Although the term ‘Big Data’ is commonly used in the media and by companies and governments worldwide, no Russian legal provision deals expressly with the processing of such data.
As such, the Russian framework on information processing and other related issues – as set out in Federal Law 149-FZ on Information, Information Technologies and Information Protection 2006 (the Information Law) – applies.
Various legislative initiatives have attempted to introduce a specific legal framework regarding Big Data. Most recently, in February 2020, the Ministry of Digital Development, Communications and Mass Media issued for public consultation a draft law which aims to create a specific legal regime for Big Data processing.
Although the draft law received negative feedback from the government, it is useful to consider the ministry’s approach when shaping it.
Definition of ‘Big Data’
The draft law defined ‘Big Data’ as a combination of non-personalised information which can be classified into various groups (eg, informational and statistical messages and information on the location and behavioural aspects of movable and immovable objects and the quality and quantity of activities) which is received from various data possessors or structured or non-structured information sources using technology, data processing methods or devices, ensuring that the combination of the data and its repeated use and systematic updating do not specify particular individuals.
Big Data processing
The draft law provided the following non-exhaustive list of activities that would constitute Big Data processing, which may take place via automatic or non-automatic means:
- refinement (eg, updating or amending);
- transfer (eg, distribution, provision or access);
- destruction; and
The purposes and requirements for processing such categories of data were not provided in the draft law.
Definition of ‘Big Data processors’
The draft law provided that Big Data may be processed (or arranged to be processed) by any of the below parties (alone or jointly), provided that they define the purpose of such processing, the content of the data to be processed and the algorithm to be used:
- state and municipal bodies;
- legal entities;
- self-regulated organisations; and
- individuals, including entrepreneurs.
The draft law provided that the principles, legal grounds, rights and obligations of Big Data processors (ie, operators), as well as the rules and conditions concerning the circulation of Big Data and control over its processing and circulation, should be set by the government.
Further, under the draft law, the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) would create a register of Big Data processors and exercise control over the processing and circulation of Big Data.
Since the draft law received negative feedback from the government, whether it will become law is unclear. Nonetheless, it is a sign of an increasing focus on Big Data and the related issues.
In this regard, monitoring regulatory approaches in this area may be a useful way to prepare for future initiatives. After all, the draft law will not be the last attempt to provide a legislative framework for Big Data processing and regulation in Russia.
For now, businesses whose activities involve Big Data will need to observe the Information Law and, depending on the specific circumstances, Russia’s personal data legislation, including the personal data localisation requirements.