Media reports this week broke the news that a Russian court of first instance ruled this past August to block LinkedIn from Russian Internet users for violating Russia’s data localization law, which requires websites and other businesses that collected personal data from Russian citizens to store that data within the territory of Russia. According to the available court ruling (in Russian), an appeal was filed and a hearing is scheduled for that appeal on 10 November 2016.
The Russian data protection authority, Roskomnadzor, brought the action claiming that LinkedIn violated the data localization requirement in addition to other general Russian data privacy laws, for example by collecting personal data from non-users without their consent before the registration process was completed. Violations of these laws are punishable by a fine or by blocking the website from Russian Internet users, and in this case Roskomnadzor pursued the latter penalty.
In interviews, Roskomnadzor officials stated that LinkedIn drew the agency’s attention due to a number of recent incidents involving the privacy and security of user data. According to Roskomnadzor, the agency sent two warning requests to LinkedIn to obtain information about their compliance but did not receive a response. Roskomnadzor further stated that because LinkedIn does not have legal presence in Russia, it filed the claim requesting to block access in Russia in order to protect the rights and interests of Russian citizens.
LinkedIn responded that it had “been in touch” with Roskomnadzor about data localization, but had “not been granted a time to meet.” LinkedIn did not attend the initial hearing in the case. The website has not actually been blocked in Russia pending appeal, which will be heard on 10 November 2016.
This enforcement demonstrates that in addition to Roskomnadzor’s more methodical approach to investigating compliance through planned inspections, it also will select targets for enforcement based on contemporaneous reports of non-compliance. Moreover, it reinforces the belief that one of the targets for enforcement will be consumer online services, including foreign ones.