According to news reports in Russia, the Russian Federation’s data protection authority – Roscomnadzor – may be targeting Western companies for enforcement action. What appears to be the first enforcement action of this kind is directed at Twitter.
At the heart of the action is an assertion by the head of Roscomnadzor that, while Twitter has responded to thousands of requests for information from the U.S. government, the company has not responded to over 100 requests for user information from the Russian agency. In its letter to Twitter, Roscomnadzor demanded that the company explain its position regarding the disclosure of user personal data to Russian law enforcement authorities. The agency is asserting that Twitter’s alleged refusal to respond to its requests constitutes failure to comply with Russian laws, including those directed to counter extremism.
The enforcement action by Roscomnadzor is not unexpected in light of the current geopolitical climate, and could be a precursor to further enforcement actions, including with respect to Russia’s data localization requirements that are slated to come into force on September 1, 2015. The localization law requires companies to maintain information about Russian citizens within the Russian Federation, and imposes a variety of penalties for violations, including the authority to prevent offending companies from operating in Russia by blocking their access to local hosting and telecommunications infrastructure.
We encourage our readers who are attending the IAPP Summit in Washington, DC to stop by the session in which Vera Shaftan, an attorney at the Norton Rose Fulbright’s Moscow office, will discuss Russian data localization laws and their impact on Western companies, and address compliance strategies.