On 02 December 2019, Russia put into effect a new law introducing hefty fines for non-compliance with the personal data localization requirement. The law may affect international and local companies that fail to process Russian nationals’ data in certain ways within the borders of that country.
The localization requirement was established in September 2015. At that time, Russia did not accompany that requirement with any monetary liability except for a modest fine of approx. USD 80 for not informing the Data Protection Authority (Roscomnadzor) about the physical address of the databases containing personal data of Russian Federation nationals (the Russian Data).
Businesses were supposed to ensure their compliance with the localization requirement over the previous four years, but many of them put this cost-consuming task on the back burner. This year, they will likely find a lump of coal in their Christmas stockings. In particular, the new Paras 8 and 9 of Art. 13.13 of the Code for Administrative Offences provide the following fines for non-compliance:
| Offender | First-time offence | Repeated offence |
| --- | --- | --- |
| Legal entity | RUB 1 000 000 – 6 000 000 (approx. USD 16 000 – 94 000) | RUB 6 000 000 – 18 000 000 (approx. USD 94 000 – 282 000) |
| Responsible manager | RUB 100 000 – 200 000 (approx. USD 1 600 – 3 200) | RUB 500 000 – 800 000 (approx. USD 8 000 – 12 500) |
The responsible manager of a legal entity is usually the data protection officer or the chief executive officer (especially if no data protection officer has been appointed). The supervisory bodies decide at their own discretion which person(s) – the responsible officer, the legal entity or both – is/are to be charged with an offence, depending on the circumstances of the case. Roscomnadzor has the power to initiate an administrative offence case and deliver it to a court for final resolution.
Who is at risk?
The localization requirement applies to the data operators. The Federal Law On Personal Data No.152-ФЗ dated 27 July 2006 (the Personal Data Law) does not use the GDPR terms controller and processor and defines its own term data operator as the entity “which, alone or jointly with others, organizes and/or conducts personal data processing as well as determines the purposes of the data processing, scope of the processed personal data, and the data processing actions (operations)”. Although the terms data operator and controller are not identical, they play similar roles.
Consequently, all international companies and their Russian offices must obey the localization requirement if they handle the Russian Data in the same way as the GDPR controllers do. The processors acting on behalf of the data operators can mitigate their risks by imposing the localization responsibilities on the data operators. The relevant obligations and indemnity clauses can be added to the data processing agreements.
How to comply?
The localization requirement states that “the data operators must ensure recording, systemization, accumulation, storage, clarification (update, change) and extraction of personal data of Russian Federation nationals with the use of databases located in the territory of the Russian Federation when collecting this personal data in any manner, including via the Internet…” (Art.18(5) of the Personal Data Law). Hence, this requirement regulates both online and offline data processing.
This may be read to mean that it is illegal to collect the Russian Data and record it to a non-Russian data store without involving, one way or another, a database physically located in Russia (a local database). According to the explanations published by the Ministry of Digital Development, Communications and Mass Media (the Ministry), such a local database must be compiled immediately upon collection of the Russian Data. A copy of the local database can be transmitted to a non-Russian data store, because cross-border transfers are allowed. The Personal Data Law has no extraterritorial scope and, therefore, the transmitted Russian Data can be processed according to the laws applicable to the destination data store, including the GDPR. The Ministry has explained that the data operator must not delete the local database unless the Russian Data is also deleted from the non-Russian data store (https://digital.gov.ru/ru/personaldata/).
The data operators must notify Roscomnadzor of the physical address of the Russian data center (server) where the local database is stored. If this data center (server) is owned by a third party, the notification must contain the owner’s business details.
Are there any exceptions?
First, the localization requirement does not apply to personal data originating from non-Russian nationals. The Ministry recommends localizing all personal data collected in Russia if the data operator is unable to determine nationality. For instance, a web store may single out Russia-based users by their IP addresses.
Second, in the case of online data processing, the authorities apply the localization requirement only to websites intended for the Russian market. Hence, website owners should check whether their websites pass the test introduced by the Ministry (a Russian domain zone, or the Russian language together with payments in rubles, and other criteria).
Third, the localization requirement does not apply if the processing is necessary for compliance with a legal obligation, for participation in litigation, and in several other cases that are not relevant to most commercial companies.
International companies doing business in Russia should carefully check their compliance with the localization requirement. It seems reasonable to do a privacy audit under Russian law. The good news is that many companies have successfully developed and implemented their localization solutions since 2015. Their experience can be utilized.