On December 31, 2014, Russian President Vladimir Putin signed into law a change in the effective date of a Russian personal data law that includes a data localization requirement (the "Personal Data Law"). Under that change, all companies doing business in Russia – regardless of where the company is based – will be required effective on September 1, 2015 to process and store in Russia personal data that they collect relating to Russian citizens or other individuals residing in Russia.
The accelerated effective date raises a host of compliance issues for companies doing business in Russia, particularly companies that are involved in collecting, storing, and processing information of a personal nature. The Personal Data Law is not industry-specific and, depending on the interpretation by Russia's key regulators, the Personal Data Law's data localization requirement may apply to companies that operate in industries as diverse as social media, aviation, online ticketing and booking, and e-commerce.
What the Law Does
Under the Personal Data Law, businesses and individuals that collect personal data of Russian citizens or other individuals residing in Russia must ensure that as of September 1, 2015 the databases used to "record, systemize, accumulate, store, amend, update and retrieve data" are located in Russia. Some potential compliance solutions for companies whose operations fall under the data localization requirement may include maintaining servers based in Russia, and taking steps to segment the data collected.
The Personal Data Law generally does not apply to foreign companies that process personal data outside Russia. However, two exceptions indicate that companies doing business in Russia may face potentially significant compliance burdens under the Personal Data Law, and potentially significant penalties for non-compliance. First, the law applies to Russian "operators" of personal data (an "operator" is anyone who processes personal data and determines the purpose of such processing) even if they process such data outside Russia. Second, the law applies to foreign entities that process data of Russian nationals even if they do so outside Russia. Questions remain regarding how Russian regulators will enforce the law with respect to such foreign entities.
Noncompliance with the data localization requirement may potentially trigger administrative or civil liability, and subsequent administrative or criminal liability for continued failure to comply. Russia-based companies – including subsidiaries of multinationals – are at significant risk of potential penalties should they be unable to comply with the Personal Data Law. Russian regulators may seek to impose sanctions by blocking access to the noncompliant entities' online services at the Russian Internet service provider level. As a practical matter, it may be more difficult to enforce potential penalties on companies operating outside Russia, but the Russian government may affect foreign companies indirectly by taking steps against their local customer base.
Forthcoming Regulatory Interpretations
The Personal Data Law is written in broad and somewhat ambiguous terms. It is likely, therefore, that implementation will depend heavily on Russian enforcement agencies. The Ministry of Communications ("Minsviaz") is the main governmental body responsible for the issuance of regulations and other official guidance in this area. In March 2015, Minsviaz began working on an official protocol to explain its interpretation of the law. It is anticipated that the protocol will be completed and published by the end of summer 2015. Upon implementation, an agency within Minsviaz, Russia’s Federal Service for Supervision of Communications, Information Technology, and Mass Media ("Roskomnadzor"), will be responsible for enforcing the law.
The current language of the Personal Data Law does not answer some of the key compliance questions that may affect many companies. For example, it is not clear whether companies may process personal data outside Russia after collecting it in Russia. Russian regulators' initial comments on this subject remain vague, sporadic, and mixed. Most recently, in informal remarks, Roskomnadzor has stated that the operator of personal data must process that data using databases located in Russia. Based on some indications, however, Roskomnadzor may be contemplating changing that position to allow processing of personal data abroad once the initial collection in Russia is complete.
Keys to Compliance
Companies that will be impacted by the Personal Data Law should prepare in advance for the September 1, 2015 effective date. At least initially, prudence suggests that such companies plan for the broadest interpretation of the law. While establishing a data center in Russia may be the most direct means of compliance, there may be other potential avenues to attain that objective. One potential option is database segmentation: recording and storing only personally identifying data in Russia (any portion of the database containing full names, contact details, etc.), while processing anonymous user transaction data in data centers located abroad.
At a minimum, companies and/or their counsel should monitor the informal guidance, as well as the official guidelines and clarifications, from Minsviaz and Roskomnadzor.