Russia, Mexico and China Modify Existing Legislation to Protect Personal Data

Thursday, September 8, 2011 by Thought Leadership Team

As Hunton & Williams’ Privacy and Information Security Law Blog recently reported, Russia, Mexico and China have all made substantial modifications to their personal data laws.

On July 25th, Russian President Dmitry Medvedev approved and enacted amendments to Russia’s privacy law, “On Personal Data.” Medvedev’s decision came after the amendments were adopted by Russia’s bicameral legislature, with the act effective retroactively as of July 1st, 2011. The changed provisions have a significant impact on data processing regulations and procedures, as well as on privacy concerns raised by the general public and governmental entities. The statute empowers officials to create regulatory mandates for the processing of personal data and redefines the way personal data may be transmitted.

The amendments allow for the transfer of personal data outside of Russia in one of several ways:

  • A data subject may provide written consent to transfer their personal data.
  • The 27 member states of the EU are allowed to request and receive cross-border transfers of personal data.
  • The law grants the Russian Federal Service for Oversight of Communications, Information Technology and Mass Media the ability to authorize a list of states (non-members of the EU) with sufficient personal data protection to qualify to receive personal data.
  • Personal data may be produced pursuant to a treaty or Russian federal law.

Mexico has also made substantial developments with respect to its national privacy laws. On July 6, 2011, the Federal Institute for Access to Information and Data Protection and Mexico’s Secretary of Economy released draft privacy regulations (“Mexico’s Regulations”) that “regulate the provisions of the Federal Law on the Protection of Personal Data in the Possession of Individuals” (“Mexico’s Law”). Mexico’s Regulations are framed upon several principles of protection of personal data in the possession of individuals: Legitimacy, Consent, Information, Quality, Purpose, Loyalty, Proportionality and Responsibility.

Finally, China has made additions to its existing body of personal data law as well. The “Provisions on the Administration of Internet Information Services” (the “Draft Provisions”), released on July 27, 2011, restrict the ability of “Internet Information Service Providers” (IISPs) in a number of ways. Service providers must not use personal data without consent, must not collect more than the minimum amount of personal information necessary to provide their service, and must divulge the method, content and purpose of the collection to users in express form, without disclosing any information to a third party absent users’ consent. As described by Hunton & Williams, ambiguity surrounding the definition of an IISP is somewhat elucidated by the “Measures for the Administration of Internet Information Services” (“the Measures”). The Measures define “Internet Information Services” as “service activities for the provision of information to Internet users over the Internet.”

How the New Amendments Match Up to International Benchmarks

Russia’s reformed privacy laws still closely align with the strict privacy stance taken by European Union Data Protection Directive 95/46/EC (“the Directive”). Russia’s new statutory scheme permits uninhibited transfer to the EU. Additionally, similar to the need for “adequate” data protection in the Directive, Russia’s law empowers a special agency to determine whether a receiving country’s data security procedures are sufficiently “adequate” to receive personal data from Russia. As data breaches continue to surface, only time will tell how the altered regulatory pressure on companies processing personal data will be enforced.

In many respects, Mexico’s Regulations are also akin to the Directive and other countries’ privacy protection initiatives. Similar to the Directive, Mexico’s Regulations outline special provisions for data controllers handling “sensitive personal data”: data that may reveal information like racial or ethnic origin, health status and religious and moral beliefs. Mexico’s Regulations, like the Directive, provide that “any transfer… national or international, is subject to the consent of its data subject.” The exceptions to this rule found in Mexico’s Law are also common to many other data protection regimes. Some of the exceptions to Mexico’s consent requirement arise when the data transfer is pursuant to a treaty, where the transfer is necessary for health care purposes, where the transfer is made to subsidiaries, affiliates or parent companies of the data controller with the same processes and policies, and when necessary to safeguard the public interest.

China’s lack of explicit provisions and its potentially broad “Internet Information Service Providers” nomenclature purport to take a new perspective on combatting the misuse of personal data. Hunton & Williams notes that these provisions are aimed at preventing industry-wide data misuse. Arguably, this wording could be interpreted to attack a bottleneck of compromised personal data far downstream from the processing done in the private sector.

Foreign national-level blocking statutes can have a profound effect on America’s broad and adversarial discovery process.