On 10 September 2019 the Russian State Duma in its first reading adopted a draft bill increasing fines for non-compliance with data localisation requirements. If this draft bill becomes law, the proposed fines could amount to a maximum of RUB 6 million (approximately EUR 125,000) for a first offence and RUB 18 million (approximately EUR 250,000) for a repeat offence. Three readings by the Russian State Duma are required for any bill to pass the Duma which is the Russian parliament.

The authors of the draft believe that non-compliance with the data localisation requirement threatens the safety of Russian citizens and important informational infrastructure as well as impedes the fight against terrorism.

Up to now Russian legislation has contained no fines for the breach of data localisation rules and the Russian data protection authority (Roskomnadzor) could only initiate the blocking of the infringer’s website. Things started to change following the cases of Twitter and Facebook, who were reportedly failing to comply with the data localisation requirement and the related requests of Roskomnadzor to provide information on compliance. The relevant fines for a failure to provide information are very low (up to RUB 5,000), while the fines issued to Facebook and Twitter were even lower, i.e. RUB 3,000 in each case.

Since 1 September 2015 Russian laws have contained a requirement that the personal data of Russian citizens must be stored and processed using databases located in Russia. This requirement can be complied with for instance by placing the database with personal data of Russian citizens in a Russia-based data centre or server.