Russia to Establish Special Rules for Processing Personal Data of Certain Groups

The Russian government has submitted a legislative proposal to the State Duma that introduces special procedures for processing personal data of specific groups of citizens. The proposal also grants law enforcement agencies access to certain population databases for the purposes of updating, modifying, or deleting information. The document has been published in the Duma’s electronic database.

According to the explanatory note from the bill’s authors, “In an era of rapid scientific and technological progress, much of which is related to data processing (including artificial intelligence), the task of ensuring the protection of information about specific groups of people stored in information systems and/or databases becomes extremely important.”

The bill proposes adding a new article to the law “On Personal Data,” which would establish special regulations for processing the personal data of certain individuals, with the list of such individuals to be determined by the President. As part of this initiative, a registry of personal data systems is planned to be created starting September 1, 2025. Each system in the registry will be assigned a significance category. The registry will be overseen by the Ministry of Digital Development, while the government will set the criteria for determining the significance of personal data information systems.

The proposal states that the Ministry of Defense, Ministry of Internal Affairs, Federal Security Service (FSB), Federal Protective Service (FSO), and Foreign Intelligence Service (SVR) will be able to require operators of information systems to provide access to personal data systems, clarify, extract, anonymize, block, delete, or destroy personal data, and specify the need to preserve such data. These agencies will also be able to request the restoration of clarified, extracted, anonymized, or blocked personal data.

The bill amends the law “On Information, Information Technologies, and Information Protection” with a new provision aimed at preventing the accumulation of data in government, municipal, and other information systems regarding the departmental affiliation of employees of the Ministry of Defense, Ministry of Internal Affairs, FSB, FSO, and SVR. Security agencies will monitor information systems and take measures to remove or restrict access to information about the departmental affiliation of their personnel. The new rules are expected to take effect on March 1, 2024.

Additionally, starting March 1, 2026, it is proposed to prohibit the operation of government, municipal, and other information systems included in the registry if, within six months of being added to the registry, measures have not been taken to ensure access for security agencies.