Processing of biometric data: novelties in Russian law

The Ministry of Digital Development, Communications and Mass Media of the Russian Federation has approved a new procedure for processing, including collection and storage, of the personal biometric data parameters in the Unified State Biometric System (UBS) (details regarding the UBS are provided in the next section) as well as in other information systems ensuring identification and/or authentication of individuals (Decree No. 930 issued by the Russian Ministry of Digital Development, Communications and Mass Media on 10.09.2021). The new procedure will take effect on 1 March 2022 and apply till 1 March 2028, replacing the current rules (Decree no. 321 issued by the Russian Ministry of Digital Development, Communications and Mass Media on 25.06.2018).

The new decree regulates processing of the data owner’s images and voice , which have been collected applying a text-dependent method, i.e. while reading a specific text. The data owner’s their written consent will still be needed for processing of their personal biometric data. According to the above decree, biometric personal data will be stored in the Unified Biometric System for at least 50 years. The biometric data (collected  in the UBS as well as in other information systems) may be used for identification and/or authentication purposes within no more than five years of the collection date.

The Unified Biometric System (UBS) is the Russian digital platform for remote biometric identification of Russian citizens, which was implemented at the request of the Russian Central Bank and the Russian Ministry of Digital Development, Communications and Mass Media in 2018. PAO Rostelecom is the developer and the operator of the system. Above all, this system is used by banks. However, its application scope is expanding and covers also public services, health care, e-commerce, etc. The UBS contains the data types specified in Russian Governmental Decree no. 772 of 30.06.2018, and in particular: one’s facial image and/or voice data, contact details (phone number, e-mail), account ID in the system, etc. Since 19 August 2021 more data has been included in the UBS: Now the system contains, in particular, information about one’s birth date and nationality/(-ies), information about the authorities and organizations submitting the data to the system, information regarding the method of biometric data collection, etc. (Russian Governmental Decree no. 1345 of 16.08.2021).

The state supports use of the system by the organizations connected thereto and reimburses them for a part of the fee charged by the UBS operator. According to Decree no. 662 issued by the Russian Ministry of Digital Development, Communications and Mass Media on 29.06.2021, such reimbursement may cover up to a half of the fee payable for system use, including VAT.

In October 2021 the Russian Government made a list of the situations in which legal entities and entrepreneurs operating as sole traders may accumulate and process biometric personal data in their information systems (i.e. outside the UBS). This list includes the following situations of personal data processing: 

The above regulatory act (Russian Governmental Decree no. 1815 of 23.10.2021) will take effect on 1 March 2022 and apply till 1 March 2028.

Organizations owning information systems that ensure identification and/or authentication of individuals by means of their biometric data or provide such identification/authentication services will have to get accredited by the Russian Ministry of Digital Development, Communications and Mass Media beginning on 1 January 2022. Foreign legal entities can also get such accreditation. The  accreditation rules are provided in Russian Governmental Decree no. 1799 of 20.10.2021, which will apply for six years (i.e. until 1 January 2028).

The Russian Ministry of Digital Development, Communications and Mass Media has approved a list of identified safety concerns arising during use of personal biometric data. The relevant decree of the Ministry came into force on 14 November 2021 (Decree no. 902 of 01.09.2021). The safety concerns listed in this regulatory act include in particular: violation of integrity of personal biometric data (through substitution, deletion thereof) and their compromising during automated processing by user’s equipment; safety concerns arising when collecting biometric data in offices, branches or internal subdivisions of companies, including unauthorized access to information by using code or network weaknesses, malware etc. The Decree also covers the safety concerns arising during the collection of biometric data which involves using mobile phones and tablets and during data transmission between devices as well as safety concerns which may arise during interaction between authorities, individual entrepreneurs, notaries and organizations (other than financial institutions) on the one part and information systems on the other part, etc.

This list may be applied in particular for checks of biometric data and transmission of information about matches thereof to the data owner in information systems of the organisations applying biometric identification or authentication.

The above list of changes is not exhaustive: there have been a number of novelties with regard to state control over identification security and provision of governmental services involving use of biometric data. All companies (including foreign ones) processing personal biometric data of Russian citizens should take numerous changes in the Russian laws regulating this sphere into account to ensure that their activities comply with applicable rules and to avoid sanctions.