Russia has adopted its own new Data Localisation Law, which went live on 1 September 2015 and affects international businesses with a physical presence in Russia, or businesses with websites “directed at” Russian users.

The new rules state that when you collect data about Russian citizens you must store it on a database in Russia. This doesn’t have to be the exclusive location for processing it. It is sufficient that the Russian database is the primary or “entry-level” database. Data can be exported outside Russia subject to compliance with the usual data protection export rules, which will require individual consents and transfer agreements.

The Russian data protection authority, Roskomnadzor, can impose penalties for non-compliance, though the fines are relatively low. More significantly, however, it can punish those failing to comply by blocking the websites used to collect or process Russian citizens’ data. It therefore has the potential to cause significant disruption to any business that relies on a strong online presence.