THE SUPREME COURT CONFIRMED THAT RUSSIAN USERS MAY FILE A LAWSUIT AGAINST AN AMERICAN SOCIAL NETWORK TO A RUSSIAN COURT

The Supreme Court of the Russian Federation reviewed a case initiated by a number of Internet users against the American social network Facebook Inc.

The Russian users filed a lawsuit against Facebook Inc. based on the Terms of Service violations. Moreover, the users also motivated their lawsuit by illegal use of their personal data.

The plaintiffs, inter alia, claimed to prohibit blocking and deleting their Facebook accounts by the defendant without any motivated reason, as well as to prohibit the collection of users’ personal data without their consent.

Lower courts returned the lawsuit on standing grounds. The court of the first instance stated that there is no relevant relationship between the parties, because the users cannot be construed as the defendant’s customers. The appellate court indicated that as far as plaintiffs cannot be recognized as customers, the lawsuit should be filed to the court at the defendant’s location (in the USA).

The Supreme Court concluded that the courts illegally refused to hear the lawsuit against Facebook Inc.

This position has been motivated as follows:

• potential illegal collection of personal data affect the rights of Russian users;
• the defendant intentionally distributes advertisement among Russian Internet users;
• the dispute arises from the Terms of Service of the social network, the execution of which should be carried out at the user’s location, i.e. in Russia.

According to the Supreme Court position, these grounds have their reflection in the Russian Civil Procedural Code.

The case was assigned to the court of the first instance to reconsider the issue of accepting the lawsuit. However, the Supreme Court gave the instruction to consider forum selection clause, which the Terms of Service may contain.

One of the most important conclusions for further court practice connected with the place of the execution of the Terms of Service. In future, such criteria may be also used to define an applicable law – not only courts’ jurisdiction.

Decision of the Supreme Court Collegium for Civil Cases dated on 09.06.2020 N 5-КГ20-49, М-10004763/19

A DRAFT OF THE RUSSIAN CODE OF ADMINISTRATIVE OFFENCES INCLUDES NEW TYPES OF OFFENCES RELATING TO PERSONAL DATA VIOLATIONS

A draft of the Code of Administrative Offences establishes new offences connected with failure of the obligation to keep the confidentiality of personal data or with failure of requirements of the anonymization of personal data, and others. Please see below the key amendments in the sphere of personal data regulation.

Fines for breach of confidentiality of personal data

According to Article 7 of the Federal Law of 27 July 2006 No. 152-FZ “On Personal Data”, operators processing personal data shall keep it confidential unless a personal data subject granted a consent or there is a special exception provided by federal laws.

In connection with the proposed amendments a failure of a confidentiality obligation could lead to imposing fines in following amounts:

• for officials – from RUB 40,000 to 100,000 (approximately USD 562 – 1,405);
• for sole proprietors – from RUB 100,000 to 300,000 (approximately USD 1,405 – 4,215);
• for legal entities – from RUB 300,000 to 500,000 (approximately USD 4,215 – 7,025).

Fines for infringement of the personal data anonymization rules

Moreover according to the draft law, there is an adjustment of the administrative offence connected with an infringement of the personal data anonymization requirements. Nowadays such an administrative offence is applying only to officials of state and municipal authorities.

In accordance with the drafted amendment all categories of operators may be fined for violations of the anonymization rules. Particularly, the administrative fines will apply for breach the requirements and methods, established by Roskomnadzor in the Order of 05 September 2013 No. 996 “On Establishment the Requirements and Methods of the Anonymization of Personal Data”.

The amount of fines for such an infringement will stay the same – from RUB 3,000 to 6,000 per violation (approximately USD 42 – 84).

Fines for a rejection to conclude, amend, terminate or execute an agreement with a customer, if he (she) rejects to provide personal data

The draft has also introduced a novel ground of the administrative liability. The rejection of the seller (or the contractor) to conclude, amend, terminate or execute an agreement with a customer due to his (her) refusal of granting personal data will become an administrative offence.

