Russia’s new law requiring the local storage of personal data of Russian citizens in databases on Russian territory came into force on 1 September 2015. The new law is very broad and new obligations are stretchable and can fit almost any situation where personal data of Russians are processed. This includes data collected by foreign operators without permanent establishment in the Russian Federation. To date, enforcement authorities have not issued any official clarifications. Recent unofficial explanatory notes by the Ministry of Communications and sporadic publications by the Russian data protection authority provide some guidance on how the supervisory authorities are inclined to interpret the new law. The new law has already been used to block a website that is violating localisation and data protection requirements. Foreign companies with Russian offices or with companies that target Russian individuals, for example, via Russian language websites, are advised to immediately review their practices and policies involving the Russian Federation. Compliance measures should include the notification of the Russian privacy regulator Roskomnadzorabout the location of the company’s databases that contain personal data of Russian citizens, and the preparation of documents substantiating that a company has its own data storage facilities on Russian territory or an agreement with a Russian data centre.
The main provisions of the localisation law
- Databases on Russian territory: personal data of Russian citizens must be stored in the databases physically located on the territory of the Russian Federation (with some exceptions, for example, compliance with a legal obligation of controller or performing task carried out in the public interest).
- Notification of server location: in addition to the existing requirement to notify the Roskomnadzor (the Russian data protection authority) on processing personal data, the data operators must notify the location of servers with databases containing personal data of Russian citizens.
- Registry of violators: a new state “registry of the violators of the rights of data subjects” will be created and maintained; inclusion in the registry will be done on basis of a court order.
- Blocking non-compliant services: access to information that is processed in violation of personal data laws can, upon request of the data subject, be restricted on the basis of a final court order. Restrictions can extend as far as blocking access to the website altogether. Enforcement authorities can also initiate such access restriction.
Personal data of Russian citizens
The localisation law specifically applies to personal data of “the citizens of the Russian Federation”. There are no standards on how the operators would be able to establish and verify the nationality of data subjects. The Ministry of Communications suggests that data operators establish their own procedure for identifying the citizenship of data subjects and, if impossible or impracticable, apply data localisation rules to all personal data collected from the Russian territory.
There are no clear-cut legal provisions on the applicability of the new localisation requirements. Russian data protection law was previously not applicable to foreign companies without a presence in Russia. The new localisation law, according to the Ministry of Communications, applies to any operator that directly collects personal data of Russian citizens, including foreign entities with headquarters in the Russian Federation and foreign entities without permanent establishment in the Russian Federation but directing their activities to the Russian Federation. The latter includes companies that host a website on a Russian domain, such as .ru, .rf, .su, .moscow, .москва or .рф or have a web service in the Russian language. The Ministry of Communications has the following additional criteria for determining whether a Russian language website could lead to applicability of the data localisation requirements:
- payments are accepted in Russian roubles;
- the online contract stipulates execution on the Russian Federation territory (for example, delivery of goods, provision of services or access to digital content);
- links or advertisements in Russian that refer users to the web service,
- any other circumstances that clearly demonstrate an intention of the website owner to include the Russian market in its business strategy (for instance, identifying Russia as one of company’s locations on the corporate website).
On 7 September 2015, Roskomnadzor confirmed that any company processing personal data in Russia, with or without legal address in the Russian Federation, “can be and shall be if necessary” checked for compliance with data localisation law. A flow-chart published byRoskomnadzor explains how the authority sees the procedure on interacting with foreign operators. In a nutshell, if Roskomnadzordiscovers foreign operators active in Russia, it can request that they provide information on compliance with the data localisation requirements. Submitted information and documentation are evaluated for completeness and accuracy (which might include contacting a data centre provider). If no information is provided, or if submitted data were inaccurate or incomplete, Roskomnadzor will initiate court proceedings for take-down procedures and put the company’s name on the registry of violators. For foreign companies without a presence in Russia,Roskomnadzor will define a provider responsible for administration and delegation of domain names for take down procedures.
These procedures can go very fast: the first foreign internet site with personal data of 1.5 milion Russian citizens was blocked on 9 September 2015. The site has been also added to the registry of violators. The website contains the names, birth dates, addresses, phone numbers, and other personal information of Russians and is hosted on the top-level domain assigned to the Republic of Palau.
Cross-border transfers of personal data of Russian citizens remain possible, under the following conditions:
- the primary collection and storage of personal data will take place on the territory of the Russian Federation; and
- outbound data transfers will further comply with legal requirements.
Unless processing activities fall under specific exemptions (for example, required on basis of international treaties or, possibly, processing in employment context), the processing of personal data of Russian citizens in a database outside the Russian Federation is only possible if the databases on the Russian territory contain “bigger or equal amount of data” of Russian citizens than the foreign database.
What can you do to comply?
Companies must notify Roskomnadzor of the location of databases with personal data of Russian citizens before 10 September 2015. Also,Roskomnadzor has already planned 317 inspections for this year on compliance with the localisation law (90 inspections in September) and ad hoc inspections are possible. This means there is no time to lose.
An administrative fine for failure to timely notify the database location (RUB 5000 or EUR 67) may be negligible, but failure to provide the relevant information and documentation, once requested, may result in blocking the access to the company’s internet resources.
Since the first inspections will be document-based, companies must be prepared to demonstrate an agreement with a Russian data centre or documents substantiating that a company has its own data storage facilities in the territory of Russia. If the company is not that far yet, it can prepare documents demonstrating how the company is changing internal procedures aimed at compliance; the company’s discussions with potential providers; data migration plans; etc. Roskomnadzor also shows leniency towards companies initiating a conversation with this authority on which steps are needed to comply. Big multinationals like Facebook, Google or Twitter will not be audited until at least January 2016.