The law we reported on previously – which requires the personal data of Russian citizens to be stored and processed in databases located within Russia (the “Law”) – is expected to come into effect one year earlier than initially planned.
On 17 December 2014, the State Duma (the lower chamber of the Russian Parliament) passed a bill in the second and third readings, under which the Law is to enter into force on 1 September 2015 rather than on 1 September 2016.
To become law, this bill must be approved by both the Federation Council of the Federal Assembly (the upper chamber of the Russian Parliament) and the Russian President.
After the Law was adopted this summer, the legislators proposed bringing forward its entry into force and starting to apply the new rules on 1 January 2015. Discussions were engaged with the business community. They resulted in a consensus date being agreed upon and reflected in the bill.
With the Law coming into force in all likelihood on 1 September 2015, the companies affected have little time left to bring their existing processes for personal data storage in line with the requirements of the Law.
Even though companies would be well advised to start planning now for the changes, they should bear in mind that it remains unclear how certain provisions of the Law should be interpreted and applied in practice. This uncertainty is expected to be clarified in subordinate legislation that will be adopted at inter-agency meetings in early 2015.
We would like to remind that the sum of the penalties for improper processing of personal data is not high at the moment, however, recently the bill providing the increase of the penalty sum (up to 300 000 rubles for legal entities) was submitted to State Duma.