Following its attack on Ukraine, Russia was suspended from the Council of Europe (CoE) on 16 March 2022. This has consequences for transfers of personal data to Russia and for data processing in Russia. The European Data Protection Board (EDPB) has since published a statement on the matter, which we summarise briefly below.
The CoE, Convention 108, and Russia’s steadfastness
Russia was until recently a member of the CoE and was therefore bound by a number of its conventions and protocols. Russia's forced exit from the CoE prompted the EDPB to release a statement on personal data transfers to the Russian Federation.
The EDPB's statement highlights that Russia, on the one hand, is no longer bound by all the conventions and protocols of the CoE. On the other hand, Russia remains a party to those conventions and protocols to which it has acceded and which are open to accession by non-member States, such as Convention 108. This Convention obliges all signatories to protect the human right to privacy in the digital age by taking the necessary steps in their domestic legislation to give effect to the principles it lays down.
On 5 July 2022 Russia signed a law, taking effect on 1 September 2022, that makes significant changes to Federal Law No. 152-FZ. These changes include new rules for international data transfers, data breach notifications and additional data protection requirements.
These changes have a political background, as they affect news coverage of the war in Ukraine, but they could also be read as a sign of Russia's continued adherence to Convention 108 and the other conventions and protocols it remains party to.
EDPB’s reaction and recommendations
The EDPB statement particularly highlights Russia’s continued obligations in terms of Convention 108 and questions how exactly Russia’s continued participation in this Convention will play out in the future.
Because of these uncertainties, the EDPB recommends that data exporters take supplementary measures. The EDPB's Recommendations on supplementary measures provide step-by-step guidance on how to assess a transfer and, where needed, bring the level of protection up to the required standard.
The six steps are:
- step 1: know your transfers, i.e. map where the personal data of data subjects actually goes;
- step 2: identify the transfer tool relied on for each transfer (for example Standard Contractual Clauses or Binding Corporate Rules);
- step 3: assess whether the data remains effectively protected once transferred, taking into account the law and practice of the destination country;
- step 4: adopt supplementary measures where the transfer tool alone does not ensure adequate protection;
- steps 5 and 6: document the assessment and the transfer practices, and re-evaluate them at appropriate intervals or whenever something changes in the countries to which personal data is sent.
Having followed and documented these steps, an exporter is in a position to demonstrate that it has assessed its transfers and that the data of data subjects is handled and protected as the GDPR requires.
On top of that, the EDPB refers to the Schrems II judgment of the Court of Justice of the EU (CJEU), which ruled on the mechanisms that allow personal data flows from the EU to the U.S. In a nutshell, the CJEU held that Standard Contractual Clauses (SCCs) can only be relied on so long as the data exporter can ensure an adequate level of data protection in the country of the data recipient.
With this reference the EDPB makes clear that there is precedent for dealing with non-EU and non-EEA countries that lack adequate data protection, and that Russia may be treated in the same way as the U.S.
What to consider now as a business
In summary, the EDPB points out that Russia has not received an adequacy decision from the European Commission pursuant to Art. 45 GDPR. Transfers of personal data from the EEA to Russia are therefore only permitted on the basis of one of the transfer tools in Chapter V GDPR (Standard Contractual Clauses, Binding Corporate Rules, etc.). In addition, the data exporter must assess whether, in the context of the specific transfer, a level of protection essentially equivalent to that guaranteed within the EEA can be ensured, or whether supplementary measures must be adopted.
In the meantime, we recommend that data exporters and processors with interests in Russia stay alert and follow the EDPB Recommendations on supplementary measures. Where the exporter's assessment leads to the conclusion that compliance is not (or no longer) ensured and that no effective supplementary measures can be implemented, the exporter should suspend the data transfers.