Early in July 2014, the Russian Federal Act on Data Protection was amended to require that personal data of Russian citizens be first processed and stored on servers located within the territory of Russia. Initially, the amendments were expected to come into force Sept. 1, 2016. However, on December 21, 2014, Russian President Vladimir Putin signed the law with an effective date of Sept. 1, 2015.
Many legal scholars and businesses felt the law was rather hastily drafted and required clarification. As a result, a number of business associations consulted with the Roskomnadzor (the Russian Data Protection Authority) in an effort to obtain clarification, particularly related to onward transfer and jurisdictional reach. Following this period of consultation, the Russian Ministry of Communications released additional guidance and clarified a number of points within the law. Roskomnadzor continues to release Information adding additional clarification and certainty to the law. The following answers to some frequently asked questions provides a high level summary of the Act and highlights the most important points:
1) Are non-Russian companies required to comply with the new data localization law?
Yes. The requirement applies when personal data of a Russian citizen is processed. Non-Russian organizations are required to comply where:
- They have a Russian domain name;
- The organization has a Russian language version of its website;
- The organization’s website allows payment in Russian RUB;
- The organization’s website displays advertisements in the Russian language; or
- Agreements available on the company’s website may be performed in Russia (delivery of goods or services in Russia).
The Roskomnadzor recently issued a diagram detailing the process it will follow in auditing organizations located outside of Russia for compliance with the law. Currenlty, the diagram is only available in Russian, but the issuance of additional information makes clear that the Roskomnadzor fully intends to investigate non-Russian organizations for noncompliance.
2) Is the law retroactive?
No. The law does not apply to personal data collected prior to Sept. 1, 2015, unless or until the database containing the personal data is updated with additional or new information. At that time, the data must be localized on servers within Russia.
3) Can the data be transferred to a third country—one outside of Russia?
Yes. Transfer to third parties located outside of Russia, for secondary processing, is permitted. However, the transfer must still comply with any existing requirements such as making certain there is an appropriate agreement in place with the third party that ensures the transfer and processing meets the data protection measures required under Russian law. Transfers to the United States (and many other jurisdictions) are not deemed adequate under Russian law and so may require consent of the data subject for onward transfer.
4) What are the penalties for noncompliance?
While pre-existing monetary penalties for noncompliance are nominal ($200 fine for organizations and $20 fine for individuals), more concerning may be the authority of the Roskomnadzor to block access to an organization’s website or domain name.
5) What does all of this mean for you and your organization?
If you, or a third party on your behalf, collect or store data of Russian citizens:
- You will need to analyze whether that data is, in fact, personal data under Russian law.
- If it is personal data, you will need to be sure to first process and store the data on servers located within the Russian Federation.
- If the data will then be subject to an onward transfer to a country not deemed adequate, you should obtain the data subject’s consent for the transfer.
- Additionally, you should evaluate any vendors or suppliers providing services that collect, process or store personal data of Russian citizens on your behalf and whether they have localized the data in Russia. If they have not and/or cannot, then you will need to evaluate alternatives, considering any future data collection or updates to data collected and stored prior to Sept. 1, 2015.
Need more help understanding the impact of the Russian Federal Act on Data Protection for your organization? Contact us anytime.