This article was first published on Taylor Wessing's Global Data Hub.
From 1 September 2015, Russia will impose restrictions on the processing of the personal data of its citizens outside Russian territory and facilitate state supervision of data privacy. Meanwhile, the Russian Parliament is considering a Bill strengthening the sanctions for breaching personal data regulations. These changes have caused a huge stir in international business circles as many organisations have realised they will find it a challenge (to say the least) to comply with the new requirements.
What do the amendments say?
The Federal Law 'On Personal Data' Nr 152-ФЗ dated 27 July 2006 (PDL), will be supplemented by a new requirement stating that data operators (entities performing functions of both controllers and processors, to use European terminology) are obliged (subject to certain exceptions) to ensure the recording, systemisation, accumulation, storage, clarification (update, change) and extraction of personal data of citizens of the Russian Federation with the use of databases located in the territory of the Russian Federation when collecting this personal data in any manner, including via the internet (the Localisation Requirement). This means it will be illegal to collect personal data of Russian citizens and send it directly to servers located outside Russia without involving a database installed on a Russia-based server/computer in the processing of the personal data. Russian governmental bodies are surprisingly cautious in commenting on the legislative changes. There is still no official guidance on how the processing of personal data should be reorganised and, therefore, the affected data operators have to come up with solutions based on a literal interpretation of the law and using their common sense.
What data will be affected?
At first glance, the answer is simple. The Localisation Requirement will apply to information about Russian citizens. The personal data of non-Russian citizens and stateless persons falls outside its scope even when their data is collected in Russia. However, determining which data is actually covered turns out to be a serious problem in practice.
First, the amendments say nothing about personal data collected before their entry into force so there are no grounds to assume that this data will not be affected.
Second, the amendments are silent about what to do with the data of Russian citizens residing in other countries. An official of the Data Protection Authority (in Russian – "Roscomnadzor") recently commented on this matter with regard to eBay: "If a personal data operator faces extreme difficulties with singling Russian citizens out from the overall multitude of data subjects, then it is reasonable to apply the territorial principle. In eBay's case, it is necessary to keep in Russia personal data of those [data subjects] who have their registered addresses in the territory of Russia. Correspondingly, if a citizen of Russia is located abroad and a server collects his/her data in the territory of this country, this falls outside the scope of the law".
Third, under the PDL, personal data includes any information relating to a directly or indirectly identified or identifiable individual (data subject). It is, therefore, unclear whether or not certain categories of information should be classified as personal data (e.g. office phone numbers, IP addresses and information about users' activities on the internet that is automatically recorded by some corporate firewall systems).
Fourth, the Localisation Requirement provides for several exceptions. One of them, if interpreted in a certain way, could be seen as being applicable to personal data of Russian employees processed by their employers, which could make the Localisation Requirement inapplicable to HR systems. However, this important question seems to have no clear answer, at least for now.
Which data operators will be affected?
There is no doubt that the Localisation Requirement must be observed by Russian companies and subsidiaries of foreign companies. Several years ago, Roscomnadzor explained that the PDL should be applicable to representative offices of foreign companies processing personal data in Russia, but not to their divisions located in other countries. Correspondingly, website owners that do not have any establishment in Russia were not uniformly considered to be bound by the PDL. The amendments will provide Roscomnadzor with the power to block access, under certain conditions, to websites which process personal data in violation of the PDL. One can assume that this power may serve as an instrument for enforcing Russian law against non-Russian online companies. In any case, the media has reported that global internet giants Google, AliExpress and eBay will move stores of Russian citizens' data to Russia.
How do you comply with the amendments?
- Apart from restricting access to global ICT systems and non-Russian servers, the most practical solution for international companies could be partial relocation of their ICT systems to Russia (namely, data stores containing Russian citizens' data and certain processing modules). For online businesses, the relocation will include a complete or partial move to Russia-based hosting. It is worth noting that the Localisation Requirement does not restrict remote use of Russian data, i.e. third-country data operators should have the right to access the Russia-based data store and process the data it contains via the internet or any other communication channel. For the purposes of relocation, it could be useful to contract with international data centres which have divisions in Russia that are capable of establishing unimpeded data exchanges between Russian and global parts of an ICT system.
