Volume: 14 Issue: 2
The Russian data protection authority (‘Roskomnadzor’) issued, on 26 January 2017, the criteria that it will use to determine which countries are deemed to provide adequate protection for the purposes of personal data transfers.
Vyacheslav Khayryuzov, Counsel at Noerr LLP, said, “The reason for the new criteria is rather unclear. The Roskomnadzor previously only applied the criterion contained in Article 12 of the Federal Law of 27 July 2006 No.152-FZ on Personal Data, namely whether a country’s laws and data security measures complied with the provisions of Convention 108. As such, the number of countries deemed adequate could increase.”
Ilya Goryachev and Sergey Medvedev, Senior Lawyers at Gorodissky & Partners, added, “The Roskomnadzor [will now] take account of three criteria, namely that the prospective country has a special supervision authority competent to oversee personal data protection, has sufficient legislation on personal data and an enforcement system [for violations of data protection legislation], and complies with the resolutions adopted by the Council of Europe as well as resolutions of the 38th International Conference of Data Protection and Privacy Commissioners. These criteria do not differ significantly from the requirements enshrined by the Article 29 Working Party.”