Data Protection Report - Norton Rose Fulbright

Russia’s data protection authority, Roscomnadzor, has held a number of meetings with business associations to respond to the wave of questions that have arisen about the interpretation and application of Russia’s personal data localization law.

The law, which enters into force on September 1, 2015, requires that an operator, while collecting personal data, ensures the recording, systematization, accumulation, storage, rectification (update, change) and extraction of Russian citizens’ personal data using databases located in Russia.  The meetings sought to address at least two key concerns — whether data stored locally could also be transferred outside of Russia, and the reach of the law’s jurisdiction.

During the meetings, representatives of Roscomnadzor explained their understanding of the localization requirement. The opinions expressed at the meetings will provide useful guidance for businesses – though such statements are not official interpretations of the law, but rather the personal views of the Roscomnadzor representatives. It should also be stressed that the representatives’ interpretation does not always strictly follow the law on personal data. The possibility that the localization requirement will be implemented in a way different from that currently depicted by Roscomnadzor cannot be excluded.

One of the major concerns expressed with respect to the localization requirement is whether the personal data of Russian citizens is permitted to be stored abroad in any capacity. Roscomnadzor has commented that the localization requirement does not prohibit the transfer and storage of data abroad, but that the initial collecting of data from individuals and any updating of that data should be done through a database located in Russia.  Accordingly, Roscomnadzor said that there should always be a database located in Russia through which the initial input or any updates should pass in the first instance.  After that, the data may be copied and transferred to foreign databases subject to compliance with cross-border transfer requirements – in particular, the cross-border transfer of such data should have the same purpose as initially declared when the information is collection, and written consent of the individual may be required in certain cases.

Another unclear issue is the scope of the individuals who may be subject to the requirement. Roscomnadzor explained that, apart from Russian companies, branches and representative offices of foreign companies, the localization requirement may apply to foreign companies that have operations in Russia, even if such operations do not create a permanent establishment in Russia. The localization requirement also applies to foreign companies if their operations are performed through the Internet and such operations are targeted at Russian consumers (e.g., an offer for goods or services in Russian aimed at Russian consumers).

We will continue follow the developments associated with the Russian localization requirement and provide relevant updates on the blog.  The data localization law is slated to go into effect on September 1, 2015. Failure to comply with the requirement may result in a number of negative consequences for an operator, including the right of the Federal Service for Supervision in the Sphere of Communications, Information Technology and Mass Communications (Roscomnadzor) to seek the termination of the operator’s ability to utilise hosting and/or communication services.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.