The infamous Federal Law No 242-FZ (the Law) came into force in Russia today. The Law, also known as the Localization Law, requires companies to ‘record, systemise, accumulate, store, update, change and retrieve personal data with the use of data centres located in the territory of the Russian Federation’.
Companies that collect personal data of Russian citizens have been eager to obtain official clarification and to understand what changes must be made to their IT infrastructure and business processes to ensure compliance with the Law.
So far only unofficial commentary on the Law has been shared by the local data protection authority (the Roskomnadzor). At the beginning of August, the Ministry of Telecom and Mass Communications of the Russian Federation (the Ministry) offered its interpretation of the Law. Even though the Ministry’s interpretation is not binding, it now serves as a key source of information on how companies should apply the Law.
The following areas are discussed in the Ministry’s interpretation:
The Ministry confirmed that the definition of personal data remains unchanged, ie personal data is any data that directly or indirectly relates to an identified or identifiable individual. No exhaustive list of such data is available.
The Ministry confirmed that the Law does not apply retrospectively, ie only personal data collected after 1st September 2015 must be processed in accordance with the Law. However, the Ministry then added that as soon as legacy data is used again (eg updated, changed or retrieved), the requirements of the Law will be triggered. Personal data that was stored outside the Russian Federation prior to 1st September 2015 is excluded from the applicability of the Law.
The Law applies to companies that operate on the territory of the Russian Federation and collect personal data of Russian citizens. The Law also applies where a company has no physical presence in Russia but directs its business activities towards Russian citizens, for example via the internet. The authorities will use the following criteria to establish whether a business is directed towards Russian citizens: i) the internet domain name ends in ru, rf, su, Moscow (in Russian), etc; and/or ii) the data operator creates a website in the Russian language, uses advertisements in Russian and allows transactions in Russian currency.
APPLICABILITY OF THE LAW
The requirement to process data using local databases is triggered at the point where personal data is collected. Not all personal data will fall into scope. Personal data that is collected systematically and with a clear purpose in mind will be covered by the Law. Personal data collected incidentally (eg via emails or letters received from data subjects) will be excluded.
Personal data can be transferred and stored outside the Russian Federation as long as such transfer complies with the requirements set out in Russian data protection laws. For example, employee data can be transferred outside Russia if the employee’s consent has been obtained.
The Law does not contain the terms ‘primary’ or ‘secondary’ databases, but the Ministry explained that when an operator collects personal data, such collection must first occur in databases located in Russia (‘primary databases’), with the possibility of later transferring the data outside the Russian Federation. Databases outside Russia (‘secondary databases’) can be used for copies of the data, for sending advertisements or for other activities, as long as the initial collection and processing occurs in a primary database.
RUSSIAN CITIZEN – CRITERIA
The Law does not stipulate the criteria on how to establish if personal data belongs to Russian Citizens. Companies are free to choose their own criteria or apply the Law requirements to all personal data.
HUMAN RESOURCES (HR)
The processing of HR data is excluded from the Law if the HR data is processed to meet obligations set out in other local laws (eg employment laws). Companies should note, however, that the Roskomnadzor may take the opposite view once its opinion is officially published.
DATA PROCESSING FOR ADDITIONAL PURPOSES
If a company decides to process personal data for additional purposes such as statistics, research, etc, all such additional processing will still be captured by the Law.
DATA SUBJECTS CONSENT
Obtaining a data subject’s consent to the processing of his/her data in databases outside the Russian Federation does not exempt a company from its obligations under the Law.
NOTIFICATIONS
The Law requires companies to update their existing data processing notifications with the Roskomnadzor. Notifications should include new information on where databases are located; however, the relevant forms are not yet available on the Roskomnadzor’s website.
The Roskomnadzor is due to audit 317 companies in order to establish their compliance with Russian data protection law. According to unofficial commentary, the Roskomnadzor has stated that it will not be auditing big internet giants such as Facebook and Twitter. The majority of the companies being audited will be local Russian public and private entities in a variety of business sectors, such as telecoms, oil and gas, insurance and credit companies. Among international companies, the Russian representatives of General Motors are one of the better-known names on the audit list. During the audits, the inspector may request that companies present documentation proving that the databases storing their personal data are located in the Russian Federation. Failure to provide the relevant documents may result in administrative sanctions and subsequent monetary penalties. In addition, the Roskomnadzor may block access to the company’s website.
The official guidelines are yet to be published, but companies must ensure that their data processing activities are in compliance with all existing data protection laws in Russia, not only the Localization Law.
The Ministry’s opinion (in Russian) can be accessed via the link here.
The Roskomnadzor’s website (in English) can be accessed via the link here.