There have been growing calls recently for better data protection worldwide. The issue of how to ensure the safety of personal data has become even more acute with the recent revelations on the levels of global surveillance. Russian legislators have followed the trend for introducing new data privacy regulation. However, concerns have been voiced that the scope of proposed measures in Russia seems wider than the perceived data protection threats.
In early July, the Russian Parliament adopted amendments to the data protection legislation in relation to the storage of personal data (“Amendments”). The Amendments require all personal data relating to Russian citizens to be stored in Russia. Although the Amendments do not stipulate this expressly, this requirement is likely to be interpreted as prohibiting storage of such data outside of Russia. It is not yet clear, however, whether any backup overseas would be permitted. To become effective, the Amendments now need to be approved by the President and be officially published, steps which are expected to be carried out later this month. The Amendments are subject to a two-year deferral period and are therefore due to take effect from 1 September 2016.
The Amendments apply to all forms of personal data which Russian citizens use for registration purposes, online shopping, sending e-mails, etc. Concerns have been raised that the Amendments will impede the operation of major internet services such as online booking, social networking, data storage, payment systems and certain services used by banks and mobile operators. In addition, the restrictions will affect not only the use of foreign services for the storage of personal data but also Russian services which use cloud and other data exchange technologies (eg Russian air carriers using online booking in which personal data is processed outside of Russia).
The approach which the Amendments seek to introduce differs from the approaches in many other jurisdictions, including the EU. For instance, there is no absolute prohibition in the EU on storing or processing personal data outside the European Economic Area (“EEA”). If data controllers in the EU wish to store personal data outside the EEA, they may typically do so provided they have the data subject’s consent or if they can demonstrate that the personal data will be afforded an adequate level of protection. Pursuant to the Amendments, the data subject’s consent to the storage of personal data outside of Russia would not help override the restriction in Russia referred to above.
The Amendments also introduce the concept of a blacklist for internet services containing information which is being processed in breach of Russian data protection legislation. An internet service may only be blacklisted on the basis of a court order. If an internet service is blacklisted, the regulator will work with the internet service, the internet host provider and the telecommunications services provider to ensure that the internet service amends its practices and complies with the relevant legislation. Where these entities are operating from outside the Russian Federation, there may be jurisdictional difficulties for the regulator in seeking compliance with the legislation. However, the regulator will have the ultimate sanction of blocking access within Russia to a non-compliant internet service if changes are not made to comply with the legislation.
If the Amendments are approved by the President, major online services and other users of personal data may be required to invest in building or leasing data storage servers in Russia.