From 1 September 2016 the personal data of Russian Federation citizens may be kept in electronic form only in Russia. It is probable that this deadline will be shifted to an earlier date, i.e. 1 January 2015.
On 21 June 2014 Federal Law No. 242-FZ was signed. It amended Federal Law No. 152-FZ "On personal data" dated 27 July 2006 and Federal Law No. 149-FZ "On information, information technologies and data protection" dated 27 July 2006.
The new requirements may be summed up as follows:
- A personal data operator's duties will include ensuring that the personal data ("Personal Data") of Russian citizens is collected, recorded, systematised, accumulated, stored, specified (updated or modified) and extracted in databases located in Russia.
It does not matter whether the Personal Data is collected via the Internet or by any other means. Operators will be obliged to inform the regulatory authority responsible for protecting the rights of personal data owners where a database is located, if that database contains the Personal Data of Russian citizens.
PG's Comment: The obligation to use databases located in Russia will be relevant in almost all the cases when Personal Data is processed. It should be specifically noted that the amendments in question do not directly restrict Personal Data from being transferred cross-border.
- If the Personal Data is processed in a way that violates the legal requirements, Roskomnadzor will have a right to restrict access to such data (and this includes blocking a web-site).
The issue mostly concerns violations in the form of personal data being processed in databases located outside Russia. Access to the data will be restricted by judicial decisions that have come into force.
PG's Comment: The wording adopted is rather broad and covers almost any breach of legal requirements concerning Personal Data, including even those not relating to the functioning of websites.
- An automated IT system called the Register of Abusers of Personal Data Owners' Rights will be created.
The Register will include, among other things, domain names and/or web page indices of Internet sites that contain data processed in violation of the legal requirements, along with IP addresses that allow such websites to be identified and similar. A relevant judicial decision that has taken effect will also be a ground for including abusers in the Register.
- Federal Law No. 294-FZ dated 26 December 2008 "On protecting the rights of legal entities and individual entrepreneurs in the course of state (supervisory) and municipal control" will not determine a procedure for inspections to be organised and carried out in the context of control and monitoring of Personal Data processing and whether requirements are met in respect of information distributed over the Internet.
Guarantees provided under this law to protect the rights of entities being inspected will be disregarded when such inspections are carried out. It is assumed that Roskomnadzor will be able to react faster to information about personal data operators' violations and, in doing so, will not have to actually interact with abusers.
PG's Comment: There is an increased risk that violations of the law on personal data will be identified and a company will be held administratively liable.
To which companies do the amendments apply?
The amendments apply both to Russian and international companies represented in Russia by their branches, representative offices or subsidiaries that process Personal Data in databases located outside Russia and/or that have websites with forms for the Personal Data of Russian citizens to be collected. It should be noted that domain names .ru and .рф also run the same risks.
PG's Comment: Each such company will face the risk that Roskomnadzor could block access to its websites and Internet resources from Russia. Since the operator will have to report the place where the Russian citizens' Personal Data is located, it will be easy to check whether databases are actually kept in Russia. Law enforcement authorities will also be able to access personal data more easily.
Yet the question of whether the new rules will apply to foreign companies that are not represented in Russia remains open.
Coming into force
The amendments described are introduced from 1 September 2016. However, in early September, draft law No. 596277-6 was put before the State Duma. This proposes to bring forward the date when the above amendments come into force to as early as 1 January 2015. The State Duma has not yet considered this draft law.
To think about, to do
We recommend that companies be ready to work in the new conditions for Personal Data processing and prepare themselves to face monitoring by Roskomnadzor of their compliance with Personal Data law. This should include in particular:
- arranging the company's and its employees' activities in terms of processing Personal Data in line with the new legal requirements:
- developing and implementing the necessary internal regulations;
- taking technical measures required to protect Personal Data;
- obtaining relevant licences and other permits.
Among other things, this will prepare the companies in question for Roskomnadzor's supervisory activities well in advance so that they may manage (mitigate or rule out) the risk of liability being imposed on the company or of other enforcement measures being taken as a result of such activities.