Russia accelerated the entry into force of a set of amendments to the Federal Law ‘On Personal Data’ Nr 152-ФЗ dated 27 July 2006 (the PDL). The amendments are aimed at restricting the use of foreign servers for the processing of Russian citizens’ personal data and facilitating state supervision activities of the Russian data protection authority (in Russian, Roscomnadzor). Last autumn, they caused a stir in international business circles, which suddenly realised they would be unable to comply with the new requirements.
Initially, the effective date of the legislative changes was set for 1 September 2016. Last October, the Russian Parliament almost brought this date forward to 1 January 2015, but the negative reaction of numerous Russian and international companies forced Parliament to reschedule the effective date on 1 September 2015. This date is now established by the Federal Law Nr 526- ФЗ signed by the President of Russia on 31 December 2014. As a result, all entities processing the personal data of Russian citizens on servers located outside of Russia have eight months to bring their ICT systems into line with the new legal requirements briefly described below.
Storage of Personal Data in Russia
The amendments to the PDL state that the data operators (entities performing functions of both controllers and processors under the European terminology) are obliged to ensure the recording, systemisation, accumulation, storage, clarification (update, change) and extraction of personal data of citizens of the Russian Federation with the use of databases located in the territory of the Russian Federation when collecting this personal data in any manner, including via the Internet.
This requirement may be understood in such a way that it will be illegal to collect personal data of Russian citizens and directly send it to servers located outside of Russia without involving a database installed on a Russia-based server/computer in the processing of the personal data. The adoption of this requirement raises a number of questions. For example, it is not clear whether it would be legal to integrate Russian databases with databases and software located on foreign servers or to copy data from Russian servers to non-Russian servers. In addition, the amendments say nothing about personal data collected before their entry into force.
At this early stage, it seems obvious that the above requirement does not cover the personal data of non-Russian citizens and stateless persons, even when their data is collected in Russia. In this case, it would be possible to continue processing such data in the same way as now as long as it is separated from the data of Russian citizens.
It is worth mentioning that the amendments contain several exceptions to the above requirement. One of them, if interpreted in a certain way, can be applicable to Russian employees of international companies. However, this contentious question seems to have no clear answer, at least for now.
Notifying Roscomnadzor of the Location of Servers
Under Article 22 of the current edition of the PDL, before a data operator proceeds to processing any personal data, it must notify Roscomnadzor in writing of its intention to do so. By way of exception, it is not mandatory to notify Roscomnadzor about processing one’s own employees’ data, the data of contractors used in order to conclude or execute a contract with them provided that such data is not transferred to third parties without special consent of the data subjects, etc. When the amendments become effective, the notification form will also include information on the location of the databases containing personal data of Russian citizens. Russian law does not clarify whether data operators will be obliged to update the notifications already filed.
Strengthening Personal Data Inspection Procedure
Under the amendments, provisions of the Federal Law ‘On Protection of Rights of Legal Entities and Individual Entrepreneurs When Performing State Control (Supervision) and Municipal Control’ No 294- ФЗ dated 26 December 2008 (as amended) establishing the procedure of organisation and execution of state inspections would no longer be applicable to Roscomnadzor’s inspections of data operators. This novelty may lead to an increase of supervisory activities in the sphere of personal data.
Blockage of Websites for Violations of Personal Data Laws
Roscomnadzor will be given powers to react to violations of the personal data legislation by blocking access to websites in the territory of Russia. In particular, a website can be blocked on the grounds of the relevant court act if somebody commits any violation of Russian personal data legislation while processing information contained on the website in question. For this purpose, banned domain names, network addresses and other details will be recorded in a special state register of lawbreakers. These rules can be construed as being fully applicable, among others, to social networks, blogs, public databases, booking systems, some online shops and other web-services supporting registration of users or processing their personal details in many other ways.
Apart from the website blockage, the sanctions for noncompliance with the PDL remain at a surprisingly low level. As a general rule, a company will have to pay a fine of RUR 5,000–10,000 (approx. EUR 65–130) for each violation of the PDL. In addition, a responsible officer of a company (e.g. CEO or DPO) may also be fined personally, but the amount of fine does not exceed RUR 1,000 (approx. EUR 13). A failure to eliminate revealed violations at the instruction of Roscomnadzor is considered as the noncompliance with an order of a state authority that entails additional fines.
As it often happens in the legal world, the new legislative changes generate more questions than answers. Nevertheless, the tendency towards tightening the screws in the field of data privacy is quite visible. From that angle, the amendments may be considered Russia’s first attempt to prevent a common practice of substituting Russian jurisdiction over Russia-related operations with personal data with foreign jurisdictions that are believed to be preferable for many actors whose business is connected with the processing of personal data. There is almost no doubt that the sanctions for violating the personal data laws will be substantially increased sooner or later. At least, Roscomnadzor have been striving for such increase for several years.
Today, one of the best recommendations for businesses processing Russian citizens’ personal data is to monitor the situation and wait for detailed clarifications from Roscomnadzor on how to implement the new rules in practice.