On 21 July 2014, Federal Law No. 242-FZ “On making amendments to certain laws of the Russian Federation regarding clarification of  the order of  processing of personal  data in information  and telecommunication networks” (“Law No. 242”) came into force. Law No. 242 introduced significant amendments into the following Federal Laws of the Russian Federation:

  • Federal Law No. 149-FZ “On Information, Information Technologies and on Protection of Information” dated 27 July 2006
  • Federal Law No. 152-FZ “On Personal Data” dated 27 July 2006
  • Federal Law No. 294-FZ “On Protection of Rights of Bodies Corporate and Individual Entrepreneurs during Performance of the State Monitoring (Supervision) and Municipal Monitoring” dated 26 December 2008.

The most significant amendment introduced by Law No. 242 is the equirement that data operators must store personal data of Russian citizens on servers located within the territory of the Russian Federation.

Law No. 242 will apply to all businesses which operate in Russia through subsidiaries, representative offices, or through individual agents, to the extent they “collect, record, systematize, accumulate, store, correct (update, change), extract personal data of citizens of the Russian Federation”.

Law No. 242 will also affect foreign businesses which deal with clients from Russia.

Law No. 242 will affect:

Click here to view table.

Originally Law No. 242 was supposed to become effective on 1 September 2016, however, subsequently this was changed to 1 September 2015 (Federal Law No.526-FZ dated 31 December 2014).

Reasons for Law No. 242

  • Preventing security services of foreign countries accumulating personal data of Russian citizens
  • Preventing foreign companies passing data of Russian citizens to law enforcement agencies outside Russia
  • Preventing personal data of Russian citizens being stored overseas.

How will Law no. 242 work in practice?

  • When collecting personal data of Russian citizens, an operator must ensure that it is recorded, systematized, accumulated, stored, corrected (updated, changed), using databases located on the territory of the Russian Federation. Such collection is not limited to internet.
  • In order to limit access to the websites which break Law No. 242, a new automated information system “The Register of violators of the rights of subjects of the personal data” (the “Register”) is being set up. The Register will be maintained by the Russian regulator Roskomnadzor and will contain names of all domains, web-addresses and further information about internet resources which fail to comply with Law No. 242 and any other Russian legislation on processing personal data.
  • The entries in the Register will be made on the basis of complaints lodged by individuals whose rights are affected by breaches of Law No. 242. If compliance is not provided within three calendar days from the notification about the alleged breach by Roskomnadzor, access to the website will be blocked without notice.
  • The regulator in practice will have unlimited powers to make unscheduled compliance checks to police compliance with the law, even in absence of any complaint or criminal investigation.
  • There is no express prohibition to store any personal data outside Russia, as Law No. 242 is silent on the subject. This implies that the European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (to which Russia is a signatory) would apply, and the Convention permits such transfers, provided certain conditions are met.
  • The current interpretation of Law No. 242 is that it is possible to back up personal data of Russian citizens on servers outside Russia, as long as the data is also stored on a server in Russia, in accordance with Law No. 242 – but this may change.
  • The ultimate purpose of Law No. 242 (to avoid information being stored outside Russia) would suggest that the fact of the data being stored overseas would be a sufficient ground for a complaint.

How to ensure compliance?

  • Set up a server in Russian Federation where personal data of Russian customers must be stored
  • Include “citizenship” in the database to ensure Russian citizens can be identified
  • Monitor legal developments in the area