We last reported on Russia’s data localization law earlier this year when the Russian data protection authority, Roskomnadzor, released its inspection plan for 2016. Since then, Roskomnadzor has been conducting compliance inspections both according to the plan and in individual cases when it has reason to do so. The results of those inspections and recent comments by the Head of Roskomnadzor all yield insights into the regulatory expectations and the risk of noncompliance with the data localization law.

In an interview last week at the St. Petersburg International Economic Forum, the Head of Roskomnadzor, Mr. Zharov, announced (link in Russian) that Roskomnadzor has found most of the companies that it has inspected this year to be compliant with the data localization requirement. In particular, he commented that out of 645 inspections, Roskomnadzor has found only four violations of the data localization requirement. Mr. Zharov further stated that these four companies were given six months to come into compliance, which is a relatively long grace period given standard regulatory enforcement practice in Russia. This is in line with previous statements by Mr. Zharov that Roskomnadzor will cooperate with these companies which are willing to come into compliance.

Other details from the interview include:

  • 45,000 companies have already notified Roskomnadzor that they comply with the law by keeping a database of the personal data of Russian citizens within Russia.
  • In 2016, Roskomnadzor plans to inspect 910 more companies, bringing the total inspected companies to over 1,500.
  • Major social networks such as Facebook and Twitter will not be inspected in 2016, but according to Mr. Zharov will be at some point in the future.

While it is clear that the regulators still expect Russian personal data to be stored in Russia, companies may have more of a grace period to cure instances of noncompliance than originally expected, so long as they are making a good faith effort to comply.

That said, the relatively low rate of violations may reflect the fact that most of the companies inspected to date are those located within Russia, and not the U.S.-based and other multi-national companies whose network infrastructure is not already located in Russia, requiring greater effort and expense to comply. Roskomnadzor has indicated its plan to broaden the scope of its audits to cover these types of companies starting in 2017.