With the September 2015 effective date of Russia’s Data Localization Law less than six months away, the Russian data protection authority, Roskomnadzor, has still not issued any formal guidance on how it interprets the law’s broad requirement that companies must process and store the personal data of Russian citizens within Russia. Roskomnadzor has, however, recently held a series of meetings with different industry groups about the law. While Roskomnadzor’s views as expressed in these meetings do not constitute a formal position, they provide insight into how the regulator is likely to interpret the law.
Hogan Lovells is closely monitoring these developments, and we will be hosting a webinar next Thursday, April 2, to provide a summary and take your questions.
Key takeaways from the recent meetings are as follows:
- Roskomnadzor only plans to apply the Data Localization Law with respect to the personal data of Russian citizens who are located within Russia when their personal data is collected. In other words, Roskomnadzor will not seek to apply the data localization rules to personal data collected from Russian citizens who are not in Russia at the time of collection.
- The Data Localization Law applies to all data operators, and not only to consumer-facing, data-driven companies. The law also applies to foreign businesses collecting personal data from Russian citizens from the territory of Russia, and not only to Russia-based data operators. The data localization rules would apply only when the data operator collects personal data directly from individuals, and not when the data operator receives personal data from third parties.
- Roskomnadzor expressed its view that to comply with the law, organizations must store the primary databases that comply with the law in Russia, where all personal data processing, including the updating of personal data, should take place. On its face, the law is ambiguous about whether a company can comply with the law by backing up in Russia a database that is primarily stored elsewhere, but Roskomnadzor has now indicated that it will not view this as an acceptable compliance solution. Once stored in Russia, the data can be transferred outside of Russia if compliant with Russian cross-border transfer rules, where it may be processed further under the destination country’s data protection law. Under Russian law, the cross-border transfer of personal data to the United States (among other countries) is generally prohibited unless the data subject has provided consent, or one of a number of other limited exceptions applies.
- Any structured set of personal data is subject to the law, irrespective of the format and means of processing. In particular, Roskomnadzor said that it will consider electronic databases, spreadsheets, archives, and card files subject to the law.
- Data operators can establish a process for identifying the citizenship of data subjects at their own discretion, depending on their business structure and operations. If a data operator has difficulty establishing such a process, Roskomnadzor suggests applying the data localization rules to all personal data collected from the territory of Russia.
- It is expected that regulations establishing Roskomnadzor’s oversight over data processing compliance and updating the form through which data operators notify Roskomnadzor of data processing will soon be adopted.
Roskomnadzor expressly emphasized in the meetings that these clarifications are not official or legally binding, and merely reflect its interpretation of the Data Localization Law. However, since Roskomnadzor is the enforcement authority that will investigate compliance with the law, its views should be taken seriously by companies establishing their compliance solutions.