B2B: Russian Data Localization in Brief

The MT Conferences section does not involve the reporting or the editorial staff of The Moscow Times.


Anastasia Zagorodnaya
Of Counsel
Dentons

The so-called Data Localisation Law (Amendments to the Federal Law of the Russian Federation of July 27, 2006 No. 152-FZ "On Personal Data", introduced by the Federal Law of the Russian Federation of July 21, 2014 No. 242-FZ "On Introducing Amendments to Certain Legislative Acts of the Russian Federation in Part of Specification of Procedure for Processing of Personal Data in Information and Telecommunication Networks".) that has spurred numerous discussions over the past year became effective on September 1, 2015. If you haven't had a chance to look at this issue, here's the gist along with the latest developments.

The New Rules

The core amendment implemented by the Data Localisation Law is the new Clause 5 added to Article 18 of the Personal Data Law. It provides that while collecting personal data, including by means of the Internet, the operator must ensure that recording, systematization, accumulation, storage, modification and retrieval of Russian citizens' personal data is done using databases located on the territory of Russia, save for certain exceptions.

The exceptions mentioned are generally not business related. Additionally, the Data Localization Law introduced a new Article 15.5 to the Law On Information, Information Technologies and on Protection of Information, which establishes a procedure for limiting access to the information processed in violation of the Russian legislation on personal data (it is conventionally considered as targeting mainly websites through which personal data is collected improperly). This would permit offending websites to be blocked.

Practical guidance

Vladislav Arkhipov
Of Counsel
Dentons, Cand.Sc. Law, Associate Professor at St. Petersburg State University

Given the brief wording of the localization requirement, a lot was left unclear. Various interpretations were discussed in the press and in closed industry meetings and specialized conferences. In the beginning of August the Ministry of Telecom and Mass Communications issued the long-awaited comments on the key issues based on feedback from the business and academic community, as well as competent authorities (available at http:minsvyaz.ru/ru/personaldata/#1438548328715).

Key Issues

Jurisdiction — who do the new rules apply to?

The law is effective on the territory of Russia, therefore, covers resident Russian companies, as well as representative offices and branches of foreign companies involved in data processing. In addition, websites expressly targeting Russian users (it is expected that such targeting should be defined by a combination of factors, such as for example domain name, language, payment processing etc.), most likely will be considered as being 'directed at' Russia, and as such, from the Russian perspective, should be compliant with these mandatory rules of Russian law. Although Russian courts may further refine this approach, it is reasonable to expect that it will be used in practice.

Scope — what do the new rules apply to?

The new rules apply to the operations expressly listed in the Data Localization Law. Other actions (e.g. use of data, remote access, deletion) are not affected. Contrary to the initial perception by many foreign companies, the law does not create a data export ban. Data can be transferred abroad as long as the primary' or 'entry-level' database used for recording upon collection, storage and further update is inside Russia. A broad concept of a 'database' is being adopted by the authorities: any aggregate of data recorded in electronic systems or paper card files.

In the context of uncertainty shaped by lack of further binding regulatory guidance, it is recommended to comply with cross-border transfer rules to the greatest extent possible, including obtaining individual consents, conclusion of data transfer agreements between data controllers and recipient entities. You may also need to comply with the procedures for collection and processing of data and cross-border transfer of data contained in internal policies.

As per the Ministry's clarification, the new rules cover only "intentional" collection of personal data directly from a data subject or via third parties specifically engaged for such collection. This means that data that was not requested (e.g. a random email from a data subject containing personal data) or data received from a third party, which independently collected it from the data subjects, are out of the scope.

The Ministry also explained that a company should make its own reasonable determination as to what data concerns Russian citizens or take the view that any information collected from Russian territory relates to Russian citizens.

Timing — no retroactive effect

Personal data collected before the effective date (September 1, 2015) is not covered; however, operations listed in the new rule concerning old data (e.g. update) will trigger the need to comply.

It is possible (and Roskomnadzor has made a statement on this) that inspections made by the end of 2015 will only be limited to companies stated in the official plan of inspections (available in Russian at the Roskomnadzor official website: http:rkn.gov.ru/docs/plan_print_20151.docx). However, out-of-plan investigations are also possible based on a complaint made by a data subject.

While the requirement to localize data is a hot topic, companies operating in Russia should not forget that the general requirements of the Russian personal data law, including those on internal policies and security measures, should be observed.


The MT Conferences section does not involve the reporting or the editorial staff of The Moscow Times.