Information, Technology & Communications | Tax
Companies Are Required to Store and Process Personal Data of Russian Citizens on Russian Territory
On 21 July 2014 Russia adopted a law that, subject to certain limited exceptions, requires all companies that collect and process personal data of Russian citizens to use databases located in Russia (the “Law”).1 Non-compliance with these rules may result in a company’s website being blocked for Russian users. The new rules will become effective 1 September 2016.
Starting from September 2016, companies that collect personal data of Russian citizens, primarily operators of social media sites, online postal and booking services and similar websites, are required to maintain databases for the purpose of storage and processing of such personal data on Russian territory. The Russian regulatory authorities will be able to block access to websites violating this requirement based on a relevant court decision.
The Law does not expressly require that operations with the personal data of Russian citizens be performed solely with the use of Russian databases and does not additionally restrict cross-border personal data transmission. Based on a literal interpretation of the Law, Russian databases may be simply used within already existing data processing models and facilities. At the same time, due to the ambiguity of the wording of the Law, future law enforcement practice may potentially develop in a more restrictive manner. Furthermore, in the long-term perspective operators of relevant websites might face the risk of a “server-based” taxable permanent establishment in Russia.
What the law says
Creating Databases in Russia
General Requirements. In accordance with the Law, operators of web resources through which personal data of Russian citizens are collected must ensure that the databases used to record, systemize, accumulate, store, amend, update and retrieve data be located in Russia. Note that the definition of “personal data” is very broad under Russian law. Personal data include any information that directly or indirectly relates to a particular individual. There is no exhaustive list of such data, but normally it includes name, date of birth, passport data, address, education, family status and other information allowing the identification of an individual.
1. Federal Law No. 242-FZ dated 21 July 2014 “On Introducing Amendments to Certain Legislative Acts of the Russian Federation with regard to Personal Data Processing in Information and Telecommunications Networks.”
For further information please contact
Edward Bekeschenko +7 495 787 27 17 firstname.lastname@example.org
+7 495 787 27 09
+7 495 787 31 07
Arseny Seidov +7 495 787 27 37
+7 812 303 90 00
Baker & McKenzie —
White Gardens, 10th Floor
9 Lesnaya Street
Moscow 125047, Russia
Tel.: +7 495 787 27 00
Fax: +7 495 787 27 01
BolloevCenter, 2nd Floor
4A Grivtsova Lane
St. Petersburg 190000, Russia
Tel.: +7 812 303 90 00
Fax: +7 812 325 60 13
Information, Technology &Communications | Tax
2 Legal Alert July 2014
Scope of Restrictions. While the Law requires companies to process personal data of Russian citizens using Russia-based databases, in its language it imposes no other major restrictions, specifically:
– operators are not explicitly required to perform data processing operations solely with the use of Russia-located databases;
– cross-border transmission of personal data of Russian citizens is not additionally restricted as compared to the already effective rules;
– companies are not required to have the relevant Russia-based servers with the personal databases in their ownership.
Tax Implications. Currently, Russian law has no concept of a “server-based” taxable permanent establishment. However, many tax concepts developed by OECD countries are currently being implemented in Russia. In the long term companies operating Russia-based databases in connection with their commercial activities might face the risk of “server-based” permanent establishment claims in Russia, especially in the e-commerce and cloud computing market segments.
Sanctions for Non-Compliance
The Law provides for the creation of a Register of Personal Data Owners’ Rights Infringers (the “Register”). Companies violating the Russia-based database requirement will be included in the Register based on a relevant court ruling. The Russian communications authorities will be entitled to block access to websites of the infringers listed in the Register. A company may be excluded from the Register, and the relevant resource unblocked if the underlying court ruling is overturned or if the company demonstrates that it has discontinued the violation.
Actions to consider
The adoption of the Law would most significantly affect the Russian segment of businesses that use online personal data collection as a core element of their commercial activities.
The Law raised major coverage in the media. Responding to this reaction the Government convened a working group to discuss and develop necessary amendments to the Law that would mitigate its negative impact on business. Thus, the current wording of the Law may be amended before it becomes effective.
We will closely monitor the developments in this area. At this stage we recommend to those of our clients who are involved in the collection and processing of Russian nationals’ personal data, and who currently do not use a Russia-based personal database, to explore the legal and technical possibilities of creating such a Russia-based personal database while managing the tax and other risks associated with the same.
This LEGAL ALERT is issued to inform Baker & McKenzie clients and other interested parties of legal developments that may affect or otherwise be of interest to them. The comments above do not constitute legal or other advice and should not be regarded as a substitute for specific advice in individual cases.