In July 2014 President Putin approved Federal Law No. 242-FZ ("On Amendments to Certain Laws of the Russian Federation in Order to Clarify the Procedure for Personal Data Processing in Information and Telecommunications Networks" (the "New Law")). This introduced two key changes to Russian Data Protection Law which, with its current interpretation, has possible ramifications for all foreign businesses doing business in Russia and dealing with the personal data of individuals.

The legislation has been criticised for its vague wording and practical implications. The business community has applied pressure since the New Law was announced to obtain clarification from the authorities on the implications for those conducting business in Russia and dialogue between businesses and the authorities continues.

Summary of the New Law

The New Law created a procedure which can restrict access by Russian citizens to websites ‘violating' Russian data protection law, and secondly imposes a requirement that the personal data of Russian citizens be stored on server(s) located in Russia.

Under the New Law, personal data of Russian citizens must be stored and processed within the Russian Federation. The Russian data protection authorities (the "DPA") intend to create a register/ database (the "Register") of websites which contain infringing information i.e. storing personal data of Russian citizens outside of Russia. The New Law gives Russian data subjects and/or the DPA the right to obtain a court order to have an "infringing" website added to the Register, the idea being that the DPA will then contact host and service providers and arrange for access to the relevant website to be blocked via a notice and takedown procedure.

There are some exceptions to the New Law (which remain to be clarified) including:

  • Processing for purposes required by law of an international treaty;
  • Judicial purposes;
  • Processing by state authorities; and
  • Mass media purposes.

However, these are of little to no assistance to the business community as they are predominantly non-commercial exceptions.

Potential Consequences of the New Law to businesses

The following have been cited as key possible consequences of this New Law:

  • Companies conducting business in Russia could be forced to open data centres with data storage capacities in Russia by 1 September 2015, or face the risk of being blocked and/or added to the Register.
  • Any foreign companies collecting the personal data of Russian individuals will be required to install servers in Russia and only use these servers to process information about Russian citizens. Recent discussions have suggested that this is very unlikely, given that the DPA has admitted that it has no jurisdiction over foreign companies.
  • The cross-border transfer of personal data of Russian citizens is also at issue, particularly as the New Law now conflicts with Russia's existing laws on international data transfers.

Key Issues

Some primary criticisms of the New Law are the fact that it will restrict competition in the internet to Russian-only services and may create a barrier to entry for foreign internet start-ups who lack the budget and technical expertise to ensure compliance with the New Law, thus restricting services available to Russian citizens.

One key aspect of the New Law at issue is that it does not explicitly prohibit storage of personal data of Russian citizens in Russia in addition to storing it abroad. It is still unclear whether it will be sufficient to keep a database copy in Russia or whether businesses will be obliged to store data exclusively in Russia without any mirroring foreign databases.

Counsel in Russia have advised that the likely outcome is that cross-border transfers will continue to be permitted. Once this is clarified it is anticipated that a legally compliant ‘structure' for businesses will be:

  1. Personal data of Russian citizens is first aggregated in Russian located servers;
  2. Parties put in place a data transfer agreement in which the parties agree to transfer data outside of Russia.
  3. The personal data can then be transferred outside of Russia.

The Russian Internet Ombudsman sent a letter in March 2015 to President Putin proposing a model along these lines, recommending that foreign online companies be allowed to store Russians' personal data in a third country provided that consent from the user is obtained.

Practical considerations for the business community

The important aspect of this law is the fact that it is so far reaching. Even where a business has Russian customers but no legal presence in Russia, it should note that Russian data protection law is considered as public order for all companiescollecting and processing personal data of Russian citizens, with no exceptions for foreign companies. Therefore, if a business holds Russian personal data in the US and UK, the law is, technically, applicable to that business.

That said, the DPA is not (so far) active in imposing Russian data protection laws on foreign companies without a presence in Russia - and as a matter of practice only imposes the data protection regulations on legal entities or representative offices of foreign legal entities registered in Russia. Unofficially, the authorities have admitted that they have no practical tools to impose Russian laws outside of Russia and do not intend to do so in future.

Accordingly, in the absence of a Russian based subsidiary or representative office, the risk of enforcement of Russian data protection laws against companies simply with Russian customers is currently relatively low. However, the DPA may well provide further clarification on this issue in its proposed by-laws of the New Law so we advise that businesses continue to monitor developments closely.

Conclusion

Based on the current understanding of the New Law, international businesses with Russian customers are, strictly speaking, legally subject to the New Law. However, the practical risks of enforcement against non-compliance are remote.

Businesses may consider (a) collaboration to perhaps share the costs of a server; or (b) shared learning with other similar sized foreign companies if it becomes likely that all such businesses will be forced to achieve compliance. In practice, as far as local counsel are aware, the majority of foreign companies with a presence (subsidiaries or representative offices) in Russia have not yet taken any action with respect to the New Law beyond seeking precise interpretations from the authorities.

Until more clarification is obtained, this is a sensible approach to follow.

Please note that the above alert is based on existing unofficial interpretations provided by the authorities, which may change upon publication of the official interpretations.