A recent LawFlash by Morgan Lewis partners Ksenia Andreeva and Vasilisa Strizh and associate Anna Pirogova discusses a draft law proposed in Russia that would introduce heavy fines for violations of Russia’s data protection law and a variety of internet activity laws.

The primary federal data privacy law in Russia, On Personal Data, dated July 28, 2006 (the Personal Data Law), applies to “personal data operators,” which are entities that organize and carry out the processing of personal data and determine the purpose of individuals’ personal data processing. The proposed draft law, On Amending the Code of Administrative Offences of the Russian Federation, relates to the “localization requirement” of the Personal Data Law, which creates on obligation for personal data operators to collect, store, and otherwise process personal data of Russian citizens using databases and servers located in Russia.

Currently, there is no monetary fine or penalty under the law for failure to comply with the localization requirement. Instead, in the event of noncompliance, the Roskomnadzor (a Russian data privacy and internet regulator) could impose a restriction on access to websites or applications. The draft law, however, proposes to introduce financial penalties on personal data operators for failure to comply with the localization requirement. In addition, it proposes to introduce fines for repeated violations by internet companies whose activity is specifically regulated by Russian law, such as information dissemination organizers, audiovisual service owners, messenger organizers, and search engine operators.

Although the proposal has not yet been signed into law, companies that are required to comply with Russian data privacy law should assess their processes and controls, and those of their service providers, to ensure that the applicable requirements are met.

Read the full LawFlash for additional details and discussion of the proposed draft law.