Recent amendments to Russia’s data processing rules require that databases used to process personal information of Russian citizens be located in the Russian Federation, even if the data is maintained by foreign corporations.
LinkedIn is the first international operator to be banned for violation of this localization requirement by the blocking of its services in Russia.
There is a question as to whether Russia’s localization rules could be challenged in the international arena as a potential violation of its WTO obligations.
Companies (including those without a legal presence in Russia) should consider how the law affects their operations in Russia and how to best comply with the localization requirements, or face possible blocking of their internet services in Russia.
The recent ruling against LinkedIn Corporation (“LinkedIn”) by the Moscow city appellate court, allowing the government to block LinkedIn’s internet services in the Russian Federation (“RF”), may be seen as a signal that the Russian Government intends to use its new powers of enforcement under its data protection laws to block companies who fail to come into compliance with the new rules. The decision has garnered a great deal of media attention and outcry. Even Russia’s largest bank Sberbank has publicly commented on potential difficulties with recruitment that the blocking of LinkedIn will impose on it.
The court decision is based on both the new legal requirements concerning the handling of personal data under the recent Federal law No. 242-FZ, as well as on Russian law provisions that have been in existence for some time now regarding the necessity to obtain proper consents from individuals in order to collect and process their personal data. In short, LinkedIn was charged with violating Russian law by processing Russian citizens’ personal data on databases not located in Russia and by allegedly failing to obtain the required consents for such operations. In this update, we focus on the former issue (failure to localize), which is a relative novelty of Russian law.
Overview of the personal data laws at issue in LinkedIn’s case
Adopted on July 21, 2014, and coming into effect on September 1, 2015, Law No. 242 amends certain Russian legislative acts with new specific requirements for the processing of “personal data” by “operators”. Most importantly, Law No. 242 amended the 2006 Federal law No. 152-FZ “On personal data” (“Personal Data Law”) and 2006 Law No. 149-FZ (collectively the “Data Processing Rules”) to require “operators” of personal data (such as LinkedIn) to use databases located within the RF territory for “the recording, systemization, accumulation, storage, clarification (update, modification), and extraction” of Russian citizens’ personal data.
“Personal data” is defined in the Personal Data Law as any information relating directly or indirectly to an identified or identifiable natural person (a “personal data subject”). “Operators” include public agencies, municipal bodies, and legal or natural persons – alone or together with others – that (a) organize and/or carry out the processing of personal data (other than for private personal and family needs) and/or (b) determine the purpose of processing personal data, the composition of personal data to be processed, and the action or operation using the personal data. This extremely broad definition of “operator” is interpreted to include both domestic and foreign companies, even foreign companies with no presence in the RF (as in the case with LinkedIn). There are no exceptions for Russian employees of foreign companies, even those working abroad. “Personal data processing” involves any action or operation performed with personal data (with or without automation equipment), including “collection, recording, systemization, accumulation, storage, clarification, extraction, use, transfer, depersonalization, blocking, and deletion” of such personal data. As a result, foreign companies with operations in Russia have been required to ensure that personal data of Russian citizens is processed on a Russian local server and not on servers located abroad.
Operators who violate the law are subject to fines and possible blockage of their services in Russia. In particular, under the law, a Register of Violators of the Rights of Personal Data Subjects (“Register of offenders” or “Register”), listing operators who mishandle personal data, has been established. If an offender fails to heed a government warning and remedy any violations of the Data Processing Rules in a timely manner, the enforcement agency – currently “Roskomnadzor” – may include it in the Register and “restrict access to” or “block” such violator’s information resources in Russia, including its network addresses, domain names, and the index pages of internet sites. Roskomnadzor must base the inclusion of an offender in the Register on a court decision specifying the operator’s violation and authorizing the enforcement action. The court decision triggers a procedure whereby Roskomnadzor should give the offender written notice of the violation in Russian and English within three days of an enforceable court decision, and allow the offender one business day (from receipt of the notice) to take measures to remedy the violation. If not remedied, the offender’s services in Russia may be blocked within three business days of the offender’s receipt of the notice. If an offender listed in the Register subsequently resolves the violation, Roskomnadzor may remove the offender from the Register.
