Russia’s new law requiring the local storage of personal data of Russian citizens in databases on Russian territory came into force on 1 September 2015. The new law is very broad and new obligations are stretchable and can fit almost any situation where personal data of Russians are processed. This includes data collected by foreign operators without permanent establishment in the Russian Federation. To date, enforcement authorities have not issued any official clarifications. Recent unofficial explanatory notes by the Ministry of Communications and sporadic publications by the Russian data protection authority provide some guidance on how the supervisory authorities are inclined to interpret the new law. The new law has already been used to block a website that is violating localisation and data protection requirements. Foreign companies with Russian offices or with companies that target Russian individuals, for example, via Russian language websites, are advised to immediately review their practices and policies involving the Russian Federation. Compliance measures should include the notification of the Russian privacy regulator Roskomnadzor about the location of the company’s databases that contain personal data of Russian citizens, and the preparation of documents substantiating that a company has its own data storage facilities on Russian territory or an agreement with a Russian data centre.
The main provisions of the localisation law
Personal data of Russian citizens
The localisation law specifically applies to personal data of “the citizens of the Russian Federation”. There are no standards on how the operators would be able to establish and verify the nationality of data subjects. The Ministry of Communications suggests that data operators establish their own procedure for identifying the citizenship of data subjects and, if impossible or impracticable, apply data localisation rules to all personal data collected from the Russian territory.
There are no clear-cut legal provisions on the applicability of the new localisation requirements. Russian data protection law was previously not applicable to foreign companies without a presence in Russia. The new localisation law, according to the Ministry of Communications, applies to any operator that directly collects personal data of Russian citizens, including foreign entities with headquarters in the Russian Federation and foreign entities without permanent establishment in the Russian Federation but directing their activities to the Russian Federation. The latter includes companies that host a website on a Russian domain, such as .ru, .rf, .su, .moscow, .москва or .рф or have a web service in the Russian language. The Ministry of Communications has the following additional criteria for determining whether a Russian language website could lead to applicability of the data localisation requirements:
On 7 September 2015, Roskomnadzor confirmed that any company processing personal data in Russia, with or without legal address in the Russian Federation, “can be and shall be if necessary” checked for compliance with data localisation law. A flow-chart published by Roskomnadzor explains how the authority sees the procedure on interacting with foreign operators. In a nutshell, if Roskomnadzor discovers foreign operators active in Russia, it can request that they provide information on compliance with the data localisation requirements. Submitted information and documentation are evaluated for completeness and accuracy (which might include contacting a data centre provider). If no information is provided, or if submitted data were inaccurate or incomplete, Roskomnadzor will initiate court proceedings for take-down procedures and put the company’s name on the registry of violators. For foreign companies without a presence in Russia, Roskomnadzor will define a provider responsible for administration and delegation of domain names for take down procedures.
These procedures can go very fast: the first foreign internet site with personal data of 1.5 milion Russian citizens was blocked on 9 September 2015. The site has been also added to the registry of violators. The website contains the names, birth dates, addresses, phone numbers, and other personal information of Russians and is hosted on the top-level domain assigned to the Republic of Palau.
Cross-border transfers of personal data of Russian citizens remain possible, under the following conditions:
Unless processing activities fall under specific exemptions (for example, required on basis of international treaties or, possibly, processing in employment context), the processing of personal data of Russian citizens in a database outside the Russian Federation is only possible if the databases on the Russian territory contain “bigger or equal amount of data” of Russian citizens than the foreign database.
What can you do to comply?
Companies must notify Roskomnadzor of the location of databases with personal data of Russian citizens before 10 September 2015. Also, Roskomnadzor has already planned 317 inspections for this year on compliance with the localisation law (90 inspections in September) and ad hoc inspections are possible. This means there is no time to lose.
An administrative fine for failure to timely notify the database location (RUB 5000 or EUR 67) may be negligible, but failure to provide the relevant information and documentation, once requested, may result in blocking the access to the company’s internet resources.
Since the first inspections will be document-based, companies must be prepared to demonstrate an agreement with a Russian data centre or documents substantiating that a company has its own data storage facilities in the territory of Russia. If the company is not that far yet, it can prepare documents demonstrating how the company is changing internal procedures aimed at compliance; the company’s discussions with potential providers; data migration plans; etc. Roskomnadzor also shows leniency towards companies initiating a conversation with this authority on which steps are needed to comply. Big multinationals like Facebook, Google or Twitter will not be audited until at least January 2016.
28 April 2021
16 March 2021
17 February 2021
13 January 2021
17 December 2020
17 December 2020
16 November 2020
16 November 2020
12 November 2020
23 October 2020