On July 21, 2014 the President of the Russian Federation signed Federal Law No. 242-FZ “On Amendments to Certain Legislative Acts of the Russian Federation for Clarification of Personal Data Processing in Information and Telecommunications Networks” (the “Law”), which will become effective on September 1, 2016.
The Law addresses two issues:
First, the Law amends the Federal Law No. 152-FZ “On Personal Data” dated July 27, 2006 (the “Personal Data Law”) by introducing new obligations with regard to storage of personal data of Russian citizens.
Second, the Law amends the Federal Law No. 149-FZ “On Information, Informational Technology and Protection of Information” dated July 27, 2006 (the “Information Law”) by introducing the mechanism for the regulator [Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (the “RKN”)] to block Internet websites which process personal data of Russian citizens upon such citizens’ claim.
The Law has been enacted in a very short time (the bill No. 553424-6 was introduced on June 24, 2014 by deputies of the State Duma, Mr. Lugovoy, Mr. Dengin and Mr. Yushenko) with the initial aim to improve protection of privacy of Russian Internet users. In particular, as follows from the explanatory note to the bill, the proposed amendments would introduce an opportunity for such users to demand that IT companies delete their personal data, published on third parties’ websites, from search results. However, the consequences of the Law appear to be more far-reaching than initially intended.
In this client alert we provide a brief overview of the main changes provided by the Law.
Obligation to Use Russian Data Centers
The first part of the Law introduces a new obligation on all companies, organizations and persons who process or organize processing of personal data of individuals, which are referred to in Article 3(2) of the Personal Data Law as “operators”, to “ensure recording, systematization, accumulation, storage, change and extraction of personal data of Russian citizens with the use of data centers located on the territory of the Russian Federation in course of collecting personal data including via Internet”.
In other words, personal data of Russian citizens collected by operators must be stored in the servers/data centers located in the Russian Federation.
Operators are exempt from such obligation (i.e., allowed to store Russian data in foreign data centers), in particular, if such processing is necessary:
- to achieve goals prescribed by an international treaty or other Russian laws and necessary for the operators to perform their functions, authorities and obligations imposed on them by the laws of the Russian Federation;
- for the administration of justice or enforcement proceedings;
- for the provision of public/municipal services by the Russian state and municipal authorities, local government authorities and entities; and
- to implement the journalist’s professional activity and (or) the legitimate activities of the mass media or the scientific, literary and creative activities.
Operators will also be obliged to notify the RKN of the exact location of the servers/data centers where the personal data of Russian citizens is/will be stored.
The above obligations apply to all types of companies (branches and offices of foreign companies) regardless of the type of businesses they are involved in, e.g., tourism, transportation, e-commerce, banks, telecommunication, IT companies etc., because the main criterion is collecting/processing of personal data of Russian citizens.
In the worst case scenario, introduction of the above obligations might be interpreted as prohibiting cross-border transfer of personal data of Russian citizens. This would however contradict the current provisions of the Personal Data Law, which allows for the cross-border transfer of personal data provided that such data is transferred (i) to a country signatory to the European Council Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data CETS No.108, or (ii) to a country approved by the RKN (see Order No. 274 of the RKN dated March 15, 2013 which approved 19 states), or (iii) to another country subject to consent of the individual for such cross-border transfer of his personal data.
Implementation of the above obligation might work in the following way if interpreted rationally: personal data of Russian citizens can be stored both (i) in Russia, which will become a mandatory requirement, and (ii) abroad, subject to duly obtained consent of the Russian citizen for the cross-border transfer supplemented by the consent on storage of his personal data outside of Russia. Therefore, personal data will be duplicated both in Russian and in foreign data centers.
Due to the ambiguities mentioned above, we anticipate that before coming into force the Law will be subject to changes or official commentaries on practical implementation of the Law will be issued by the governmental authorities.
Blocking of Internet Sources
The second part of the Law provides for a mechanism by which a Russian citizen may demand that his personal data be deleted from certain Internet websites. This part of the Law mainly affects “hosting providers”, Internet website owners and Russian telecommunications operators, i.e., those which provide Internet connectivity services. Subject to a positive court ruling, a person may request the RKN to delete personal data from certain websites, in which case the RKN will then take the following steps:
- RKN will identify the “hosting provider” of the disputed website;
- RKN will send him a respective notification in Russian and English demanding that personal data of the Russian citizen be voluntarily deleted from the webpage within three days. The provider will then have to demand that the owner of the website stop processing personal data of the respective person; otherwise the provider will have to restrict access to such website.
In the event that the provider fails to restrict access, RKN will be entitled to order Russian telecommunications operators to restrict access to the entire website, which will not require a separate court ruling. For these purposes, the RKN will maintain a “Register of Persons Infringing the Rights of Personal Data Subjects” which will contain such information as domain names and Internet addresses containing the disputed data, court ruling details and other information.