It has been a year since Russia’s data localization requirement came into force in September 2015, requiring companies to store within Russia databases containing personal data they collect from Russian citizens. Exactly one year later, the Russian Data Protection Authority, Roskomnadzor, issued a news release (in Russian) on the first year of enforcement.
In the update, Roskomnadzor stated that an absolute majority of the inspected companies comply with the data localization requirement and that noncompliance is low.
Roskomnadzor planned the inspections in industry “clusters,” and in the past year added to the inspection list credit organizations, e-commerce platforms, recruitment agencies, insurance companies, and other industries. Besides the planned inspections, Roskomnadzor conducts certain other monitoring activities in reaction to public claims and analysis of mass media.
According to the release, from 1 September 2015 until 29 August 2016 Roskomnadzor conducted 954 planned inspections and 82 ad hoc inspections, and is planning to conduct 479 more inspections in the last four months of 2016. Within these inspections, Roskomnadzor identified 1,822 violations of data protection law, although only 23 related to data localization requirement (which Roskomnadzor pointed out is only 1.3% of the overall violations). Separately, Roskomnadzor identified another eight violations of the data localization requirement through its general monitoring activities. In all cases, Roskomnadzor has issued orders to cease the violation within six months.
The news release also stated that the register of data operators violating Russian personal data regulations online has been actively used. As of 1 September 2016, the register contains 161 blocked websites resulting from 59 court decisions.
Moreover, about 63,000 data operators have notified Roskomandzor of their databases’ locations, in line with the recently updated database registration requirement obligating data operators to notify Roskomnadzor of the locations of databases containing personal data.
It is clear from the news release that Roskomnadzor will continue enforcement of the data localization requirement, primarily (but not exclusively) through its planned inspections. Moreover, it appears that the agency’s practice is not to immediately fine companies or shut down their online presence in Russia, but rather to issue orders enabling companies to come into compliance, although certainly it could decide to take a different enforcement posture in the future.