The Russian Federal Law on Personal Data extends its applicability to foreign entities processing personal data of Russian citizens based on contractual agreements or consent, regardless of the entity's location.

Text of Relevant Provisions

№ 152 - FZ Art.1(1.1):

"The provisions of this Federal Law shall apply to the processing of personal data of citizens of the Russian Federation carried out by foreign legal entities or foreign individuals on the basis of an contract to which citizens of the Russian Federation are a party, other agreements between foreign legal entities, foreign individuals and citizens of the Russian Federation or on the basis of the consent of a citizen of the Russian Federation to the processing of his/her personal data."

Original (Russian):

"Положения настоящего Федерального закона применяются к обработке персональных данных граждан Российской Федерации, осуществляемой иностранными юридическими лицами или иностранными физическими лицами, на основании договора, стороной которого являются граждане Российской Федерации, иных соглашений между иностранными юридическими лицами, иностранными физическими лицами и гражданами Российской Федерации либо на основании согласия гражданина Российской Федерации на обработку его персональных данных."

Analysis of Provisions

The Russian Federal Law on Personal Data explicitly extends its scope to include the processing of personal data of Russian citizens by foreign entities. This extension is based on two key factors:

1. Contractual agreements: The law applies when processing is carried out "on the basis of an contract to which citizens of the Russian Federation are a party" or "other agreements between foreign legal entities, foreign individuals and citizens of the Russian Federation".
2. Consent: The law also applies when processing is based "on the basis of the consent of a citizen of the Russian Federation to the processing of his/her personal data".

This provision significantly broadens the territorial scope of the Russian data protection law, making it applicable to foreign entities that process personal data of Russian citizens, regardless of where these entities are located. The law focuses on the citizenship of the data subject rather than the location of the data processor or controller. It's important to note that this provision was introduced relatively recently, through Federal Law No. 266-FZ dated July 14, 2022. This recent addition suggests that Russian lawmakers recognized the need to protect the personal data of Russian citizens in an increasingly globalized digital environment.

Implications

This provision has significant implications for foreign businesses and individuals processing personal data of Russian citizens:

1. Extraterritorial application: Foreign entities must comply with Russian data protection law when processing personal data of Russian citizens, even if they have no physical presence in Russia.
2. Contractual relationships: Any foreign company entering into contracts with Russian citizens that involve personal data processing must ensure compliance with Russian data protection law.
3. Consent-based processing: Foreign entities relying on consent for processing personal data of Russian citizens must ensure that such consent meets the requirements of Russian law.
4. Increased compliance burden: Foreign businesses may need to implement specific measures to comply with Russian data protection requirements when dealing with Russian citizens' data.
5. Potential enforcement challenges: While the law extends its reach, practical enforcement against foreign entities without presence in Russia may pose challenges for Russian authorities.

This provision aligns Russia's approach with the global trend of data protection laws having extraterritorial effect, similar to the EU's General Data Protection Regulation (GDPR). It reflects the growing concern of nations to protect their citizens' personal data in the digital age, regardless of where that data is processed.