On June 13, 2019, a draft bill[1] increasing fines for violations of Federal Law No. 242-FZ[2] (Data Localization Law) was submitted to the State Duma (i.e., the lower house of the Federal Assembly). Once the draft bill is adopted, the maximum fine for legal entities under the Data Localization Law will be 6 million rubles (approx. 82,190 euros). The draft bill also provides increased sanctions for repeated violations of this legislation: the maximum fine in that case is 18 million rubles (approx. 247,000 euros).

The intent of the draft bill is to induce foreign companies’ compliance with Russian data protection legislation. It is therefore important for companies doing business in Russia to assess their compliance with this legislation in order to mitigate the risk of increased fines.

I. The scope of data localization obligations

The collection and use of personal data in Russia is primarily governed by Federal Law No. 152-FZ[3] (Law on Personal Data). This law was significantly modified in September 2015 by the Data Localization Law. It introduced a new obligation on data controllers when collecting personal data of Russian citizens online or offline to “record, systemize, accumulate, store, update, change and retrieve such data in a database located within the territory of the Russian Federation.”[4]

The Data Localization Law is primarily applicable to operators established in Russia in the context of that establishment. In its official guidance,[5] the Russian data protection authority (Roskomnadzor) confirmed that this law is also applicable to any data operator established outside Russia but conducting its business through the use of a website “aimed at the territory of Russia.” According to the guidance, a website is deemed to be “aimed at the territory of Russia” if it has a domain name associated with Russia (e.g., ru, su, Moscow) and/or a Russian version of the website contains one of the following features:

  • An option to pay in rubles
  • An option to perform a contract within Russia (e.g., provision of the agreed services in Russia)
  • Advertisement in Russia
  • Other features indicating the operator’s intention to target the Russian market

Those operators that satisfy the above-mentioned conditions must ensure that the personal data they collect relating to Russian nationals is processed through databases located in Russia. The data localization requirement does not apply to personal data of Russian citizens collected outside Russia if the operator does not target the Russian market (e.g., data of Russian citizens living outside Russia).

There are five exceptions to the data localization obligation. It does not apply when the processing:

  • Is required for meeting the goals of an international treaty or by statute, or for the purposes of compliance with obligations imposed on the data controller by Russian legislation
  • Relates to the data subject’s participation in any kind of judicial proceedings, including arbitration
  • Is performed for the purposes of law enforcement
  • Is performed by government agencies providing public services
  • Is performed by mass media or journalists in the course of their professional activities, or in the course of scientific or other creative activities, if the rights and legitimate interests of data subjects are not harmed[6]

II. No impact on cross-border data transfer rules

The Data Localization Law did not amend the rules on cross-border data transfers. Indeed, Roskomnadzor confirmed that the Data Localization Law only requires that the database where the personal data is initially recorded be located in Russia. The information from such a database can later be transferred to databases located outside Russia, subject to the provisions of the Law on Personal Data on cross-border transfers.[7]

The Law on Personal Data allows transfers of personal data to a jurisdiction with adequate protection, subject to the other provisions of this law and to any restrictions of the Russian constitutional system. States that are parties to Convention No. 109[8] of the Council of Europe are considered to provide an adequate level of protection, as are those states that Roskomnadzor has specifically named as providing this level of protection.

Transfers of personal data to other jurisdictions can take place only in the following situations:

  • With prior written consent of the data subject
  • Under an international treaty
  • Under a federal law and if it is required to ensure the defense and security of the state or to protect the Russian constitutional system
  • To ensure the safety of the transportation system
  • In the context of the performance of a contract with the data subject
  • For the protection of life, health or other vital interests of a data subject or other persons when it is impossible to obtain the data subject’s consent

It should be noted that although Russian legislation does not require prior notification to Roskomnadzor of cross-border data transfers, such notification is required prior to the first processing of personal data,[9] unless the data operator is subject to an exemption. This exemption applies if the data is:

  • Processed for employment purposes
  • Received in connection with a contract without further transfer of such personal data to third parties
  • Related to processing by a public association or a religious organization
  • Made public by the data subject
  • Limited to the surname, first name and patronymic of the data subject
  • Necessary for facilitating one-time access by the data subject to the controller’s premises
  • Part of personal data information systems that are classified as state automated information systems, or of systems created to ensure public order
  • Processed without using automated equipment
  • Processed in accordance with legal requirements relating to the safety of the transportation system

This notification shall contain information on any cross-border transfer of personal data, as well as on the location of the database.

III. Current sanctions applicable to violation of the data localization obligations

Currently, no specific penalty exists for failure to comply with the data localization obligation. The Russian Code of Administrative Offenses provides a penalty for “failure to submit or untimely submission of data (information) to a state body.”[10] This penalty may be as high as 5,000 rubles (approx. 70 euros).[11] Such fines can hardly be regarded as effective, especially when compared with those provided under the General Data Protection Regulation[12] and with the size of companies such as Facebook.

The only risk of noncompliance with the data localization obligation for foreign companies is therefore the right of Roskomnadzor to apply for a court order blocking access to a website through which the relevant data operator processes personal data in violation of Russian data protection laws. In November 2016, Roskomnadzor used this power, ordering major Russian internet providers to block access to LinkedIn for its breach of the Data Localization Law[13]; LinkedIn still does not work in Russia.

The increased sanctions for violation of the data localization obligation are likely to induce greater compliance by foreign companies with Russian data protection legislation, which nonetheless provides a certain degree of flexibility, especially regarding the requirements for cross-border data transfers. In this regard, Europe has more stringent rules, as the GDPR restricts transfers of personal data outside the EU borders.