Russian legislators have accelerated the introduction of the requirement for the localisation of personal data. Under the localisation requirement an operator while collecting personal data must ensure the recording, systematisation, accumulation, storage, rectification (update, change) and extraction of Russian citizens’ personal data using databases located in Russia. This requirement was initially introduced in July 2014 and was set to become effective on 1 September 2016. However, shortly after its introduction certain state officials claimed it should apply from the beginning of 2015; but for the majority of businesses this would be impossible to achieve and the new deadline was set for 1 September 2015.

There are some statutory exceptions to the above localization requirement, including: the processing of personal data for the purposes set out in an international treaty which the Russian Federation is a party to or in the law or for the performance of functions, rights and obligations that are imposed on the operator by Russian legislation.

Failure to comply with the requirement may result in a number of negative consequences for an operator, including the right of the Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications (Roscomnadzor) to seek the termination of the operator’s ability to utilise hosting and/or communication services.