On 21 July 2014 Russia adopted a law which generally requires all companies that collect and process personal data of Russian citizens to use databases located in Russia (the “Law”).1 On 19 and 24 September 2014 the Russian State Duma passed in the first and second readings a draft law that will change the implementation deadline from 1 September 2016 to 1 January 2015.2
Recently Russian authorities provided a non-binding interpretation of the Law which implies that more significant changes to the existing personal data processing procedures might be necessary than previously expected.
Implications for companies
Russian and foreign companies that collect the personal data of Russian citizens (either through websites or otherwise) will be required to maintain databases to store and process such personal data on Russian territory. There is a high likelihood that the effective date for these requirements will change from 1 September 2016 to 1 January 2015.
However, the minimum steps required to comply with the Law are not currently clear.
The Law does not expressly require databases handled abroad in accordance with previous regulations to be returned to Russia and does not additionally restrict cross-border personal data transmission. Therefore, the interpretation of the new law in conjunction with other laws in this sphere leads us to believe that the new law does not restrict sending and processing personal data abroad and a structure with a mirror database in Russia may be sufficient to comply with the law (expressed in our Legal Alert of July 2014).
In September 2014 Russian authorities suggested a more restrictive interpretation, according to which databases located within Russian territory must always be used at least for primary processing of personal data (recording, correction, alteration, etc.). If such an interpretation prevails, companies would be required to reroute their flows of personal data through Russian IT facilities when Russian citizens are concerned.
While this interpretation is non-binding and further interpretations may be less restrictive, we find this development important due to the substantial changes and short period of implementation.
If companies fail to comply, the Russian regulatory authorities will be able to block access to non-compliant websites based on a relevant court decision and/or to impose administrative fines and issue binding orders to cease violations.
Actions to consider
The potential change in effective date of the Law would significantly affect the Russian segment of businesses that use online personal data collection as a core element of their commercial activities.
At this stage we recommend that those of our clients who are involved in the collection and processing of Russian nationals’ personal data, and who currently do not use a Russia-based personal database, explore the legal and technical possibilities of creating such a Russia-based personal database while managing tax and other risks associated with the same. We also advise considering both the initial and possible restrictive interpretation of the law, as well as revising the implementation deadline.