Face for sale: Leaks and lawsuits blight Russia facial recognition

When Anna Kuznetsova saw an ad offering access to Moscow’s face recognition cameras, all she had to do was pay 16,000 roubles ($200) and send a photo of the person she wanted spying on.

The 20-year-old – who was acting as a volunteer for a digital rights group investigating leaks in Moscow’s pervasive surveillance system – sent over a picture of herself and waited.

Two days later and her phone buzzed.

Q&A: the data protection legal framework in Russia

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

Federal Law No. 152-FZ on Personal Data dated 27 July 2006 (the PD Law) is the main law governing personally identifiable information (personal data) in Russia. The PD Law was adopted in 2005 following the ratification of the Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data. In general, the PD Law takes an approach similar to the EU Data Protection Directive and is based on the international instruments on privacy and data protection in certain aspects, but the Russian regulation places special emphasis on the technical (IT) measures for data protection. Notably, the PD Law has concepts similar to the one contained in the General Data Protection Regulation, which became effective in the EU on 25 May 2018. Data protection provisions can also be found in other laws, including Federal Law No. 149-FZ on Information, Information Technologies and Information Protection (2006) and Chapter 14 of the Labour Code of the Russian Federation (2001).

Experimental AI regime to be introduced in Moscow

The Law separately outlines certain provisions relating to the storage and processing of personal data that will be obtained during the experiment.

As a result, the Law makes it possible to use the previously anonymised personal data of individuals participating in the experiment to increase the effectiveness of the state or municipal government. However, the Law specifically establishes that such personal data can only be transferred to participants in the experiment and must be stored in Moscow.

Data protection frameworks emerging in the BRICS countries

The members of the so-called BRICS grouping (Brazil, Russia, India, China and South Africa) have realized that digital transformation is an essential element for the future of their economies and societies. In this perspective, data protection becomes a key priority to foster thriving digital environments, where individuals enjoy protections and businesses benefit from legal certainty.