Russian data localisation has been a hot topic in recent years, although non-compliance with the localisation requirements carried only very limited risks. Now this is going to change. On 2 December 2019 the Russian president signed a bill which comes into force immediately and provides for increased fines in case of non-compliance with the Russian data localisation requirements. The proposed fines could amount to a maximum of RUB 6 million (approximately EUR 85,000) for a first offence and RUB 18 million (approximately EUR 255,000) for a repeat offence.

The authors of the bill believe that non-compliance with the data localisation requirements threatens the safety of Russian citizens and important information infrastructure, and impedes the fight against terrorism.

Up to now, Russian legislation has contained no fines for the breach of data localisation rules, and the Russian data protection authority (Roskomnadzor) could only initiate the blocking of the infringer's website (as it did, for example, in the case of LinkedIn). Things started to change following the cases of Twitter and Facebook, which were reportedly failing to comply with the data localisation requirement and with the related requests of Roskomnadzor to provide information on compliance. The relevant fines for a failure to provide information are very low (up to RUB 5,000), while the fines issued to Facebook and Twitter were even lower, i.e. RUB 3,000 in each case.

Since 1 September 2015, Russian laws have contained a requirement that the personal data of Russian citizens must be stored and processed using databases located in Russia. This requirement can be met, for instance, by placing the database containing the personal data of Russian citizens in a Russia-based data centre or on a Russia-based server.

In view of the increased fines, companies working in Russia and collecting Russian personal data are encouraged to revisit the topic of data localisation and to take a closer look at their compliance measures.