The main provisions of the localisation law
- Databases on Russian territory: personal data of Russian citizens must be stored in the databases physically located on the territory of the Russian Federation (with some exceptions, for example, compliance with a legal obligation of controller or performing task carried out in the public interest).
- Notification of server location: in addition to the existing requirement to notify the Roskomnadzor (the Russian data protection authority) on processing personal data, the data operators must notify the location of servers with databases containing personal data of Russian citizens.
- Registry of violators: a new state “registry of the violators of the rights of data subjects” will be created and maintained; inclusion in the registry will be done on basis of a court order.
- Blocking non-compliant services: access to information that is processed in violation of personal data laws can, upon request of the data subject, be restricted on the basis of a final court order. Restrictions can extend as far as blocking access to the website altogether. Enforcement authorities can also initiate such access restriction.
Personal data of Russian citizens
The localisation law specifically applies to personal data of “the citizens of the Russian Federation”. There are no standards on how the operators would be able to establish and verify the nationality of data subjects. The Ministry of Communications suggests that data operators establish their own procedure for identifying the citizenship of data subjects and, if impossible or impracticable, apply data localisation rules to all personal data collected from the Russian territory.
There are no clear-cut legal provisions on the applicability of the new localisation requirements. Russian data protection law was previously not applicable to foreign companies without a presence in Russia. The new localisation law, according to the Ministry of Communications, applies to any operator that directly collects personal data of Russian citizens, including foreign entities with headquarters in the Russian Federation and foreign entities without permanent establishment in the Russian Federation but directing their activities to the Russian Federation. The latter includes companies that host a website on a Russian domain, such as .ru, .rf, .su, .moscow, .москва or .рф or have a web service in the Russian language. The Ministry of Communications has the following additional criteria for determining whether a Russian language website could lead to applicability of the data localisation requirements:
- payments are accepted in Russian roubles;
- the online contract stipulates execution on the Russian Federation territory (for example, delivery of goods, provision of services or access to digital content);
- links or advertisements in Russian that refer users to the web service,
- any other circumstances that clearly demonstrate an intention of the website owner to include the Russian market in its business strategy (for instance, identifying Russia as one of company’s locations on the corporate website).
On 7 September 2015, Roskomnadzor confirmed that any company processing personal data in Russia, with or without legal address in the Russian Federation, “can be and shall be if necessary” checked for compliance with data localisation law. A flow-chart published by Roskomnadzor explains how the authority sees the procedure on interacting with foreign operators. In a nutshell, if Roskomnadzor discovers foreign operators active in Russia, it can request that they provide information on compliance with the data localisation requirements. Submitted information and documentation are evaluated for completeness and accuracy (which might include contacting a data centre provider). If no information is provided, or if submitted data were inaccurate or incomplete, Roskomnadzor will initiate court proceedings for take-down procedures and put the company’s name on the registry of violators. For foreign companies without a presence in Russia, Roskomnadzor will define a provider responsible for administration and delegation of domain names for take down procedures.
These procedures can go very fast: the first foreign internet site with personal data of 1.5 milion Russian citizens was blocked on 9 September 2015. The site has been also added to the registry of violators. The website contains the names, birth dates, addresses, phone numbers, and other personal information of Russians and is hosted on the top-level domain assigned to the Republic of Palau.
Cross-border transfers of personal data of Russian citizens remain possible, under the following conditions:
- the primary collection and storage of personal data will take place on the territory of the Russian Federation; and
- outbound data transfers will further comply with legal requirements.
Unless processing activities fall under specific exemptions (for example, required on basis of international treaties or, possibly, processing in employment context), the processing of personal data of Russian citizens in a database outside the Russian Federation is only possible if the databases on the Russian territory contain “bigger or equal amount of data” of Russian citizens than the foreign database.
What can you do to comply?
Companies must notify Roskomnadzor of the location of databases with personal data of Russian citizens before 10 September 2015. Also, Roskomnadzor has already planned 317 inspections for this year on compliance with the localisation law (90 inspections in September) and ad hoc inspections are possible. This means there is no time to lose.
An administrative fine for failure to timely notify the database location (RUB 5000 or EUR 67) may be negligible, but failure to provide the relevant information and documentation, once requested, may result in blocking the access to the company’s internet resources.
Since the first inspections will be document-based, companies must be prepared to demonstrate an agreement with a Russian data centre or documents substantiating that a company has its own data storage facilities in the territory of Russia. If the company is not that far yet, it can prepare documents demonstrating how the company is changing internal procedures aimed at compliance; the company’s discussions with potential providers; data migration plans; etc. Roskomnadzor also shows leniency towards companies initiating a conversation with this authority on which steps are needed to comply. Big multinationals like Facebook, Google or Twitter will not be audited until at least January 2016.
- The Federal Law № 242-FZ 2014 of 21 July 2015 on data localisation (in Russian)
- Order on the Registry of violators of 19 August 2015 (in Russian)
- Regulation on blocking of internet sites, of 22 July 2015 (in Russian)
- Non-official, not binding explanatory notes and Q&A by the Ministry of Communications, published on 2 August 2015, as last updated on 25 August 2015 (in Russian)