On 2 December, a new law was introduced in Russia to enable substantial administrative fines to be imposed on organizations and individuals that fail to comply with data localization requirements. Both legal entities and responsible managers (e.g. the Data Protection Officer or the CEO) can be fined under the new regime.
By way of recap, in 2015, Russia introduced a data localization law, requiring “data operators” to ensure that recording, systematisation, accumulation, storage, refinement and extraction of personal data of Russian citizens is done using databases located in Russia. Essentially, the law means that initial collecting and any updating of the personal data of Russian citizens should be made through a database located in Russia . In 2015, this law did not give the Russian data protection authority (the Roscomnadzor) the ability to impose any meaningful monetary penalties. Instead, the Roscomnadzor was able to block websites that it deemed to be non-compliant.
Under the new law, fines for first time offences for legal entities can be between USD 16,000 – USD 96,000, increasing to USD 288,000 for repeat offences. Fines for responsible managers can be between USD 1600 – USD 3200, increasing to USD 12,800 for repeat offences.
The questions this beg are: what does this mean and what next?
This may be an indication that enforcement action is on the horizon. There has been little widespread enforcement of the data localization rules, apart from some high profile cases (such as when LinkedIn was blocked in 2016), and some think that the reason for this was because the Roscomnadzor did not have the ability to fine. Organisations that handle Russian personal data should review their level of compliance with the requirements and ensure that they have filed the appropriate notifications with the Roscomnadzor.