Pepeliaev Group advises that new requirements for the Russian Federation citizens' personal data to be kept in electronic form in Russia may be introduced as early as on 1 January 2015.
On 24 September 2014, draft law No. 596277-6 was passed in its second reading by the State Duma of the Federal Assembly of the Russian Federation. The draft law changes the date for the entry into force of Federal Law No. 242-FZ dated 21 July 2014 "On amending certain items of the legislation of the Russian Federation to specify the procedure for processing personal data in IT networks" ("Federal Law No. 242-FZ").
The draft law proposes to bring forward to 1 January 2015 the date for Federal Law No. 242-FZ to enter into force.
We remind the reader that Federal Law No. 242-FZ was signed on 21 July 2014. It provides that a data operator has the obligation to use databases located in Russia in order to process Russian citizens' personal data. According to the current version of the law, the new requirements are to take effect only on 1 September 2016.
For more detail about Federal Law No. 242-FZ, please see PG's alert dated 15 September 2014.
Therefore, if the State Duma passes the draft law in question in the third reading with the law then being approved by the Federation Council and signed by the Russian President without any amendments being made to it, the new requirements to store Russian citizen's personal data in electronic form in Russia will take effect on 1 January 2015.
Pepeliaev Group’s comment: Taking into account the dynamics of the enactment of the draft law, it is highly likely that this change of the date will be finally approved soon enough. The draft law was put before the State Duma in early September this year. On 19 September 2014 the draft law was already approved in the first reading, and on 24 September 2014 it was passed in the second reading.
To think about, to do
We recommend that companies be ready to work in the new conditions for personal data processing and prepare themselves to face monitoring by the regulator Roskomnadzor of their compliance with personal data legislation. This should include in particular:
- arranging the company's and its employees' activities in terms of processing personal data in line with the new legal requirements;
- developing and implementing the necessary internal regulations;
- taking technical measures required to protect personal data;
- obtaining relevant licences and other permits.
Among other things, this will prepare the companies for Roskomnadzor's supervisory activities well in advance, with a view to managing (mitigating or ruling out) the risk of liability being imposed on the company or of other enforcement measures being taken as a result of such regulation.