On 5 November 2014, the Russian Data Protection Authority, Roskomnadzor, held its fifth annual conference on “Personal Data Protection.” The conference provided insight into the motivations prompting the enactment of Russia’s data localization law – which requires the personal data of Russian citizens to be stored within the territory of the Russian Federation (see our recent webinar on the law) – and some of the regulator’s compliance expectations. The conference was well-attended by representatives of Russian and international companies, various foreign data protection authorities, and Roskomnadzor officials. The high turnout was expected, as many stakeholders have been anticipating the conference due to the lack of clarity to date on the obligations under the law and its effective date.
The conference was opened by Mr. Zharov, the Head of Roskomnadzor, who noted that Russia is not alone in enacting localization requirements, calling out similar requirements in China, India, and Singapore. He emphasized that the principle of allowance of cross-border data transfers remains unchanged, and such transfers can still be made in accordance with the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and the provisions of Russian data protection law.
Ms. Matvienko, the Head of the upper chamber of the Russian Parliament, spoke next via video conference. She stressed that under the law, Russians’ personal data would be better protected in the territory of Russia, and that the localization requirement is reasonable given recent international developments.
Next to speak was Ms. Bokova, a colleague of Ms. Matvienko, who voiced a similar sentiment about the importance of Russian control over personal data. Ms. Bokova warned against allowing one country to have full control over personal data from all over the world (noting that one such country already contained the databases of most major social networks, search engines, and global corporations), particularly in light of the information provided by former NSA contractor Edward Snowden in an era where western countries are implementing sanctions against Russia. Mr. Zheleznyak, the Deputy Head of the lower chamber of the Russian Parliament, similarly expressed his opinion that the borders within which personal data are stored can in many respects actually define the authority and jurisdiction of a country.
During the following sessions, attendees were provided the opportunity to ask questions to other participants of the conference, including the representatives from Roskomnadzor. Mr. Voblikov, a Deputy Head of one of Roskomnadzor’s departments, answered a number of questions about the data localization law (although he provided the familiar caveat of regulators worldwide that his responses were based on his personal opinion, and should not be construed as the official position of Roskomnadzor).
Mr. Voblikov stated that the purpose of the law is to ensure the storage of personal data of Russian citizens within Russia in order to better protect the data. He pointed out that the law contains no express prohibition on cross-border data transfers, but cautioned that in each case, such transfers should be conditioned on and connected with a legitimate purpose under Russian data protection law beyond mere storage. Mr. Voblikov also was asked whether a mirror of a foreign database stored within Russia would be compliant if it contained all of the required data of Russian citizens, to which he replied that in his opinion, a mirror database would not be considered compliant.
Mr. Voblikov further said that at this stage, there are no official clarifications on who is considered a “Russian citizen” whose data is subject to the law. He stated that in his opinion, all personal data collected in Russia – including from both Russian citizens and foreigners living in Russia – should be processed in accordance with the law. Mr. Voblikov also said in passing that in his personal view, the processing of employee data by employers located in Russia will be covered by the law.
Regarding the effective date of the law – which as enacted was 1 September 2016 but later expected to be changed to 1 January 2015 under a legislative initiative submitted to the Russian Parliament – Mr. Voblikov said that his understanding is that such initiative has stalled. He also said that to the best of his knowledge, Roskomnadzor has not started preparing any official clarifying guidance on the law, and he has no information on whether any such guidance will be prepared in the near future. Additionally, he said that independently from the data localization law, Roskomnadzor is preparing a personal data matrix, which would provide more clarifications on the general provisions of Russian data protection law.
Mr. Voblikov also commented on a controversial recent response by the president's administration to the Association of European Businesses, which stated – beyond the apparent obligations on the face of the law – that companies should not make copies of databases outside of Russia and that the law applies to the storage of personal data collected prior to the effective date. He noted that the response itself contains a caveat that it is based only on the personal opinion of the president's administration, and does not represent any official clarification, but did not comment on the substance of the president's administration’s response itself.
In general, the conference highlighted many challenges posed by the law, the lack of consensus on the law's provisions, and the need for further guidance by the regulator.