On August 3, 2015, the Russian Ministry of Communications and Mass Media (commonly referred to as "Minkomsvyaz" or "Minsviaz") published detailed—and the only written—guidelines[1] clarifying the new personal data localization requirements implemented by the Amendments to the Personal Data Law[2] signed into law by Russian President Vladimir Putin on December 31, 2014. The amendments took effect on September 1, 2015. The new law mandates that data operators which collect personal data about Russian citizens must "record, systematize, accumulate, store, amend, update and retrieve" data using databases physically located in Russia. The September 2, 2015 and June 15, 2015 Duane Morris Alerts have discussed a number of the most salient requirements of the new law. Discussed below are additional clarifications and further updates now that the law has been in effect for roughly six weeks.

Operations Covered by the Law, and Parallel and Trans-Border Data Storage

According to the guidelines, the new law will apply only to the data operations specifically enumerated in the law. Remote access to data, use of that data or data deletion (as long as the deletion does not undermine the law) will not be impacted.

The Minsviaz guidelines suggest that the new law will not impact any existing Russian laws and regulations regarding the cross-border transmission of personal data. Consistent with past practice, personal data about Russian citizens may be transferred out of Russia, as long as other Russian laws regarding personal data are followed. However, the personal data of Russian citizens must first be "recorded, systematized, accumulated, stored, amended, updated and retrieved" in a Russian database ("primary database") but may then be transferred to other databases outside of Russia ("secondary databases"). Such secondary/parallel databases of personal data can be used for backup purposes, for example. All personal data on Russian citizens subject to the law that is available abroad must also be stored in a Russian database. In other words, the secondary database available abroad should not have unique information that is not found in the primary database in Russia. The law does not restrict remote access to databases located in Russia. 

Citizenship Determination and Data Formats

Because the law has not specifically specified how operators must determine the citizenship of the subjects of their data collection efforts, Minsviaz's guidelines indicate that each operator will have the opportunity to select its own method for determining the citizenship of the individuals whose personal data it collects. The guidelines predict that the operator's sphere of activity will influence the operator's decision in selecting its method for ascertaining citizenship. 

The guidelines acknowledge the potential for high expenses and minimal gains associated with electronically storing personal data if a particular entity normally stores such information in paper format. The guidelines consider hard-copy databases of personal data initially "recorded, systematized, accumulated, stored, amended, updated and retrieved" in Russia to comply with the law, even if, eventually, this information is entered into an electronic database abroad. 

Implementation to Date

The new guidelines acknowledge that the ramifications of this law for foreign businesses transacting business in Russia which wish to comply with the law are likely to be significant. Companies intending to continue to do business in Russia that currently do not process or store personal information on Russian citizens inside Russia's borders may have to establish data centers or migrate infrastructure to Russia to comply with the law. One option for such companies may be to form partnerships with local Russian data collection and storage companies to facilitate the processing and storage of data in Russia. Data segmentation may also prove to be a viable option for companies, enabling them to record and store only personal data on Russian citizens in Russia, while processing other data abroad. The possibility also exists that the law may be too burdensome for some businesses, which may choose to cease all operations targeted at Russian consumers.[3]

The specific consequences for continuing operations in Russia but not complying with the law are unknown at this time. Roskomnadzor (the Russian agency responsible for enforcing the new law) has stated the intention to publish a list of non-compliant companies on its website. Possible penalties also include blocking non-compliant companies from access to local hosting and telecommunications. According to at least one Russian commentator, blockage of the offending companies' websites is unlikely[4] and some commentators and consultants to foreign companies operating in Russia have expressed skepticism about the potency of the law, opining that the requirements of the law are not easily enforceable and will serve as a formality. [5] Consequently, some companies have adopted the "wait-and-see" approach to evaluate how the implementation will unfold before committing to a specific course of action with regard to compliance with the law and future business endeavors in the Russian market.[6]

Now that the law has gone into effect, Roskomnadzor has indicated that it will limit its 2015 inspections to companies listed in its official plan of inspections. The plans will be published and updated on Roskomnadzor's official website, http://rkn.gov.ru/ (in Russian). Nevertheless, Roskomnadzor has reserved the right to conduct unplanned investigations, for which only 24 hours' notice will be given.[7] It is unknown what factors may trigger impromptu inspections or how frequently they will be undertaken. According to a recently published article in The Moscow Times,[8] a simple complaint by a data subject may trigger an investigation.

Roskomnadzor has also stated that it will grant a reprieve to large U.S. companies like Facebook and Google, indicating that it will not check such companies for compliance until at least January 2016. The focus of the 2015 inspections will be on small and medium-sized companies. Roskomnadzor's spokesman Vadim Ampelonsky has indicated that Roskomnadzor does not yet have the resources to enforce compliance among the largest data operators.[9]