What does this cover?

In October 2015 we reported on the Russian Data Localization Law (the Law) which came into effect on 1 September 2015. Some of the key provision of the Law include:

  • Databases to be physically located on Russian territory;  
  • Data operators to notify of server locations containing Russian citizens' personal data;  
  • A registry of violators to be created and maintained; and  
  • Access to information that is processed in violation of personal data laws can be restricted, either upon request of the data subject or on the initiative of the enforcement authorities. This can include completely blocking access to the website.  

Following a recent announcement in Russia, the privacy regulator the Roskomnadzor (the Regulator) will be carrying out increased audits under the Act in 2016. This will be comprised of 1,000 compliance audits and 2,000 monitoring procedures.

A copy of the Law is available here (Russian).

What action could be taken to manage risks that may arise from this development?

The law is still relatively new and consequently there is ambiguity surrounding the nature and extent of enforcement action that will be taken against non-compliant organisations. However, the implications of increased audits suggest an intention by the Regulator to identify non-compliant entities and violations are unlikely to be overlooked. Organisations operating in Russia should ensure they are compliant with the Russian Data Localization Law and take advice from local counsel if necessary.