A controversial data localization law in Russia that would require businesses to perform data storage and processing with servers located on Russian soil is set to go into effect on September 1, 2015, after an amendment passed late last year accelerated the law’s start date. Recently, the Association of European Businesses (“AEB”), an industry lobby group, raised concerns to the Russian government about industry’s ability to comply with the accelerated date. There is some indication that Russia may be considering giving businesses more time to comply.
On July 21, 2014, Russian President Vladimir Putin signed Federal Law No. 242-FZ, an overhaul of Russian data protection laws. The law most notably requires that the storage and processing of personal data of Russian citizens take place in databases on Russian soil. The effective date for the data localization provisions was originally scheduled for September 1, 2016. However, in December 2014, President Putin signed Federal Law No. 526-FZ, moving forward the effective date of the data localization law to September 1, 2015.
Russian newspapers recently reported that the AEB asked President Putin to push back the date of implementation to September 1, 2016, the original start date. A Kremlin spokesman confirmed that President Putin has ordered a review of the issue and may be considering giving businesses more time to comply.
Beyond the practical concerns with implementing the Russian law, some in the international community are wary of a growing trend toward data localization laws worldwide. Russian officials have cited the National Security Agency (“NSA”) documents leaked by former contractor Edward Snowden (currently residing in Russia) as a justification for data localization and as part of an effort to keep Russian communications somewhat more removed from the reach of U.S. intelligence services. The Snowden revelations have been cited by supporters of data localization in other countries as well. Others see a potential source of revenue if businesses can be forced to relocate some operations locally. Critics focus on the harm to innovation that data localization could inflict on cloud computing and other industries and the potential for local governments’ abuse of privacy and security.
Complicating the issue are jurisdictional questions arising from locating data centers overseas. These questions are highlighted in the ongoing legal battle in Microsoft Corp. v. United States, 14-cv-2985 (2d Cir.), Microsoft’s challenge to a U.S. court-issued search warrant for records maintained by Microsoft in servers located in Ireland.
South Korea, Brazil, Vietnam, Indonesia, and others currently have data localization laws in various stages of implementation. German Chancellor Angela Merkel reportedly supports European data localization. In any case, interested parties will be closely monitoring the Russian law’s implementation for insights into similar efforts on the horizon elsewhere.