Russia’s new Data Localisation Law went live yesterday on 1 September. Many companies with operations in Russia are scratching their heads about how to comply.
The new law applies to businesses with a physical presence in Russia or with websites “directed at” Russian users (eg. sites that use Russian domain names, Russian language or transact in roubles are all likely to be caught).
The new rules say that where you collect data about Russian citizens, you must store it on a database in Russia. This doesn’t have to be the exclusive location for processing. It is sufficient that the Russian database is your primary or “entry-level” database. You can export the data outside Russia subject to compliance with the usual data protection export rules (these will usually require individual consents and transfer agreements).
There are some exemptions for airlines, associated agents and others. There has also been discussion about whether HR data is caught by the rules but the cautious approach is to assume that it is. However, as local Russian rules often require local paper records for HR, it may be that you already have a primary Russian “database”. This needs checking for any business with Russian employees.
Please note that the new rules also apply to situations where personal data about Russian citizens is collected “purposefully” or by third parties hired for this purpose. Routine exchange of e-mail correspondence between businesses does not trigger the rules.
How reliable are the recent “clarifications”
Much of the above has been fleshed out by recent clarifications issued by the Russian Ministry of Telecoms and Mass Communications. These are persuasive but non-binding. They have also (importantly) not been issued by Roskomnadzor (the Russian data protection authority) and Roskomnadzor is not obliged to follow them. In addition, we really have to wait for Court decisions to give us a better steer on how the new rules will be implemented in practice. This all comes as cold comfort for anyone trying to actively plan for compliance now. Should you, for example, incur the cost of changes to IT architecture and set up new Russian databases or wait for the dust to settle?
There is little doubt that some countries are adopting data localisation laws that require significant databases about local citizens to be held on “local soil”. The argument is often advanced that this is about protecting those citizens’ data from hacking and other abuse. A counter argument is that this is about ensuring that local authorities can access that data for law enforcement, surveillance or other purposes. Russia is not the only jurisdiction with rules of this sort. Think about China and their restrictions on the export of anything involving “state secrets” (defined extremely widely, as you would expect). The FT also reported, this week, that Russian regulators had recently fired a warning shot when they briefly blacklisted the Russian version of Wikipedia although this was reversed.
TV and Media companies
Many TV and media companies have invested in Russia in recent years. There is a potential exemption in the general data protection law here that applies to professional journalists and mass media activity but we understand that this is unlikely to cover a media company’s employees (so not HR data). Nevertheless, for those in this sector, this is worth considering further.
As mentioned above, airlines and associated persons also benefit from exemptions although this is purely on the basis of the non-binding clarifications (rather than the letter of the law).
What are companies doing in practice?
Many companies (and industry bodies) have been having talks with Roskomnadzor in private. This is the way to get a better steer on how to comply in the absence of Court decisions or other guidance.
We know of other companies who have jumped in and set up Russian databases (at least for their more material repositories of data). The FT has quoted a number of companies as having been named by Roskomnadzor for having agreed to move data to servers in Russia. This includes Ebay, PayPal, Lenovo, Samsung, Booking.com and Uber.
Roskomnadzor could impose penalties for non-compliance. Fines are still relatively low in Russia but Roskomnadzor can also block websites used to collect or process Russian citizen data in breach of the rules which would be a huge issue for anyone with a digital presence. The Wall Street Journal also reported that Russia is “postponing a showdown” with the technology titans (including Facebook and others). The suggestion is that Roskomnadzor won’t be checking up on compliance until at least January. Roskomnadzor has listed the companies it plans to inspect this year and unless you are on the list, you may be able to breath a little easier for now. Please let us know if you would like us to check the list for you.
When this Data Localisation law was first proposed, many doubted that it would be brought into force. There is no avoiding it now! Companies need to assess (at the very least) the manner in which they collect data about Russian citizens, the location of relevant databases and talk to IT about whether the architecture can be changed to fit within the new rules. You can then take a view as to when to introduce the changes based on the risk level. We will also keep a close watch on Russian Court decisions and guidance in the coming months.