Today, on 1 September, the Russian Data Localization Law came into force. So far there have been no unexpected developments or reports of any unplanned inspections by Roskomnadzor, the Russian Data Protection Authority. Existing planning documents, however, provide some predictability for organizations subject to the law about the schedule under which Roskomnadzor plans on conducting compliance inspections.
Roskomnadzor’s plan for conducting inspections in 2015 is available on its website here. This list does not currently include any large, non-Russia-based Internet companies. Indeed, Roskomnadzor’s press spokesman Vadim Ampelonsky confirmed in recent comments that the agency does not plan to inspect non-Russia-based Internet companies until the at least January 2016, further noting that Roskomnadzor’s 2016 inspection plan will be approved in the fourth quarter of 2015 by the General Prosecutor’s Office.
This position was reinforced in comments reported in the Wall Street Journal:
“We understand that in transnational companies where offices are spread globally, it takes a while to make a decision,” said Vadim Ampelonsky, spokesman for the regulator, adding that checking on companies like Google would take resources the regulator doesn’t have. “There’s only that much we can physically do.”
Notwithstanding the inspection plan, Roskomnadzor also has said that it reserves the right to conduct a spot check on any organization subject to the Data Localization Law, if it suspects or receives a report of noncompliance,
Roskomnadzor and the Russian Government also this past month published some additional documents pertaining to its enforcement of the Data Localization Law, all effective 1 September 2015. These documents serve as the formal basis for the regulator’s use of its enforcement mechanism to block access to websites that violate the law, as well as its launch of a register of data operators that violate the law.
- Roskomnadzor’s Order No. 84 of 14 August 2015 approving the procedure for interaction of the operator of the register of violators of the law and hosting providers, and the procedure for communications operators to obtain access to the information contained in such register;
- Roskomnadzor’s Order No. 85 of 17 August 2015 on approving the application form to be used by data subjects requesting to restrict access to their information processed in violation with Russian privacy laws; and
- The Russian Government’s Decree No. 857 of 19 August 2015 on the register of violators of the rights of data subjects.
Roskomnadzor still has not adopted its long-awaited procedure for conducting inspections, nor has it published the new notification form that data operators must file under general Russian data protection laws when they start processing personal data, which after the enactment of the Data Localization Law must include the location of their databases containing personal data of Russian citizens.