The Federal Law specifies the scope of the Federal Law On Personal Data, its basic terms, and principles and conditions for processing personal data. Significant revisions have been made to applicable legislative norms governing transborder transfer of personal data, measures to protect personal data while processing, the rights and responsibilities of operators, and the relations between operators and personal data subjects.
In particular, the amendments stipulate that regulations governing certain issues of personal data processing can be passed not only by government bodies, as is currently the case, but also by municipal authorities, as well as the Bank of Russia. These regulations shall be adopted in accordance with federal laws and within the powers of these bodies and the Bank of Russia.
The Federal Law separates the procedures for transborder transfer of personal data to foreign states that are and are not parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The list of foreign states that are not parties to the Convention is approved by the authorised body on the protection of the rights of personal data subjects.
The Federal Law defines the measures to ensure the protection of personal data while processing. The law also directs the Government of the Russian Federation to develop regulations that will set forth appropriate levels of information security for personal data processing, and establish security requirements for physical carriers of biometric personal data and for technologies for storing such data outside of information systems. The law determines which federal executive authorities are to monitor and supervise the fulfilment of organisational and technical measures to ensure secure personal data processing.