On July 20, 2014 a new law amending the law on data protection and law on information was signed off by the Russian president and thus was officialy adopted. The law, as further clarified, will come into force on September 1, 2015.
The law requires all personal data operators to store and process any personal data of Russian individuals within databases located in Russia (subject to few exceptions). The penalty for violation of this requirement is ultimately the blocking of websites involving unlawful handling of Russian personal data. A Register of Infringers of Rights of Personal Data Subjects shall be established by the Russian telecommunication authority (Roskomnadzor) and from there, Roskomnadzor may move to block websites.
As the law is newly passed and not in effect yet, it is unclear as to how this register and the website blocking would work in practice, but we note that blocking websites is a commonly used enforcement method in Russia.
These rules are important for anyone doing business with Russians, regardless of where the business is located.
These new rules will have a considerable impact on Russian and multi-national companies with Russian presence, or with involvement of Russian-oriented websites, as many of such activities involve collection, storage and/or processing of personal data outside of the Russian Federation.
Moreover, they are likely to place a heavy burden on the many international businesses operating online (such as travel services companies) who routinely process data of individuals from all countries (including Russia) without having any Russian subsidiary or presence as it would require them to distinguish the data pertaining to Russian individuals and store this data within Russia. A particularly distressing aspect for these companies is that without a Russian presence, they will have little opportunity or ability to engage Roskomnadzor regarding inclusion on the register or blocking of the websites.
According to the views of many commentators, enactment of such unprecedented rules could place a substantial new burden on foreign investment into Russia and may involve broader negative economic consequences than anticipated. With that in mind, there is a good chance that the law will be modified or finetuned before September 1, 2015. While this new law creates additional compliance requirements, there are strategies through which efficient compliance may be achieved.
At this point, we strongly advise anyone doing business in Russia or with Russians to take a close look at how personal data of Russians is handled.
The post Russia: Important changes to Russian data protection rules appeared first on Technology's Legal Edge.