As we reported last week, on 3 August 2015 the Russian Ministry of Communications, the agency that oversees the Russian data protection authority which will be enforcing Russia’s Data Localization Law, published unofficial clarifications on its website that provide a view into how the Ministry believes organizations must comply with the law. While these clarifications are non-binding, they constitute the only written regulatory guidance that has been published to date about the law, which takes effect on 1 September and requires organizations that collect personal data from individuals located in Russia to store that data within Russian territory. The Ministry’s website also provides a mechanism to ask further questions online.
In this blog post, we summarize the main issues raised in the published clarifications, and the possible impact on global businesses seeking to comply with the law.
Applicability of the law
Under standard Russian jurisdictional rules, laws apply only within the territory of Russia. The clarifications, therefore, state that as a general rule the Data Localization Law should not apply to non-residents of Russia, including foreign businesses. The guidance, however, further states that because of the Internet’s transborder nature, certain Internet activity may be considered to be conducted within the territory of Russia, and therefore is subject to the localization requirements. For example, a website may be deemed subject to the law if it includes a Russian language option (except where the website is translated with the help of an automatic online translator) or uses a Russian top-level domain such as .ru, .su, .moscow, or the like.
The guidance also clarifies that the law applies to all “data operators” notwithstanding whether they collect personal data online or offline.
This guidance establishes two types of organizations that are likelier targets of enforcement, reflecting the practical realities of jurisdiction: (1) organizations with a physical presence in Russia (which can be subject to on-premise audits), and (2) organizations that direct Internet activity to Russian users (whose websites can be blocked by the regulator). On the other hand, foreign businesses with less of a physical connection to Russia, or without a website specifically targeted to Russian users, appear to be less likely enforcement targets under the Ministry’s guidance. That said, Russian courts have the final say on the scope of the law’s jurisdiction, so while the Ministry’s guidance is helpful in determining likely enforcement targets, it does not definitively exempt any organizations from the localization requirements until the law is tested in the courts.
Retrospective character of the law
The law applies only to data processing activities that take place after its effective date. Therefore, the guidance states that personal data collected and stored abroad before 1 September 2015 does not need to be stored in Russia. However, this interpretation may not offer much of a reprieve, as that interpretation only applies if no changes are further applied to the data. From September 2015 onward, any processing of personal data of Russian citizens (namely, the recording, systematization, accumulation, storage, update, change, or retrieval of personal data) should be done in accordance with the new data localization requirement, even if collected and stored abroad before the effective date.
Collection of personal data
The Data Localization Law states that “when collecting personal data,” a data operator must process the personal data of Russian citizens within Russia. The law therefore connects the localization obligation with the collection of personal data, a prerequisite for the law to apply.
According to the guidance, “collection” is the purposeful process of receiving personal data directly from the individual data subject or through specifically engaged third parties. Therefore, an organization that incidentally receives personal data is not subject to the law because it did not purposefully collect the data.
The clarifications further state that collection does not occur when one legal entity receives personal data from another legal entity in the context of routine business activities, such as the transmission of contact information of employees and other representatives. There is a notable exception, however, when an organization uses “computing powers” (i.e., automatic processing) to purposefully collect personal data from third parties, in which case the organization is required to comply with the data localization requirements.
The bottom line under the guidance is that when an organization purposefully collects personal information directly from Russian citizens, or uses a third party to do so on its behalf, or purposefully collects personal data of individuals from third parties beyond routine business activities, that collection is subject to the Data Localization Law. If, however, an organization only incidentally receives personal data (e.g., through email), or does not purposefully collect personal data from third parties (e.g., when a data operator only receives personal data from another legal entity for routine business activities), the Data Localization Law will not apply.
The guidance makes clear that the Data Localization Law does not prohibit the transfer of personal data outside of Russia. It therefore is possible to first enter and process personal data collected from Russian citizens in a database located in Russia (“primary database”), and then to transfer that data to databases located abroad and administered by other persons (“secondary database”), so long as the transfer complies with Russian cross-border transfer requirements. The personal data transferred abroad can then be processed by the foreign operator of the secondary database under laws applicable to that operator.
However, the guidance states that any changes to the personal data collected and localized in Russia should first be made in the primary database located in Russia and the transferred abroad to the secondary database, if needed.
The law only applies to personal data collected from “Russian citizens,” and the law does not specify how an organization must determine who is a Russian citizen. The guidance states that data operators may make a reasonable determination of what data subjects are Russian citizens, taking into account the specifics of their businesses. In case a data operator cannot make a reasonable determination, the guidance states that the localization requirement should be applied to all personal data collected from the territory of Russia.
The localization requirement does not apply to the collection and processing of personal data by Russian and foreign airlines for the purposes of booking, processing, and issuing air tickets, luggage tickets, and other carrier documents. According to the guidance, this is because the law exempts the processing of personal data for the purpose of pursuing objectives envisaged by an international treaty of the Russian Federation, and commercial air travel is governed by such international treaties. The Ministry named a number of such international treaties, including the Chicago Convention of 7 December 1944, the Warsaw Convention of 12 October 1929, and the Guadalajara Convention of 18 September 1961.
Similar to the international treaty exemption, the Data Localization Law provides an exemption for personal data processed for the purpose of pursuing objectives envisaged by Russian law. The contours of this exemption are unclear, and many have asked the Ministry of Communications to clarify whether it exempts organizations from applying the localization requirements to the personal data of their employees, the processing of which is subject to certain legal requirements.
The guidance is vague on this question, merely stating that each company must assess on its own whether its handling of employee personal data is subject to this exemption, the correctness of which will be further evaluated in the course of regulatory inspections. This position gives a little more leeway than the previous (but unofficial) position of Roskomnadzor—the Russian data protection authority which will be conducting the inspections, and which is subject to the authority of the Ministry of Communications—which previously said that the processing of employee data will be subject to the Data Localization Law.
That said, there is still no official statement expressly exempting any particular processing of employee data from the localization requirement. The guidance is purposefully vague on this point, which indicates that the regulator likely is still considering its final position on the issue. Given this uncertainty, the safest approach is for companies to treat the routine processing of employee data as subject to the law, although there is still the possibility of future clarifications once courts or the Ministry of Communications has had an opportunity to more fully consider the issue.
Personal data is defined as any information related to a directly or indirectly identified or identifiable individual. The guidance declines to define personal data in more detail or to provide a list of data that is considered personally identifiable.
The Data Localization Law applies when a data operator engages in one of seven types of data processing with respect to personal data collected from Russian citizens: the recording, systematization, accumulation, storage, updating, changing, or retrieval of such data. The clarifications state that other types of data processing may be done on non-localized databases. Specifically, the guidance provides the example of using, transferring, de-identifying, deleting, and destroying personal data. The key take-away from this guidance is that the personal data of Russian citizens may be used (reviewed, used for business purposes, etc.) from anywhere in the world, while changing, updating, or otherwise modifying personal data should first be done in the primary databases located in Russia.