On September 1, 2015, Russia’s new law requiring data localization, Russian Federal Law No. 242-FZ (“Russia’s Data Localization Law”) became effective. Although Russia’s Data Localization Law makes multiple changes to existing laws, a single sentence contains the core of the new obligation that parties operating in Russia have:
When collecting personal data, including by means of the information and telecommunication network “Internet” the operator must provide the recording, systematization, accumulation, storage, adjustment (update, alteration), retrieval of personal data of citizens of the Russian Federation with the use of databases located in the territory of the Russian Federation, except for the cases specified in paragraphs 2, 3, 4, 8 of Article 6(1) of [Federal Law No. 152-FZ “On Personal Data”].1
Russia’s Data Localization Law creates uncertainty for companies that do business with Russian citizens in the Russian Federation. Moreover, Russian regulators will have considerable discretion with regard to how they interpret and enforce the law. Less than a month before Russia’s Data Localization Law went into effect, Russia’s Ministry of Telecom and Mass Communications (“the Ministry”) published clarifications of the law. Although the Ministry’s clarifications are not legally binding, they are the only interpretations of Russia’s Data Localization Law that any part of the Russian government has offered.
Because the legal and regulatory landscape under Russia’s Data Localization Law remains uncertain, companies that do any business with Russian citizens or in Russia should contact experienced counsel at this early stage of the law’s development for guidance on how to comply with the law and to keep abreast of the law’s development.
- What Falls Within the Scope of the New Law?
Russia’s Data Localization Law has a potentially wide reach. To be subject to the law’s requirements, an entity must satisfy several criteria. First, an entity must be an “operator,” which includes governments, individuals, and companies that “process” (e.g., collect, store, or alter) “personal data.”2 Therefore, “operator” can easily encompass a wide variety of companies that do business with Russian citizens. Importantly, all employers (including any multi- national entity with a Russian presence) that have Russian employees would qualify as “operators.”
Third, according to the Ministry, Russia’s Data Localization Law covers an operator if it (1) physically operates in Russia or (2) owns a website that “targets Russia.” The Ministry clarified that for a website to target Russia, the website must involve:
- the use of a domain name related to Russia or its constituent territory (e.g., .ru, .su, .moscow, or their Cyrillic equivalents); and/or
- the availability of a Russian language version of the website created or commissioned by the website’s owner; this would not, however, include versions of the website translated into Russian by automatic translation plugins.
Additionally, the Ministry explained that they will look at whether any of the following elements are present:
- the option to make payments in Russian rubles;
- the option to execute an agreement on the website, which will (a) be performed in the territory of Russia, and (b) manifest as the use of digital content or the delivery of goods or services in Russia;
- advertising for the website in Russian; or
- other circumstances that clearly indicate that the website’s owner intended to include the Russian market in his business strategy.
Based on the Ministry’s clarifications, a wide swath of websites would qualify as “targeting Russia.”
Additionally, the Ministry explained that Russia’s Data Localization Law applies based on when the operator processes the data in its possession. Therefore, the law does not operate retroactively to data processing that pre-dated the law. However, the Ministry also clarified that Russia’s Data Localization Law applies to data that an operator collected before the law went into effect, but processed after the law’s effective date.
- What Is Exempt from the New Law?
There are two categories of exemptions from Russia’s Data Localization Law. The first category comes from the new law’s text. The second category comes from the Ministry’s clarifications.
A. Textual Exemptions
Based on references to a different Russian statute, the new Russian Data Localization Law identifies four exemptions.5 According to those exemptions, the law does not apply when an operator processes personal data: (1) pursuant to an international agreement to which Russia is a party;6 (2) to render justice;7 (3) to perform functions of the Russian federal government or a Russian municipal government;8 or (4) to pursue professional journalism, lawful mass media activity, lawful scientific activity, lawful literary activity, or other lawful creative activity, unless doing so infringes on the rights and lawful interests of the personal data subject.9
The international agreement exemption is particularly noteworthy. According to the Ministry, for example, airlines process the personal data of Russian citizens pursuant to various international agreements that Russia is a party to10 when airlines do the following: (1) book passengers, (2) process tickets, (3) issue tickets, (4) create baggage receipts, and (5) create other shipping documents. On that basis, the Ministry explained that the new law does not apply to airlines and their agents when they engage in such conduct. Importantly, none of the relevant treaties explicitly addresses the regime of collecting and processing of personal data.
B. Exemptions Identified in the Ministry’s Clarifications
The Ministry’s clarifications identified three additional exemptions.
First, according to the Ministry, Russia’s Data Localization Law does not reach the following types of conduct that involve otherwise covered data: (1) making decisions based on the data, (2) transmitting data, (3) depersonalizing data,
(4) blocking data, and (5) erasing data. The Ministry did not define these categories and, as mentioned above, Russian regulators will have considerable discretion with regard to how they interpret and enforce the law.
Second, the Ministry explained that the new law does not apply to entities that obtain personal data by chance (i.e., without solicitation).
Third, according to the Ministry, the new law does not apply to data that one legal entity acquires from a second legal entity if the information acquisition occurs in the course of lawful business activity (e.g., if contact details of a designated representative are provided in a contract).
III. What Obligations Does the New Law Impose?
Based on the text of Russia’s Data Localization Law and the Ministry’s clarifications, the law imposes two new major obligations on covered entities.
First, unless an exemption applies, covered entities must use databases physically located in Russia to process the personal data of Russian citizens. The Ministry, however, explained that Russia’s Data Localization Law allows a covered entity to (1) process the personal data of Russian citizens and (2) transmit the personal data of Russian citizens to locations outside of Russia if such a copy of the data transmitted or processed abroad is equivalent in scope to the data kept in Russia. This is a relief for all international employers that, due to internal business processes, need to transfer the personal data of their employees to other jurisdictions. The Ministry also clarified that if a covered entity processed the personal data of Russian citizens using paper records (rather than with an electronic database) in Russia, digitized the data, and sent the data to a database outside of Russia, the new law would not require the covered entity to also have an electronic database in Russia, as retaining the paper records in Russia would satisfy the localization obligation. Additionally, the Ministry explained that Russia’s Data Localization Law does not prohibit remotely accessing a database physically located in Russia that processes the personal data of Russian citizens.
Second, the Ministry clarified that when a covered entity obtains particularized and informed consent from a Russian citizen before collecting his personal data (a requirement that was introduced by the Personal Data Law No. 152-FZ of 2006), Russia’s Data Localization Law implies the obligation of the covered entity to request from the individual information about his citizenship. Additionally, according to the Ministry, in the absence of requests for citizenship information from data subjects, all personal data originating from Russia shall be deemed to pertain to Russian citizens.
With those new obligations identified, consider their potential effect on Russian citizens. The obligations will increase the cost of selling goods and services to Russian citizens. Moreover, the Ministry explained that a Russian citizen’s consent to have his personal data processed outside of Russia does not exempt a covered entity from the law’s obligations. Therefore, Russia’s Data Localization Law could result in Russian citizens having fewer non-Russian sellers from which to purchase goods and services.