During the first week of July 2014, the State Duma (lower chamber of the Russian Parliament) adopted a set of amendments to the Federal Law "On Information, Information Technologies, and Information Protection" ("Information Law") and to the Federal Law "On Personal Data" ("Personal Data Law"). The draft legislation was approved by the Federation Council (upper chamber of the Russian Parliament) on July 9, 2014, without change. The legislation now awaits signature by Russian President Vladimir Putin to become law. When signed, and there are some mass media reports in Russia that President Putin may sign the legislation any moment now, the law will become effective as of September 1, 2016.
The most significant change, which appears likely to have a significant business impact on companies operating in and outside of Russia, is a new requirement that "databases which are used for gathering, recording, systemizing, accumulation, storage, updating and uploading of personal data of the Russian citizens" shall be located in Russia. Under the amendments, "an operator gathering personal data, including by Internet, must ensure recording, systemizing, accumulation, storage, updating and uploading of personal data of the Russian citizens with the databases located on the territory of the Russian Federation." Hence, operators collecting data from Russian citizens will need to move their information technology infrastructure to a data center located in Russia, whether such data relates to consumers, employees, or third-party partner personal data.
The amendments do not introduce additional specific liability or penalties for failure to "ensure" allocation of data centers and other physical resources for personal data processing in Russia. Hence, moderate administrative fines that already exist in Russian law may in theory be applied against noncompliant data operators.
Another significant change under the amendments is the introduction of the "Register of Infringers of Rights of the Personal Data Subjects" ("Register"). The Register will list "domain names and/or webpages and weblinks on the Internet" as well as "web addresses which identify internet sites" of internet services and social networks that are deemed "infringers." No reference is made to the operators that process personal data of their employees and/or customers keeping such data in their data centers (i.e., not with a direct web access for third parties). As a result, it is possible that such operators may not qualify for the Register.
Any party may be included in the Register based on the enforceable court decision. The draft legislation is silent on who would be initiating relevant court proceedings and on what grounds. Once the court decision comes into effect, the "personal data subject" whose rights are infringed may apply to the Russian regulator (currently Roskomnadzor) with a complaint seeking to "restrict access to infringing information."Roskomnadzor, in turn, has three days to react to the complaint and then order the relevant internet service provider ("ISP") to block access to the domain name and/or internet site address in question. The ISP has one day to apply to the relevant domain name/website owner asking for a "voluntary compliance" with the regulator's order. After that, if no "voluntary compliance" is provided, access to the relevant domain name/website will be blocked. Obviously, this has the potential effect of providing the Russian government with significant control over web content and data processing practices.
These amendments were adopted by the State Duma under a huge time pressure as all three draft law consideration stages have passed in just four days. Inevitably, this has resulted in an amendment legislation that leaves many questions unanswered. Most of all, it is still unclear what was the ultimate purpose of introducing such dramatic changes in the personal data protection legislation.
Although many Russian and multinational industry players attempted to influence Russian legislators by explaining that the new legislation may destroy entire industry sectors that involve a routine "offshore" processing of personal data of Russian customers abroad, such attempts were not successful. The only hope for businesses that will be negatively affected by these amendments is the Russian government's possible interference with guidelines on the practical application of the amended laws.
Given the significance of these changes, it is necessary for businesses that collect personal data from Russian citizens to immediately evaluate available options for addressing the new legal requirements and restrictions.