Despite repeated requests from the business community to postpone the entry into force of the Data Localisation Law (the “Law”, on which we previously reported), the Law will come into force on 1 September 2015, as confirmed by the Minister of Communications and Mass Media.
In early August, the Ministry of Communications and Mass Media (the “Ministry”) published clarifications on the interpretation and application of the Law on its official website (see here – in Russian). The website provides the first written, but non-binding, unofficial clarifications on the steps organisations must take to meet the new requirements. Most of the Ministry’s comments confirm the assumptions and conclusions reached during the closed meetings between Roskomnadzor and the business community held in June and July 2015. As it is possible to ask further questions on the Ministry’s website, it is expected that the clarifications available on the site will be updated.
Who do the localisation rules cover?
The requirements for the localisation of personal data apply to Russian legal entities, branches and representative offices of foreign organisations located in Russia, as well as foreign organisations whose activities are directed to Russia. The mere fact that a website is in Russian does not in itself trigger the application of the new “localisation rules” to an operator. The following, for example, are stronger indications that an activity is directed to Russia: the operator’s efforts “to include the Russian market in its business strategy” by making it possible to pay for services/works in roubles and the performance of a contract directly within Russia (e.g. delivery of goods to a buyer in Russia). To determine if the localisation rules apply, the Ministry recommends (and so does Roskomnadzor) that operators analyse their actions against the principle of “targeted activity” on a case by case basis.
The clarifications also indicate that the Law does not apply to airlines.
When do the localisation rules apply?
The Law will only apply to relations arising from 1 September 2015. Databases containing personal data which were located abroad before that date need not be transferred to Russia as long as they are not updated thereafter.
What constitutes “collection” of personal data?
The Ministry’s clarifications carefully address personal data collection, which is understood as being limited to “purposeful actions” of the operator aimed at obtaining data directly from personal data subjects. Therefore, when a legal entity obtains the contact details of employees from its counterparty in the course of legitimate business, it would not amount to “collection”.
Can data be transferred abroad?
The clarifications also shed some light on the issues of cross-border data transfer and the use of data abroad. As previously assumed, cross-border transfer of personal data is not prohibited, and the rules governing these transfers remain unchanged. Thus, personal data may be transferred abroad to a foreign person (by copying it from the “primary” (Russian) database into the “secondary” (foreign) database) subject to Russian rules on cross-border transfer. These include obtaining consent from the data subject and determining the legitimate purposes and timeframe of the transfer, etc. Transferring data for the purpose of backup or promotional mailings are given as examples.