Personal Data Protection Law (152-FZ)

Executive Summary

Federal Law No. 152-FZ "On Personal Data," dated July 27, 2006, is the foundational legislative act of the Russian Federation regulating relations in the field of personal data processing. The law was adopted by the State Duma on July 8, 2006, approved by the Federation Council on July 14, 2006, and has been amended and supplemented numerous times over nearly two decades of its operation.

The law's purpose is to ensure the protection of human and civil rights and freedoms during personal data processing, including the right to privacy, personal and family secrets. The law applies to all forms of personal data processing -- both automated (including in information and telecommunications networks) and non-automated -- and covers federal and regional government bodies, local authorities, legal entities, and individuals.

The document is one of the most dynamically updated laws in the IT regulatory sphere, reflecting the rapid development of digital technologies, the expansion of cross-border data flows, and growing information security threats. The latest significant amendments, taking effect in 2025, introduce new requirements for data anonymization for AI purposes and the formation of data compositions, as well as stricter controls on cross-border transfers.

Key Provisions

• Personal data definition. Any information relating to a directly or indirectly identified or identifiable individual. The law also distinguishes special categories of PD (race, political views, health, intimate life), biometric PD, and personal data authorized by the subject for distribution.

• Processing principles. Legality and fairness; limitation to processing purposes; prohibition on merging incompatible databases; accuracy and currency; storage term limitations; destruction or anonymization upon achieving processing goals.

• Subject consent. PD processing is permitted with the subject's consent, which must be specific, substantive, informed, conscious, and unambiguous. Consent must be formalized separately from other documents (2025 norms). Written consent is mandatory for special categories of PD.

• Subject rights. Right to obtain information about data processing, right to withdraw consent, right to demand destruction of unlawfully processed data, right to cease distribution.

• Operator. A government body, legal entity, or individual that organizes and carries out PD processing. Bears responsibility for the actions of parties processing data on its behalf, including foreign counterparts.

• Cross-border transfer. Extensively regulated since 2023: mandatory Roskomnadzor notification, obtaining information from foreign recipients, possibility of transfer prohibition at the request of FSB, Ministry of Defense, MFA, and other agencies.

• Anonymization for AI purposes. From September 1, 2025, a mechanism is introduced for forming compositions of anonymized data to improve government efficiency and develop AI technologies (Article 13.1).

• Biometric data. Processing only with written consent, except in cases related to defense, security, and judicial proceedings. Operators may not refuse service when subjects decline to provide biometric data.

Goals and Timelines

The authorized body (Roskomnadzor) makes decisions on prohibiting/restricting cross-border transfers within 10 business days; operators must publish processing conditions within 3 business days.

Implementation Mechanisms

• Roskomnadzor -- the authorized body for protecting personal data subjects' rights: maintains the operator registry, approves requirements for distribution consent, makes cross-border transfer prohibition decisions, and exercises control and supervision.
• The Government of the Russian Federation -- determines anonymization procedures, requirements for data composition formation, exceptions to cross-border transfer rules, and GIS user verification procedures.
• FSB of Russia -- approves anonymization requirements, data composition formation and access procedures; can initiate cross-border transfer prohibitions to protect the constitutional order.
• The authorized IT body (Ministry of Digital Development) -- forms anonymized data compositions in GIS, issues requirements to operators for providing anonymized data.
• Operators -- must notify about processing and cross-border transfers, ensure data security, anonymize on demand, and delete data upon achieving processing goals.
• Vicarious liability. The operator bears responsibility for the actions of any party processing PD on its behalf, including foreign entities.

Industry Impact

Law 152-FZ is one of the key regulatory factors for Russia's IT industry. Its impact is multifaceted:

Compliance costs. Requirements for database localization, Roskomnadzor notifications, obtaining consents, and ensuring security increase operational costs for companies, especially those handling large volumes of user data (fintech, e-commerce, social networks).

Information security market. The law stimulates demand for PD protection solutions: encryption, DLP systems, anonymization tools, auditing, and consulting. This creates a sustainable market for Russian cybersecurity companies.

AI development. The new Article 13.1 (from 2025) creates a mechanism for accessing anonymized data for AI technology development, which is a critical resource for machine learning. However, strict anonymization requirements and restrictions on private company access (only one year after data submission to GIS) may slow innovation.

Cross-border operations. The 2023 tightening of cross-border data transfer rules complicates operations for international IT companies in Russia and creates additional barriers for integrating Russian companies into global data processing chains.

Penalties and liability. Stricter sanctions for violations (including turnover-based fines introduced in 2024) increase the law's significance as a business planning factor.

Amendment History

The law has undergone numerous changes since adoption. Key milestones:

• July 25, 2011 (No. 261-FZ) -- major overhaul: new definitions, processing procedures, operator rights.
• July 21, 2014 (No. 242-FZ) -- requirement to localize databases of Russian citizens on Russian territory.
• December 30, 2020 (No. 519-FZ) -- introduction of the institution of personal data authorized for distribution (Article 10.1).
• July 14, 2022 (No. 266-FZ) -- extension to processing by foreign entities, new cross-border transfer rules, strengthened liability.
• August 8, 2024 (No. 233-FZ) -- anonymization for data composition formation (Article 13.1).
• December 28, 2024 (No. 519-FZ), June 24, 2025 (No. 156-FZ), July 7, 2025 (No. 200-FZ) -- clarification of consent, biometric, and special category requirements.

Related Documents

• Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108).
• Federal Law "On Information, Information Technologies, and Information Protection" (No. 149-FZ, July 27, 2006)
• Federal Law "On the Security of Critical Information Infrastructure" (No. 187-FZ, July 26, 2017)
• National Strategy for AI Development until 2030 (Presidential Decree No. 490, October 10, 2019)
• Federal Law No. 123-FZ of April 24, 2020 -- AI experiment in Moscow, specifics of PD processing for data compositions.
• Federal Law No. 258-FZ of July 31, 2020 -- on experimental legal regimes in the sphere of digital innovations.
• Information Security Doctrine of the Russian Federation (Presidential Decree No. 646, December 5, 2016).