Sidley does not practice law in Russia, so the information here is based on our understandings from public sources and discussions with local counsel. This article should not be construed as advice about Russian law.
We are rapidly approaching the effective date for the so-called Russian “data localization law,” a development that prompted considerable backlash from the global business community and could have significant consequences for entities operating in the Russian market. In July 2014, Russia adopted Federal Law No. 242-FZ, which in effect requires that information a company holds pertaining to Russians must be stored on servers physically located within Russia. These obligations apply to individuals in their capacity as employees as well as consumers; thereby impacting even companies that do not maintain brick-and-mortar operations in Russia.
While there is significant ambiguity about how the law will be enforced, and questions remain about the substantive thrust of its provisions, the Russian government has held firm that companies are obligated to comply with the provisions of the law by its effective date – September 1, 2015. In June 2015, the Russian government indicated that it would not issue any further clarifications or interpretations to the law, nor would the September 1 date be further extended.
Background on Federal Law No. 242-FZ
Federal Law No. 242-FZ amends the Russian Federal Law on Information, Information Technology and Information Protection, and requires Russian data operators to:
Store the personal data of Russian citizens on servers in Russia; and Notify the Russian data protection authority, the Roskomnadzor, of the servers’ location(s)
Personal data is construed broadly under the law, as “any data that relates directly or indirectly to an individual who can be identified by this data.”
Rozcomnadzor has noted that the law is applicable to all legal entities – including foreign entities – whether or not they have a physical presence in Russia. The law is not retroactive; as such, databases with personal data created before September 1, 2015 can be used after that date; however, updates to those databases (that impact Russian personal data) after that point can only be done in conjunction with a primary server/database physically located in Russia.
The terms of the law do not explicitly prohibit cross-border transfers of personal data or restrict data processing to Russian-based servers, though any data transfers would require a basis in Russian law. Companies that violate the law will be listed in a register of violators, subject to a fine, and potentially have their websites blocked.
In June 2015, the Russian Ministry of Communications issued a response to a letter from the Russian Association of European Business offering their interpretation of the data localization law. While the Ministry of Communications is not entitled to provide an official interpretation, it remains informative; notably:
A company’s obligations under the data localization law should be fulfilled by placing a database in a Russia-based data center. The amount of data contained in the local Russian database must be either larger or equal to the amount of data transferred outside of Russia. The Ministry’s opinion is that the data localization law does not alter existing provisions on cross-border data transfer. As such, they seem to indicate that cross-border transfers of personal data will still be permitted after 1 September 2015, provided that (i) the provisions of the Russian Law On Personal Data are met and (ii) the primary database is located in Russia.
Despite significant pushback from the business community in response to the burdensome requirements of the law, recently released documents appear to show that the Russian government not only plans to move forward with enforcement of the law, but has contemplated an inspection regime with third party compliance auditors. Accordingly, companies that do business with Russian citizens should evaluate the state of their current IT infrastructure and determine if any actions are necessary in advance of the September 1, 2015 effective date.