there is a permission from the PNA subject, in accordance with the Federal Law No. 152, cross-border transfer of personal data is allowed. This permission assumes that the person is notified that information relating to him personally will be provided to the foreign counterparty. The need to obtain such a document when sending information to countries providing adequate protection is not established in the normative act. However, it is important that the subject is informed by the operator of the proposed actions.

Public Policy

To avoid problems, the operator indicates:

1. Why cross-border transfer is made.
2. How much information is provided.
3. Persons who accept information.

The operator also notifies Roskomnadzor that a cross-border transfer of personal data will be carried out. This is done by filling in / making changes to the notice. The notification shall indicate the countries receiving the information. Before the start of information processing, the PND subject is notified of the upcoming operation. This provision is reflected in the policy, contract or other document with which the person will be able to familiarize.

Internal regulations

In local documents, the operator reflects:

1. Legal basis for the provision of personal information to foreign entities. In particular, a list of regulatory acts is provided on the basis of which information is processed and sent.
2. Rules for the cross-border transfer of personal data.
3. Description of measures and protective equipment, including technical and cryptographic ones.

Contract

The operator enters into an agreement with the organization that will carry out the cross-border transfer of personal data, which means that the processor accepts the obligation to maintain the confidentiality of information, comply with the requirements for the protection of information, and ensure their safety. The contract also indicates a list of actions performed by the parties.

Use of protective equipment

The responsibilities of the operator include a number of measures to prevent unauthorized access to personal information in the process of working with information. At the same time, the use of non-certified cryptographic protective equipment is allowed due to:

1. The requirements of the ETS Convention No. 108, Article 12.2 of which does not allow creating restrictions and introducing special control of information flows going to the territory of a foreign state, based on the principle of protecting the inviolability of private affairs.
   
2. The presence of special conditions for the export of funds from the territory of Russia, including encryption tools.
3. The specifics of the legislation of a foreign country into which cryptographic equipment is imported, the features of obtaining permits from relevant foreign authorities for this.

Federal Law No. 242

As mentioned above, in 2014 a law was passed that introduced amendments to a number of regulatory acts regarding the clarification of the rules for processing personal information in information and telecommunication networks. Federal Law No. 242 supplements Federal Law No. 152 with the requirement that, in the process of collecting data, including via the Internet, the operator must organize, record, accumulate, refine, store and retrieve them using databases located in Russia. This requirement may not be fulfilled if personal information is processed for:

1. Achievement of the goals established in an international agreement or by law, for the implementation by the operator of the powers, duties and functions assigned to him.
2. The administration of justice, the execution of a court order, an act of another body or employee subject to execution in the manner provided for in the norms of Russian law.
3. Realization of powers by federal, regional, municipal executive institutions of power, structures included in extrabudgetary state funds, organizations involved in the provision of services at the state and local levels.
   
4. Performing professional tasks of a journalist or the activities of the media (legal), literary, scientific and other creative work. In this case, the condition on the inadmissibility of infringement of the interests of other persons must be fulfilled.

As practice shows, at present, cross-border transmission of information is an effective and convenient tool for interaction. When used correctly, operators can reduce the costs of processing information within Russia.