Changes to Russian data protection law

Elena Polevaya, Associate, Intellectual Property Practice, Baker Botts LLP in Moscow, describes changes brought in by the new Russian 'localisation' law and what organisations need to do to comply.

Privacy & Data Protection, Volume 15, Issue 8 (www.pdpjournals.com)

Changes to Russian data protection law came into force on 1st September 2015, introducing a requirement to localise, in Russia, personal data held on Russian citizens. The main changes are as follows:

All personal data held on Russian citizens must be collated, processed and stored in databases and on servers located in Russia. Data operators must notify Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media), the state authority responsible for monitoring compliance with personal data legislation, of where those servers are located.

Roskomnadzor will be able to block access to the websites of those who violate personal data requirements, and violators will be entered in a specially created registry of infringers.

Roskomnadzor, which monitors all data protection procedures, gains the power to make unscheduled inspections (at present its right is limited to one inspection in any three-year period). These provisions enable Roskomnadzor to react more quickly, to restrict access to data being processed in breach of the new requirements, and to impose penalties on infringers.

Organisations say that these changes, together with the lack of clarity about how the new law will be implemented, may result in substantial costs, higher prices and possibly a narrower range of products and services. Organisations will have to change their international business models and infrastructure, jeopardising the benefits they currently obtain from centralised support and command centres and potentially affecting their global competitiveness and reliability. Nonetheless, Russian officials emphasise that the aim of protecting the personal data of Russian citizens as effectively as possible, combined with the national security interests behind the law, outweighs all other concerns.

The government is now working on two decrees, covering state control of personal data processing and the creation of a registry of violators of personal data rights. The decrees are expected shortly and should address the ambiguities currently surrounding the new law; they will form the basis of the regulations through which the law is implemented.

Rationale behind the change

The aim of the new law is to protect the personal data of Russian citizens more effectively. The explanatory note to the law refers to the ruling of the Court of Justice of the European Union of 13th May 2014 (the so-called 'right to be forgotten' ruling), which made search engines subject to data protection rules and required them to remove 'outdated, wrong or irrelevant' information from their indices unless there was a public interest in keeping it.

Initially it was believed that the localisation law would apply mainly to IT companies and providers of social networking services. Its consequences appear to be far wider, however, affecting every company doing business in Russia that processes the personal data of Russian citizens, including Russian companies and the representative offices or subsidiaries of international companies in Russia. The localisation requirement also applies to foreign companies operating over the internet where those operations are targeted at Russian consumers (for example, the company has a Russian-language version of its website, the website is in the .ru or .рф domain zone, or users can make online purchases in roubles).

Will data need to be held exclusively in Russia under the new law, or will cross-border data transfers be permitted?

The current interpretation of the new law is that, after data have been collected and placed for storage in a data centre within Russia, they can then be transferred abroad, provided that data controllers comply with the general cross-border transfer rules (including obtaining the proper consents). In other words, where Russian citizens are concerned, organisations must hold an up-to-date and accurate database of personal data located in Russia, from which data may be transferred abroad if needed.

The general rule is that cross-border transfers of personal data are permitted to (1) foreign states that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data; and (2) other foreign states that, according to the list maintained by Roskomnadzor, provide an adequate level of data protection.

The parties to the Convention are: Albania, Andorra, Armenia, Austria, Azerbaijan, Belgium, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Georgia, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Moldova, Monaco, Montenegro, Netherlands, Norway, Poland, Portugal, Romania, Russia, San Marino, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, the former Yugoslav Republic of Macedonia, Ukraine, United Kingdom and Uruguay.

The countries on Roskomnadzor's adequacy list are: Angola, Argentina, Australia, Benin, Cape Verde, Canada, Chile, Korea, Israel, Malaysia, Mexico, Mongolia, Morocco, New Zealand, Peru, Senegal and Tunisia.

The United States, Brazil, China and India are neither parties to the Convention nor on Roskomnadzor's list.
There are exceptions that allow cross-border transfers to countries on neither list: the written consent of the data subject, an international agreement or an agreement with the data subject, national security interests, or the protection of the life or health of individuals. Provided that at least one of these conditions is met, personal data can be transferred to a non-approved country.

Enforcement of the new law

Compliance with the new law will be enforced by Roskomnadzor, which has the right to carry out on-site inspections, scheduled or otherwise. It may also request documents, issue binding orders to suspend or cease personal data processing entirely, and require that personal data which are inaccurate or were obtained in breach of the law be clarified, blocked or deleted. Roskomnadzor intends to record violators of personal data requirements in the newly created registry of infringers.

Penalties for non-compliance

Failure to comply with the new law may lead to an administrative fine for legal entities of up to 10,000 roubles (approximately £100). The Russian Parliament is considering a draft law that would raise the liability of legal entities to up to 50,000 roubles (approximately £500) for general violations of personal data processing rules, and to up to 300,000 roubles (approximately £3,000) for violations involving sensitive personal data. The draft has not yet been approved, but it is clear that liability for improper processing of personal data will increase significantly.

Practical steps that companies can take to comply with these changes

- Separate personal data held on Russian citizens from that of other citizens. Err on the side of caution and include the personal data of individuals whose citizenship is not known or cannot be established.
- Locate databases containing the personal data of Russian citizens within Russia, and ensure that the first-time recording, accumulation, storage, updating, modification and extraction of that data are performed in those databases.
- Ensure that Russian citizens can readily be identified in the system (for example, by adding a 'citizenship' field to online forms).
- Where the data must also be held outside Russia, keep it there in anonymised form, with the personal identifiers that would allow re-identification of the data subjects (turning the anonymised data back into personal data) stored in Russia. Alternatively, store the personal data of Russian citizens outside Russia in encrypted form and perform decryption only through an application located in Russia.
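The last step describes a split architecture: the copy held abroad carries no direct identifiers, and whatever is needed to turn it back into personal data (a re-identification table, or a decryption key and the application that uses it) stays in Russia. The following Python is an added example, not code from the article or from Baker Botts, showing the anonymised-copy variant with a random per-record token. The field names, the list of identifier fields, the store class and the sample record are assumptions constructed for illustration; the encryption variant differs only in what is kept in Russia (the key and the decrypting application rather than the table) and is not shown separately.

```python
"""Added example: split a record into an exportable copy and a re-identification
table that stays in Russia. Field names and the identifier list are assumptions."""
import secrets

# Fields treated as direct identifiers. Assumption: this list comes from the
# organisation's own data-mapping exercise; the law does not define it.
DIRECT_IDENTIFIERS = ("full_name", "passport_no", "email", "phone")


def contains_direct_identifiers(record):
    """Export gate: True if any direct identifier field is still present."""
    return any(field in record for field in DIRECT_IDENTIFIERS)


class ReidentificationStore:
    """Holds the token -> direct-identifier table.

    Assumption: an instance runs only on infrastructure located in Russia;
    the copy of the data sent abroad never includes this table.
    """

    def __init__(self):
        self._table = {}

    def pseudonymise(self, record):
        """Split a record into (token, exportable_copy).

        The token is random and unguessable, not derived from the identity,
        so the exportable copy cannot be reversed without this table.
        """
        identifiers = {f: record[f] for f in DIRECT_IDENTIFIERS if f in record}
        exportable = {f: v for f, v in record.items() if f not in DIRECT_IDENTIFIERS}
        token = secrets.token_urlsafe(16)
        self._table[token] = identifiers
        exportable["subject_token"] = token
        return token, exportable

    def reidentify(self, exportable):
        """Rebuild the full record; only possible where the table is available."""
        token = exportable["subject_token"]
        if token not in self._table:
            raise KeyError("unknown token: re-identification requires the Russian store")
        full = {f: v for f, v in exportable.items() if f != "subject_token"}
        full.update(self._table[token])
        return full


def can_reidentify(store, exportable):
    """True if this store can reverse the exportable copy (i.e. it holds the table)."""
    try:
        store.reidentify(exportable)
        return True
    except KeyError:
        return False


def sample_record():
    """Constructed example record; not real personal data."""
    return {
        "full_name": "Ivan Ivanov",
        "passport_no": "4510 123456",
        "email": "ivan@example.com",
        "citizenship": "RU",
        "order_total_rub": 1500,
    }


def export_abroad(exportable):
    """Last check before the copy leaves Russia: refuse if identifiers remain."""
    if contains_direct_identifiers(exportable):
        raise ValueError("refusing export: direct identifiers present")
    return exportable


if __name__ == "__main__":
    ru_store = ReidentificationStore()          # lives in Russia
    foreign_store = ReidentificationStore()     # a store abroad has no table
    token, abroad_copy = ru_store.pseudonymise(sample_record())
    print("sent abroad:", export_abroad(abroad_copy))
    print("re-identified in Russia:", ru_store.reidentify(abroad_copy))
    print("re-identifiable abroad:", can_reidentify(foreign_store, abroad_copy))
```

Two caveats follow from the code. Data held abroad with a token that can be reversed from a table in Russia is, in data protection terms, pseudonymised rather than anonymised: fields left in the exportable copy (dates of birth, postcodes, order histories) can still single out an individual, so the exportable field set needs the same review as the identifier list, and the token table itself is personal data that must stay within Russia. A fresh random token per record also means records cannot be linked abroad by subject; if linking is needed, issue one token per subject and accept that the linked set is more identifying.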