- It seems that a pure duplication of Russian personal data from a Russia-based server to a foreign server for further remote processing by a Russian data operator would not be in line with the spirit of the amendments. However, there are a number of arguments that could justify this approach in some cases. For example, the rules allowing cross-border data transfers (Article 12 of the PDL) will remain valid and unchanged after 1 September 2015. Most probably, it will be possible to send Russian citizens' personal data collected in Russia to a third party located in another country.
How will Roscomnadzor find out about non-compliance with Russian law?
Roscomnadzor carries out regular selective inspections and extraordinary inspections (usually following a complaint). Under the amendments, provisions of the Federal Law 'On Protection of Rights of Legal Entities and Individual Entrepreneurs When Performing State Control (Supervision) and Municipal Control' Nr 294-ФЗ dated 26 December 2008, establishing the procedure for the organisation and execution of state inspections, would no longer be applicable to Roscomnadzor's inspections of personal data operators. This novelty may lead to an increase in supervisory activity in this sphere. Recent practice shows that state prosecutor's offices are also quite active in supervising observance of the PDL.
Under Article 22 of the current version of the PDL, before a data operator proceeds to processing any personal data, it must notify Roscomnadzor in writing of its intention to do so. By way of exception, it is not mandatory to notify Roscomnadzor about processing one's own employee data or the data of contractors used in order to conclude or execute contracts with them provided that such data is not transferred to third parties without special consent of these contractors, etc. When the amendments become effective, the notification form will also include information on the location of the databases containing personal data of Russian citizens. Russian law does not clarify whether data operators will be obliged to update the notifications already filed.
What is the liability for non-compliance?
Roscomnadzor will be given powers to react to violations of the personal data legislation by blocking access to websites in the territory of Russia. In particular, a website can be blocked under a relevant court judgment if the personal data is published on this website and processed in violation of the PDL. For this purpose, banned domain names, network addresses and other details will be recorded in a special state register of lawbreakers. These rules can be construed as being applicable, among other things, to social networks, blogs, public databases, some online stores and other web-services supporting registration of users or processing their personal details online in many other ways.
Apart from website blocking, the sanctions for non-compliance with the PDL are surprisingly low. As a general rule, a company will have to pay a fine of RUR 5,000–10,000 (approx. EUR 90–180) for each violation of the PDL. In addition, a responsible officer of a company (e.g. CEO or data protection officer) may also be fined personally, but the amount of the fine will not exceed RUR 1,000 (approx. EUR 18). In case of undue processing of employee personal data, the fines may be a bit higher. A failure to eliminate violations at the instruction of Roscomnadzor will be considered non-compliance with an order of a state authority and will entail additional sanctions. The Russian Parliament is considering a Bill strengthening sanctions and introducing new types of personal data violations. If a company does not pay attention to the data privacy requirements, it may be subject to several fines for different personal data violations at the same time and, as a result, the total amount of fines may reach several thousand Euros. The Bill introduced by the Government of Russia has passed the first of three readings.
What to do?
The tendency towards tightening the screws in the field of Russian data privacy is quite visible. There is virtually no doubt that the sanctions for breaching the personal data laws will be substantially increased sooner or later. The amendments will enter into legal force shortly. Initially, the effective date was set for 1 September 2016, but was subsequently brought forward to 1 September 2015. There is not much time left for considering possible options for rearranging data processing systems. It is advisable to begin with assessing the following: (i) what Russian data the company has and in what ways the company actually processes this data; (ii) where the servers are physically located and whether the ICT contractor can technically relocate them; (iii) what the ICT capabilities and practical needs of the concerned Russian office are; and (iv) which ICT systems and/or services provided to Russian users are crucial and which of them can be temporarily or permanently shut down. This will create a basis for choosing the appropriate technical and legal solutions. Guidance from Russian governmental bodies is expected. It is also a good idea to monitor Russian media, as state officials tend to give comments to journalists from time to time.