On August 3, 2015, the Russian Ministry of Communications and Mass Media (commonly referred to as "Minsviaz") published detailed—and the only written—guidelines clarifying the new personal data localization requirements implemented by the Amendments to the Personal Data Law, signed into law by Russian President Vladimir Putin on December 31, 2014. A summary of the new law can be found in the June 15, 2015 Duane Morris Alert on this topic.
The new law became effective on September 1, 2015, and mandates that data operators, while collecting personal data about Russian citizens, must "record, systematize, accumulate, store, amend, update and retrieve" data using databases physically located in Russia. This law apparently makes Russia one of the few countries in the world, including China, Vietnam, Indonesia and Malaysia, that require the personal information of its citizens generally to be kept on locally housed servers. The guidelines, largely in the form of answers to FAQs, as well as a portal to ask additional questions, can be found at: http://www.minsvyaz.ru/ru/personaldata/ (in Russian).
The guidelines published on this site are non-binding for the Russian government. They merely provide the best understanding of Minsviaz officials on the law's requirements, based on information received from governmental and business sources. Minsviaz is the main governmental body responsible for the issuance of regulations and other guidance in this area. An agency within Minsviaz, Russia's Federal Service for Supervision of Communications, Information Technology and Mass Media ("Roskomnadzor"), will enforce this law. It is not inconceivable that Minsviaz's published guidelines might differ, in some respects, from the manner in which Roskomnadzor will actually enforce the law after September 1, 2015.
The business community has been seeking guidance from the government on the application of the law since its signing. Roskomnadzor officials have conducted a set of meetings with representatives from the business community to field questions and facilitate discussions about interpretation and compliance with the impending law. The interpretations and recommendations that came out of such meetings are also reflected in the published guidelines. Though the business community has also repeatedly requested a postponement of the effective date of the law until September 2016, the date when the law was initially scheduled to go into effect, this law is now effective.
This Alert summarizes several of Minsviaz's most significant clarifications. Duane Morris LLP will provide additional information on other important clarifications in Minsviaz's guidelines and other legislative developments in this area in an upcoming Alert.
Operators Who Are Subject to the Law
A concern with the law has been the ambiguity surrounding which entities must comply with it. While it seemed that the law would apply more broadly to Russian operators only and it was unknown what foreign operators would be impacted by it, and now, Minsviaz has clarified this issue, indicating that the following entities are subject to the law:
- Russian entities.
- Foreign entities with official representation and branches in Russia.
- Foreign entities without an official presence in Russia but conducting business that targets Russian consumers. The use of domain names, such as .ru, Russian language version of .ru, .su, .moscow, Russian language version of .moscow, etc., will place an entity under the purview of the law. Advertising in Russian and the opportunity for consumers to pay in Russian rubles are other examples mentioned by the guidelines. The availability of a Russian-language version of the company website may also be used as an indicator that the company is subject to the data localization law. The guidelines acknowledge the widespread use of the Russian language in other jurisdictions (mainly countries of the former Soviet Union), however, and indicate that additional criteria may be necessary to ascertain that the entity that hosts a Russian website is actually targeting Russian consumers. For example, the indication that the advertised product is available for delivery to Russia, or the opportunity to pay in Russian currency, may supply such an additional factor. The mere ability to access an entity's Internet site from Russia does not automatically place that entity under the purview of the law.
- Non-resident entities and individuals located and operating outside of Russia are not subject to the law if they collect the personal data of Russian citizens abroad (as long as this collection does not occur for the purposes of targeting Russian consumers).
Minsviaz's guidelines indicate that the new law will cover activities deliberately undertaken only for the purpose of collecting personal data. The personal data received in an accidental or non-solicited manner need not be stored and processed under the new law. For example, receipt by an operator of an email that contains personal data about a Russian citizen, when such information was not sought, does not obligate the operator to locally store the received information. Similarly, if, in the due course of business, one operator transmits to another operator the contact information of the former's employees, such receipt will not be considered as personal data collection.
No Retroactive Effect
Only personal data collected after September 1, 2015, is subject to the law. The law will not apply retroactively. Personal data on Russian citizens or other individuals residing in Russia collected and archived abroad prior to September 1, 2015, can remain in databases located abroad. However, if the personal data is updated or changed now that the law is in effect, that data will be subject to localization.
Though the guidelines are not binding and do not provide answers on every aspect of the new law, they provide an essential resource for those trying to understand the scope of this law. Operators subject to the new law and/or their counsel should review the Minsviaz guidelines with prudence since the law is now in effect.