A recent presentation by our Moscow office highlighted amendments to privacy laws in Russia set to go into effect on September 1, 2015 that will have a significant effect on US technology companies and website operators that do business in Russia. Starting on that date, companies with a legal presence in Russia will be required to relocate databases used for storing Russian citizens’ data to servers physically located in Russia or face administrative fines and potential prohibitions on operating websites in Russia.
Data Storage Requirements
Federal Law No. 242-FZ, adopted in July 2014, amends the Personal Data Law to require both Russian and foreign entities with a legal presence in Russia to use databases located in Russia to record, systematize, accumulate, store, amend, or extract Russian citizens’ personal data. Failure to comply with the amended Personal Data Law may lead to an administrative fine of up to 10,000 rubles (approximately $170), which the Russian legislature is considering increasing to a maximum of 300,000 rubles (approximately $5,160). More importantly, websites that do not comply may be blocked from operating in Russia and recorded on a register of “organizations in breach” maintained by the Russian Federal Service for Communications, Information Technology and Mass Communications Supervision (Roskomnadzor). Civil and criminal liability may also apply in exceptional cases.
Please note that “personal data” includes any information directly or indirectly related to an identified or identifiable individual and excludes aggregated, anonymized, or purely technical data (such as cookies and analytics results). In addition, according to prior guidance from Roskomnadzor, usernames, passwords, mobile phone numbers, and email addresses alone do not unequivocally identify a person and therefore may not constitute personal data.