Does New Russian Personal Data Law Ban International Business?

March 29, 2015

On 1 September 2015, a new law on personal data protection issues will come into force in Russia. Its effect is that companies processing personal data of Russian citizens must store such data in databases located on the territory of the Russian Federation. 

The amendments have been under discussion for a long time. Initially the effective date was to be 1 September  2016 but, since under the newly signed law the effective date of these amendments is now 1 September 2015, all companies processing personal data of Russian citizens in databases located outside Russia have less than half a year to make their systems compliant with the new requirements. 

Who is affected by the new law? 

The new rules apply to all companies processing personal data of Russian citizens. They will have a major effect on Internet giants such as Google, Facebook, Twitter, Yahoo! and Amazon, as well as online stores, online resources used for booking airline tickets and hotels, insurance companies and other organizations processing personal data of Russian citizens. 

The new law does not clarify whether it will apply to foreign companies that do not have a physical presence in Russia but still collect personal data of Russian citizens, or how the Russian authorities will go about monitoring the data processing activities of such companies. The Russian regulatory authority Roscomnadzor is expected to issue relevant clarifications on this issue. 

Black list of data operators and penalties 

In addition to the requirement that databases be located in Russia, the new rules also provide for including those who violate this requirement into a special register of violators (a “black list”) and blocking access to their web sites. 

Apart from including violators in the black list and blocking access to their web sites, there are also penalties for violating the requirements for personal data processing. The current version of the Russian Administrative Offences Code sets these sanctions at a surprisingly low level, with fines in the amount from €4 to €7 for company officials and €40 to €70  for the legal entity for each violation. 

It is worth mentioning that companies can now be fined separately for each violation in regard to each person whose data is stored improperly. For example, if a company is found at fault for violations in processing its employees’ personal data, a fine may be calculated by multiplying the fine rate by the number of employees. 

In addition, on 24 February 2015 the State Duma of the Russian Federation gave tentative approval for the amendments in the Administrative Offences Code that increase liability for violations of personal data processing. In particular, these amendments envisage increasing the penalty for violations in processing personal data of special categories (ethnicity, nationality, political views, health status etc.) up to approximately €4200 Euro for each violation.  

It is likely that the amendments increasing penalties for violating the Personal Data Law requirements will be adopted soon. 

No more processing of personal data of Russian citizens abroad? 

The Russian Personal Data Law pertains only to the storage of personal data in Russia and does not prohibit companies from transferring personal data of Russian citizens outside the Russian Federation. 

It therefore appears that companies may maintain databases with personal data of Russian citizens abroad, provided such personal data is initially stored in databases located in Russia. Any updating of the personal data of Russian citizens must also initially happen in the databases located in Russia. Afterwards, the updated information may be transferred to databases located outside Russia, provided the requirements of the Personal Data Law for transfer of such information are satisfied. 

However, there exists a risk that Russian authorities will take a conservative approach in interpreting the new law and will allow transfer of Russian citizens’ personal data abroad, but not the storage and processing of such data abroad. Taking into account a divergence of views in regard to personal data storage issues, it is reasonable to wait for Roscomnadzor’s official clarifications. 

Consequences for business 

It is obvious that the new amendments in Russian Personal Data Law will first of all affect multinational companies present in Russia, which use databases outside Russia. As a result, such companies may have to bear substantial expenses in order to set up servers in Russia. 

For such companies, it is reasonable to create a database in Russia, in which the personal data collected in Russia will be stored, and then to transfer data from such database to existing databases located abroad (provided the Russian authorities do not take the most conservative approach and prohibit storage of Russian citizens’ personal data outside Russia). 

It is also reasonable for such companies to consider the possibility of anonymizing personal data (ie taking measures aimed at making it impossible to identify the owner of such data without additional information) in order to reduce the scope of data to be stored in Russia, as well as to ensure that their data processing procedures and internal documents are in compliance with the Russian law. 

As for companies that need to use special software or equipment in their business activity, which is not supported in Russia (eg hotels, airline companies), the most reasonable solution is to initiate discussion with the Russian regulator Roscomnadzor to ensure that an adequate approach is developed for their particular situation. 

The consequences of the new law should be less significant for companies that store personal data on servers of external organizations providing such services, as such companies may simply transfer their data to service providers whose servers are located in Russia. 

In view of several issues remaining unclear in regard to the new regulations, it is reasonable for companies that process Russian citizens’ personal data to enter into dialogue with Russian authorities before September in order to receive relevant clarifications and instructions for applying the new personal data law requirements before the new requirements become mandatory, so as to have ample time to make the necessary adjustments to their operations. 

Rimma Leshcheva is Senior Associate at the Russian law firm, Capital Legal Services: rleshcheva@cls.ru