Back in July, President Vladimir Putin signed a law (Federal Law No. 242-FZ) that compels “data operators” to store Russian citizens’ personal data only inside Russia. Previously, Russian law allowed the storage of data relating to Russian citizens to be located on servers in foreign countries.
Under the new law, companies that collect personal data on Russians will be required to use servers and data centers located exclusively in Russia. Should a website or online service fail to comply with the new regulations, access to the site from Russia could be restricted or blocked by Russia’s Roskomnadzor (Federal Service for Supervision in the Sphere of Telecom, Information Technologies, and Mass Communications). In essence, the law requires companies to store users’ data in Russia, or cease operations in the country.
Obviously, the new rules could have an enormous impact on many multi-national companies as well as global technology and social media companies currently used by Russians. The activities of such companies will, in many instances, involve the collection, storage, or processing of personal data outside of the Russian Federation. The rules may be particularly burdensome on travel service companies, including airline and hotel booking services, since those companies routinely obtain personal data from virtually every country, including Russia. Such companies will now be forced to separate out data relating to Russians and store the data in Russia, by either starting their own presence in Russia or renting server space from Russian firms.
In fact, “data operator” is broadly defined under Russian law to include any entity that “processes personal data as well as determines the purpose and scope of personal data processing.” Thus, cross-border data transfers by companies with global HR systems that include Russian citizens could potentially be impacted by the new law.
Originally, the rules were to take effect on January 1, 2016. Recently, however, there has been a push by some Russian legislators to fast-track the law and move the enforcement deadline up to January 1, 2015. Politics appears to be a least one motive behind the fast-tracking, as some lawmakers are citing security concerns and the ongoing crisis in the Ukraine. One politician was quoted as saying that “the faster Russia gets control over servers with users’ data, the more secure it would be against the attempts to influence its domestic politics from abroad.”
Indeed, many critics say that although the law is couched in terms of protecting the privacy of Russian citizens, the real purpose is to allow more Russian control over foreign companies and to strengthen Russia’s control over the Internet, including more monitoring and censorship within Russia. But whether or not the implementation of the law is moved up to just a few short months from now, companies that collect Russian data should start preparing right away. As critics point out, it could have a chilling effect on a variety of websites, including Facebook and Twitter, which currently do not have Russian data centers.