Exception from this ground of the administrative liability applies where a customer’s obligation to inform about his or her personal data is provided for in legislative and regulatory acts and (or) connected with an agreement’s direct execution.

The provided administrative sanction could be fined in following amounts:

• for officials – from RUB 30,000 to 50,000 (approximately USD 423 – 703);
• for sole proprietors – from RUB 50,000 to 100,000 (approximately USD 703 – 1,405);
• for legal entities – from RUB 100,000 to 500,000 (approximately USD 1,405 – 7,025).

To sum up, compulsion of customers to grant excessive volume of personal data can result in serious fines for companies that redundantly process personal data.

Please be informed that Russian courts have a new tendency to fine operators per each personal data subject. For instance, the university “Sinergy” was multiply fined by court for the illegal collection of personal data of students (per their number). Therefore, a real amount of new fines may be significantly higher than the amount per violation indicated in the document.

Draft of the Code of Administrative Offences (prepared by the Ministry of Justice of the Russian Federation, Draft ID 02/04/05-20/00102447)

A LAW ON THE CREATION OF THE UNIFIED REGISTRY OF DATA ON POPULATION WAS ENACTED

The enactment of the law establishing the legal grounds of the unified data register creation took place on 08 June 2020.

The law suggests forming a unified federal registry containing the data on the country’s population that will include, in particular, the following information:

• full name;
• date of birth and death;
• place of birth;
• sex;
• Civil Registry Office record details;
• Insurance Number of Individual Ledger Account;
• Federal Tax ID;
• data on marital status and kin relations.

The full list of data that could be put in the federal information registry is presented in Article 7 of the law.

The information registry is aimed to accumulation of all information contained in different state databases, such as registers of the Ministry of Internal Affairs, Ministry of Defense, Federal Tax Service and others. The federal registry will become a template for all state authorities.

Access to the federal population information registry will be provided to all government authorities at all levels, to all extrabudgetary funds management bodies (for example, Federal Compulsory Medical Insurance Fund), election commission and Multiservice centers providing state services.

The information registry of data on population is to be managed by the Federal Tax Service.

According to the text of the law, Russian citizens and legal entities will be able to receive the information contained in the population information registry on the cost-free basis.

The unified register could become an effective tool of gathering of evidence in court processes. Potentially, the parties will have an opportunity to request information from this database, if a court approves such a request. Thus, the data from the register could be useful, for example, to confirm affiliation or other relationship between Russian citizens.

The law (except for some particular provisions) came into legal force from the date of its enactment. However it should be noted that the transition period for the creation of the population information registry will be ended on 31 December 2025.

The Federal Law of 08 June 2020 No. 168-FZ “On Unified Federal Registry of Data on People of the Russian Federation”

A DRAFT LAW ON INDEPENDENT REGISTRATION OF BIOMETRIC DATA IS INTRODUCED TO THE STATE DUMA OF RUSSIA

The draft law was submitted to the State Duma of the Russian Federation on 22 April 2020, and now it is under the preliminary review stage.

According to the draft, citizens will be able to download their biometric personal data in the special database through their mobile phones, tablets or computers.

The personal data regulation defines biometric personal data as an information concerning a person’s physiological and biological characteristics from which he/she may be identified (for instance, fingerprints or patterns of the iris of the eye).

According to the draft, the personal data subject will be able to grant consent for processing of personal data by the basic electronic signature in the Public Services Portal of the Russian Federation (gosuslugi.ru).

According to the draft’s developers, Russian citizens may need to update their biometric personal data in the database to perform certain actions that usually require a personal attendance – for example, to get a loan.

The simplification of the procedure of collecting biometric personal data will make financial and other similar services truly remote mode more accessible.

It should be noted that the data contained in the biometric personal data database could be used by state authorities, local government bodies, sole proprietors, notaries and legal entities in cases which are established by Government of the Russian Federation or by the agreements with the operator of the biometric personal data database.

Draft No. 946734-7 “On Amendments to the Federal Law “On Information, Information Technologies and the Protection of Information”