Russian websites may be required to adopt General Data Protection Regulation (GDPR)-style cookie policies and use cookie banners because of new case law. Russian courts have recently decided that the personal data law should apply to web analytics and suppressed access to a website that failed to meet the relevant data protection requirements. This judgement definitely makes the web cookies less 'tasty' than ever before.
Last year, the Russian Data Protection Authority, Roskomnadzor, brought an action against a website for a number of data breaches. Tagansky First Instance District Court of Moscow sustained the claim and decided that the website owner, among other things, had
- Used Google Analytics and its Russian equivalent, Yandex Metrica, for collecting and processing personal data;
- Failed to meet the data protection requirements prescribed by the Federal Law On Personal Data and applicable to the said web analytics tools.
Google Analytics and Yandex Metrica provide their customers with the detailed statistical and analytical information about visitors, their behaviour, locations, preferences, devices (model, browser, user settings, IP addresses, etc.), probable gender and approximate age, and other details valuable for marketing and business planning purposes (the user data). The user data is collected mostly through cookies, for example, small pieces of text readable by Google Analytics, Yandex Metrica and other web services. The cookie files are recorded on a user's device and stored there for some time or until they are manually deleted. The user data may also be collected through Java scripts (pieces of software incorporated into the HTML-code of a website), and some other instruments.
The first-instance judgement does not go into the reasons for classifying the user data as a kind of personal data. Under article 3(1) of the personal data law, personal data includes 'any information relating to directly or indirectly identified or identifiable natural person (data subject)'. Russian law does not explain what 'an identifiable natural person' actually means.
According to the previous case law, 'details that allow identifying a natural person should be considered as personal data. If it is impossible to do that without using additional information, such details are not personal data'.
In their Scientific and Practical Commentary to the personal data law, Roskomnadzor's executive officers supported this understanding of personal data, stating that 'information must not be considered as personal data if it is not possible to identify a natural person with this information without the use of additional information'. These conclusions are based on article 3(9) of the personal data law, defining the term 'data anonymisation' as a process that makes it impossible to attribute a piece of personal data to a particular data subject without the use of additional information.
Russian ecommerce companies used to believe that the web analytics had not given them such additional information that could transform the depersonalised users into the data subjects. Hence, most of the websites had not extended their privacy policies and data protection measures on the user data.
GDPR uses almost the same wording for defining the term 'personal data' in article 4(1), but the official interpretation is completely different as compared to Russian law.
According to GDPR, an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an online identifier.
Such identifiers include IP addresses, cookie identifiers, and others.
They may be used to create profiles of natural persons and identify them.
The personal data law does not prescribe any rules on the online identifiers, web traces, and cookie files. Although non-binding in that country, GDPR could inspire Roskomnadzor and the court to rethink their understanding of personal data in the same way as it is in the EU.
The first-instance judgement may be understood such that the website owners should fulfill all data protection requirements prescribed by the personal data law while dealing with the user data. From a formal point of view, there is a long list of such requirements including, among others, the following:
- Legal grounds for data processing: In contrast with GDPR, Russian law does not establish a welldeveloped concept of legitimate interests and encourages the controllers to ask for a data subject's consent where possible. That is why the website owners should use cookie banners for both informing the users of web analytics and asking for their consent.
- Data processing notification: Article 22 of the personal data law prescribes that the data controllers file their data processing notifications with Roscomnadzor. Similar notification obligations were abolished in the EU pursuant to recital 89 of GDPR. The Russian notifications must contain a list of all processed data categories and some other details. The user data may consist of various categories determined by a web analytics service. It is therefore unclear how to reflect all of them in the notification.
- Data processing agreement: Under article 6(3) of the personal data law, the data processing may be assigned to a third party under an agreement containing a number of mandatory terms. This is the darkest side of web analytics, since the website owners cannot negotiate the contractual terms with Google Analytics, Yandex Metrica, and many other global service providers.
- Localisation requirement: According to article 18(5) of the personal data law, certain data processing activities must be conducted with the use of databases physically located in Russia while collecting personal data from the citizens of Russia. Hence, it is unclear how this may be observed if a Russian website is connected to a global (nonRussian) web analytics service.
As shown above, the requirements of the personal data law raise more questions than give answers regarding the user data. Roskomnadzor commented on the first-instance judgement that it had not suspected Google Analytics and Yandex Metrica of breaching the law.
Rather, it is the website owner who must:
- Inform users of the web analytics tools collecting their data
- Request users to consent to such data collection
- Publish a policy document
Consequently, Roskomnadzor's comments introduce a kind of a "minimum compliance set" and they do not shed any light on how to fulfil the localisation requirement, conclude the data processing agreements with web analytics providers, and fill out the notification form.
Many Russian ebusinesses rely on these comments and do only what is specified there.
In addition, they emphasise in their cookie policies that the user data constitutes statistical and depersonalised information and, therefore, it is separated from all kinds of processed personal data.
This may help to mitigate compliance risks to a certain extent because the users are informed of the web analytics and they give their explicit consent if they stay on a website after reading the cookie banner. International companies often translate and localise their GDPR policies and cookie banners to use them on Russian websites.
The Moscow City Court affirmed the first-instance judgment without any corrections in an appeal hearing.
Hence, this judgement entered in force.
Surprisingly, the appeal judgement of the Moscow City Court does not mention the web analytics at all.
Instead, it examines several other data breaches committed by the website owner.
The compliance challenges arising from extending the personal data law over the web analytics seem to be insuperable unless the relevant rules are added to the personal data law.
As of today, there are no bills on this topic. This may be the reason for the Moscow City Court to mask this matter behind other violations revealed by Roskomnadzor.
On 6 May 2019, the defendant lodged a cassation appeal and, therefore, the case is going forward.
In the meantime, ecommerce companies have to ensure their compliance and begin with publishing Russian versions of cookie policies and banners.
That is how the cookie crumbles.
Previously published in www.ippromagazine.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.