Russia’s much-publicized changes to its data protection rules come into force as of September 1, 2015.
These changes are broadly, and vaguely, written and apply to almost anyone handling the personal data of Russian citizens, whether located in Russia or abroad.
The amendments introduce a number of changes. Most notably, these changes include:
- Data operators must ensure that essentially all recording, processing and storage of personal data of Russian citizens is done using databases located in Russia.
- In addition to the existing requirement for data operators to notify the Data Protection Authority (Roskomnadzor) of their handling of personal data of Russian citizens, data operators must now also notify Roskomnadzor of the location of the database in Russia where that personal data is stored. In practice, however, this requirement is applicable only to Russian legal entities and Russian offices or branches of foreign companies and organizations.
- Roskomnadzor will be able to initiate a process for restricting access to information that is processed in violation of the law. This may include blocking websites, via court order.
- Those operating in violation of the law will be entered into a special register of Infringers of Rights of Data Subjects.
Broad and vague
The new rules are broadly written so as to apply to virtually all data operators handling personal data of Russian citizens, whether or not the data operator is located in Russia. This means that even those who are operating outside of Russia will still need to understand and comply with these rules.
The rules are vaguely written and no official clarifications have been promulgated. Some government officials have informally commented, while emphasizing that these comments are only their personal opinions and not official positions or clarifications. As we are now in July, there seems to be little chance that official clarifications or regulations will be issued before the new rules come into force, which means that one must deal with the rules as they are written now.
As written, the rules leave many open questions, such as how multinational companies and organizations which keep data outside of Russia in the normal course of business should comply with the local database requirement. It is unclear whether the new rules will allow mirror databases to be kept in Russia as well as outside of Russia or whether the "primary" database must be kept in Russia. Moreover, the new rules appear not to affect the ability to transmit personal data outside of Russia (and this was repeatedly confirmed by Roskomnadzor officials in informal public statements), but it is still unclear how all of this fits together.
It is also unclear how Roskomnadzor will go about enforcing these new rules.
Time is short: businesses need to act now
The problem faced by data operators is that they must understand the risks and implement strategies for compliance in a short period of time, based upon unclear new rules.
The situation is especially acute for those data operators who are not located in Russia, because compliance with the new rules may require significant planning and utilization of local Russian resources, which may come into short supply as the deadline for compliance draws closer.
We strongly advise anyone conducting business in Russia or with Russian citizens to consider these new rules and strategies for compliance right away.