The Russian Data Protection Authority (Roscomnadzor) is sending inquiries en masse to international companies doing business in Russia about their fulfilment of the personal data localization requirement. A failure to respond in due time may lead to administrative fines, blocking of access to websites, and other penalties.

Who is at risk?

According to the available information, Roscomnadzor addresses its inquiries to non-Russian legal entities that provide online B2B or B2C services of any kind to Russian customers. These companies may or may not have a physical presence (office) in Russia.

What is the purpose of inquiries?

The purpose of the inquiries is to check whether and how non-Russian companies comply with the personal data localization requirement prescribed by Art.18(5) of the Federal Law ‘On Personal Data’ No. 152-ФЗ dated 27 July 2006, as amended. In particular, data controllers (operators) are obliged, subject to several exemptions, ‘to ensure recording, systemization, accumulation, storage, clarification (update, change), and extraction of personal data of Russian Federation nationals with the use of databases located in the territory of the Russian Federation when collecting this personal data in any manner, including via the Internet’ (the Localization Requirement). The Localization Requirement may be understood to mean that it is illegal to collect personal data originating from Russian nationals, whether they be the website users, customer’s employees, contractors, or others (the Russian Data), and to record it directly on a non-Russian server without involving a database installed on a Russia-based server. The Localization Requirement cannot be obviated even with a data subject’s written consent.

The exceptions to the Localization Requirement include the fulfilment of a legal obligation, participation in litigation, activities related to mass media, science, literature or art, etc.

According to the inquiries available to us, Roscomnadzor requires evidence of compliance to be presented, such as block diagrams, confirmations of purchase of servers, agreements with Russian data centers, etc.

Who must comply with the localization requirement?

According to the explanations published by the Ministry of Digital Development, Communications and Mass Media (only in Russian: https://digital.gov.ru/ru/personaldata/ ), the Localization Requirement applies to websites ‘intended for the territory of the Russian Federation’, even where their owners do not have a physical presence in that country. Such intention should be determined with the following test:

  1. the website has a Russian domain name (.ru, .рф, .su, .москва, .moscow, etc.); and/or
  2. the website has content in the Russian language, provided that at least one of the following conditions is met:
     • online payments are made in Russian rubles; and/or
     • contracts concluded through the website must be performed in Russia; and/or
     • the website contains Russian advertisements; and/or
     • there are other circumstances clearly evidencing that the business strategy of the website owner includes the Russian market.

Additionally, the recently adopted Federal Law “On Activities of Foreign Persons in the Information and Telecommunication Network Internet in the Territory of the Russian Federation” No. 236-ФЗ dated 01 July 2021 (the Internet Law) states that the Localization Requirement applies to non-Russian legal entities, other organizations, and natural persons who own a website (or at least a page on a third-party website), mobile app, and/or IT system that meet certain criteria defined in the Internet Law.

What is the deadline?

The standard response time is 30 days from the day on which a Roscomnadzor inquiry was received. The response should be submitted by or on behalf of the company that received the inquiry.

What are the risks?

Non-fulfilment of the Localization Requirement may entail administrative fines of up to RUB 6 000 000 (approx. USD 82 000) on a company and/or up to RUB 200 000 (approx. USD 2 700) on the company’s responsible managers (usually, the CEO and the DPO) for a first-time breach. A repeated breach may lead to a fine of up to RUB 18 000 000 (approx. USD 246 000) on a company and/or up to RUB 800 000 (approx. USD 10 800) on the company’s responsible managers. The fines are imposed in a court procedure.

As of 1 July 2021, Roscomnadzor may apply the following measures to non-compliant legal or natural persons / web services without recourse to courts (Art.10(4) of the Internet Law):

  • partially or completely block access to a website, mobile app, or another web-based solution within the territory of Russia;
  • restrict money transfers to a non-Russian person from Russian individuals and legal entities;
  • prohibit a non-Russian person from conducting cross-border transfers of personal data;
  • restrict advertising or the addition of a foreign web resource to search engine results;
  • other measures.

What to do?

If your company has received an inquiry, it is advisable to respond in due time. Given the high risks, the wording of the response should be carefully considered, and the response should be accompanied by evidence of compliance.

If your company has not received an inquiry yet, keep monitoring incoming mail and consider how your company may fulfil the Localization Requirement.