In addition to possible blockage in the RF, violations of the Data Processing Rules can result in disciplinary, civil, administrative or criminal liability for the operator and its employees responsible for the violations. As companies with no legal presence in the RF cannot be easily subjected to administrative liability (e.g. fines), the blocking of their operations is the most likely and effective means of discipline. Operators who violate the Personal Data Law can also potentially be liable to the personal data subjects for resulting property damages, personal losses, and non-pecuniary damages, as provided under Russian law.
Overview of LinkedIn’s case in Russian courts to date
The decision in LinkedIn’s case marks the first major enforcement case against an international operator under the Data Processing Rules one year after the amendments came into force.
Roskomnadzor filed a claim against LinkedIn in Moscow’s Tagansky District Court earlier this year, alleging that LinkedIn violated the rights and legal interests of Russian citizens by illegally collecting personal information about the users, and even non-users, and using and transmitting this information without proper consent outside the territory of the RF. Although, according to the trial court’s decision, notice of the claim was sent to LinkedIn, LinkedIn apparently did not appear in the trial court proceedings and did not submit any materials to the court.
In August 2016, the Tagansky District Court ruled against LinkedIn in case No. 2-3491/2016, finding that its activities violated the requirements of Part 5 of Article 18 of the Personal Data Law because LinkedIn did not use a database located in Russia to process and handle the personal data of Russian citizens. As explained above, under this provision, before collecting personal data by internet means, an operator must ensure the use of databases located in Russia for the recording, systemization, accumulation, storage, clarification (update, modification), and extraction of citizens’ personal data. The court also found that LinkedIn violated Part 1 of Article 6 of the Personal Data Law by processing the data of third parties who were not members or visitors of the site and thus not covered by the user agreements or any other LinkedIn documents (i.e., without obtaining such parties’ consents). Based on the court decision recognizing these violations, Roskomnadzor is obliged to take measures to block internet access to LinkedIn in Russia by entering its domain names and other information in the Register of offenders.
LinkedIn filed an appeal from the Tagansky District Court’s decision with the Moscow city appellate court, which found no basis for reversing the decision of the court of first instance and affirmed the ruling against LinkedIn on November 10, 2016. The text of the appellate court’s decision has not yet been released, but is expected to be published shortly. Pursuant to the court’s ruling, Roskomnadzor decided to initiate the blocking of LinkedIn in Russia on November 17, 2016.
There is some discussion among certain trade experts on whether the Russian localization requirements, such as the one introduced by the amended Data Processing Rules, could be challenged in the international arena as a violation of Russia’s WTO obligations. Though it has not yet been tested in international dispute resolution venues in respect of Russia, an argument can be made that such a requirement for the localization of databases constitutes a protective measure that contradicts a WTO member’s commitments, including unrestricted market access under Article XVI of the GATS and the cross-border supply of data services as set out in the GATS Annex on Telecommunications. It remains to be seen whether such a challenge would be brought against Russia.
Compliance with the new legal requirements for personal data
The LinkedIn case demonstrates the Russian Government’s commitment to enforcing Russia’s Data Processing Rules by blocking companies who fail to comply with the requirements notwithstanding their lack of a legal presence in Russia. The decision serves as a warning to social media and other technology companies, as well as any company processing personal data of Russian citizens, that the failure to properly process data will result in their blockage in Russia.
Since the Data Processing Rules were enacted, many companies have sought ways to bring their procedures into compliance with Russian law, by, for example, relocating all personal data relating to Russian citizens to databases located within Russia. However, where this option has proven too burdensome financially or logistically, some service providers have outsourced this aspect to local providers.
Companies without a Russian presence should be extra-cautious as they are unlikely to receive timely notification of the fact that Roskomnadzor is undertaking a review of their website and/or is initiating court proceedings against them in Russian courts.