Photo of Vera Shaftan (RU)

On 2 December, a new law was introduced in Russia to enable substantial administrative fines to be imposed on organizations and individuals that fail to comply with data localization requirements.  Both legal entities and responsible managers (e.g. the Data Protection Officer or the CEO) can be fined under the new regime.

Russia’s data protection authority, Roscomnadzor, has held a number of meetings with business associations to respond to the wave of questions that have arisen about the interpretation and application of Russia’s personal data localization law.

The law, which enters into force on September 1, 2015, requires that an operator, while collecting personal data, ensures the recording, systematization, accumulation, storage, rectification (update, change) and extraction of Russian citizens’ personal data using databases located in Russia.  The meetings sought to address at least two key concerns — whether data stored locally could also be transferred outside of Russia, and the reach of the law’s jurisdiction.