Confusion and concern have surrounded Russia’s personal data localization law since it went into effect on September 1, 2015. The law mandates that data operators that collect personal data about Russian citizens “record, systematize, accumulate, store, amend, update and retrieve” data using databases physically located in Russia. Prior Duane Morris Alerts (October 16, 2015, September 2, 2015,and June 15, 2015) have addressed a number of the most salient requirements of the new law. The October 16, 2015, Alert summarized the progress on implementation of the law to date and discussed the predictions by Roskomnadzor (the Russian agency responsible for enforcing the law) and various commentators about future enforcement.
With more than six months of history now in the books, a review of how the law has been implemented and enforced is worthwhile; and consideration of future implementation, including expanded enforcement, is prudent.
2015 in Review
Initial indicators signal that Roskomnadzor is wholeheartedly committed to enforcement of the new law. In the remaining months of 2015 following enactment, Roskomnadzor conducted 302 inspections for compliance with the new localization rule. Roskomnadzor Head Alexander Zharov reported that the 2015 inspections revealed few and minor infractions and indicated that he anticipated violations would be corrected promptly and that no fines would be imposed on the violator companies. Nevertheless, despite the seemingly mild outcomes from the 2015 inspections, companies may be hasty to assume that future violators will be immune from harsher consequences. Rather, it may be useful to consider the enforcement of the data localization law in the larger context of Roskomnadzor’s goals and actions.
In 2015, Roskomnadzor restricted access to roughly 7,300 websites found by Russian courts to host sundry and/or impermissible content. Among the more notable blocked sites were several Wikipedia articles (unblocked after articles about narcotics were revised) and Yahoo’s sports site (sports.yahoo.com). More on point for the protection of personal data, in 2015, Roskomnadzor listed more than 100 websites on the Register of Personal Data Infringers and restricted access to over 30 websites for violating the Law on Personal Data, of which the data localization law is a subsection. As just one example, Roskomnadzor reported that it blocked access to an Internet database containing personal data on more than 1.5 million Russian citizens and that, on September 9, 2015—mere days after the law went into effect—it listed the database on the Register of Personal Data Infringers. At the time of this writing, the site, abonenty-chast2.pw, remains blocked. It may not be unreasonable to conclude, therefore, that the enforcement of the data localization law may follow Roskomnadzor’s wider protocol of blocking violating websites.
Plans for 2016
Roskomnadzor has pledged, and has already initiated, an expanded effort to enforce data localization in 2016. Mr. Zharov declared that Roskomnadzor plans to inspect and evaluate more than 1,000 organizations for their compliance with the law in 2016. And the expanded scope of scrutiny is no mystery. Roskomnadzor has published a roster of audits planned for 2016, including the specific dates for the planned inspections. There seems to be little doubt that the list may be updated as the year progresses, and prudence suggests that companies should review the list at a minimum, and Roskomnadzor’s website in general, for updates. The list already contains the names of many high-profile foreign entities; and it also confirms Zharov’s earlier prognosis that 2016 audits will focus heavily on organizations with a large electronic commercial footprint.
Large Companies Impacted
Although Roskomnadzor suggested that the focus of its initial inspections would be on small and medium-sized companies, it appears that the initial strategy morphed quickly. In September 2015 (the same month the law was enacted), Roskomnadzor notified Facebook and Twitter, among others, of the requirements of the law, underscoring that both companies are subject to the law and would face audits “sooner or later.” The change was particularly significant with regard to Twitter as Roskomnadzor previously stated that Twitter would not be required initially to comply with the law because it does not collect the type of data targeted by the law. The Russian branch of a global auto manufacturer was also audited in 2015. The published schedule confirms that numerous additional large companies are targeted for inspection in 2016.
In light of the expanding enforcement of the data localization law, a number of foreign companies have publicly expressed, by words and/or actions, their commitment for compliance. For example, Roskomnadzor has reported that companies like Samsung, Lenovo, EBay, Uber, PayPal, AliExpress and Booking.com—none of which have historically hosted their data in Russia—have indicated that they will move applicable data to Russian servers. Samsung has already opened a large data center in Russia. And "data hosts" have been quick to capitalize on the intended increased enforcement. Orange and IXCellerate have expanded their sphere of influence to host the data of companies with no Russian data servers.
Companies that do not comply with the data localization law may face a number of potential consequences. Initially, per Zharov’s aforementioned statement, Roskomnadzor has instructed violators to remedy their defaults prior to facing harsher penalties. The Russian Code of Administrative Offences allows for the imposition of fines in the event of a failure to cure a violation. Continued and/or uncorrected violations may result in the blockage of a company’s website. Though Roskomnadzor has historically blocked websites only pursuant to a court order, Zharov has indicated that Roskomnadzor may be given the autonomy to block websites without such an order. Though it is not currently known what circumstances would prompt Roskomnadzor to pursue this stiffer sanction, companies should be aware of all potential consequences in the event of a violation, or worse, continued noncompliance. The far-reaching detrimental consequences of being included on the Register of Personal Data Infringers or, worse, of having Russian online presence completely blocked are apparent—though likely avoidable.