Russia: Automated Means Criterion

The Automated Means Criterion is a key factor in determining the applicability of Russia's Federal Law on Personal Data, extending its scope to both automated and certain non-automated forms of data processing.

Text of Relevant Provisions

№ 152-FZ, Art. 1(1):

"This Federal Law regulates activities related to the processing of personal data by federal government bodies, state bodies of constituent entities of the Russian Federation and other state bodies (hereinafter referred to as "state bodies"), by local government bodies and other municipal bodies (hereinafter referred to as "municipal bodies"), by legal entities and private entities, both automatically, including in data telecommunications networks, and without the use of such means, provided that the data processing is by its nature similar to the actions (operations) of automatic data processing, that is, allowing users to search personal data recorded in physical media or contained in card catalogs or other systematized collections of personal data in accordance with the specified algorithm and (or) to have access to such personal data."

Original (Russian):

"Настоящим Федеральным законом регулируются отношения, связанные с обработкой персональных данных, осуществляемой федеральными органами государственной власти, органами государственной власти субъектов Российской Федерации, иными государственными органами (далее - государственные органы), органами местного самоуправления, иными муниципальными органами (далее - муниципальные органы), юридическими лицами и физическими лицами с использованием средств автоматизации, в том числе в информационно-телекоммуникационных сетях, или без использования таких средств, если обработка персональных данных без использования таких средств соответствует характеру действий (операций), совершаемых с персональными данными с использованием средств автоматизации, то есть позволяет осуществлять в соответствии с заданным алгоритмом поиск персональных данных, зафиксированных на материальном носителе и содержащихся в картотеках или иных систематизированных собраниях персональных данных, и (или) доступ к таким персональным данным."

Analysis of Provisions

The Automated Means Criterion in Russia's Federal Law on Personal Data is broadly defined to encompass various forms of data processing. The law applies to personal data processing that is carried out:

  1. "automatically" ("с использованием средств автоматизации"), which includes processing in "data telecommunications networks" ("в информационно-телекоммуникационных сетях").
  2. "without the use of such means" ("без использования таких средств"), but only if the processing is "by its nature similar to the actions (operations) of automatic data processing" ("соответствует характеру действий (операций), совершаемых с персональными данными с использованием средств автоматизации").

The law further clarifies that non-automated processing falls under its scope if it allows users to "search personal data recorded in physical media or contained in card catalogs or other systematized collections of personal data in accordance with the specified algorithm and (or) to have access to such personal data". This provision extends the law's applicability to structured manual filing systems that enable systematic retrieval of personal data.

The inclusion of both automated and certain non-automated forms of processing reflects the lawmakers' intention to cover a wide range of data processing activities, recognizing that personal data can be systematically processed and accessed even without the use of automated means.

Implications

This broad definition of the Automated Means Criterion has significant implications for businesses and organizations operating in Russia:

  1. Digital systems: All forms of digital data processing, including those using computers, servers, cloud services, and telecommunications networks, fall under the law's scope.
  2. Manual systems: Structured paper-based filing systems that allow for systematic retrieval of personal data are also covered, even if they don't involve electronic means.
  3. Mixed systems: Organizations using a combination of digital and manual systems for personal data processing must comply with the law for both types of processing.
  4. Small-scale processing: Even small businesses or individuals processing personal data in a structured manner may need to comply with the law if their processing methods allow for systematic retrieval.
  5. Data protection measures: Organizations must implement appropriate data protection measures for both automated and qualifying non-automated processing systems.
  6. Compliance scope: When assessing compliance requirements, organizations need to consider all their data processing activities, not just those that are fully automated.

Jurisdiction Overview