Russian Data Storage
Our citizens, our rules: Clarification on the new Russian data storage requirements
New amendments to the Russian Federal Act on Personal Data are due to come into force on 1 September via Russian Federal Law No. 242-FZ "On the Amendments to Certain Legislative Acts of the Russian Federation to Clarify the Framework for Personal Data Processing in the Information and Telecommunications Networks".
The main thrust of the amendments is that local and foreign "operators" will be required to keep databases processing personal data of Russian citizens on Russian Federation territory and to provide information on the location of these databases.
The "ums", "errs" and theories on the possible interpretations of the new rules and terms such as "citizenship" as well as the practical implications of the rules have been numerous since the proposed amendments were published in July 2014.
Earlier this month, the Ministry of Communications of the Russian Federation tried to throw some light on the turbulent waters of interpretation through the publication of certain clarifications on its website.
Headline points are as follows:
Parties affected by the new rules
Any company operating in Russia or with a Russia-facing website that is using personal data in any way is likely to be affected by these changes. In practice, the rules will affect any companies which:
a) use a domain name related to Russia;
b) have a Russian-language version of their website (except for automatic translations etc);
c) allow payments on their website for goods, works or services in Russian RUB;
d) have advertisements on their website in Russian; or
e) undertake agreements via their website (selling goods or services) that may be performed in Russia.
Inadvertent capture of personal data is out of scope
If a company intentionally collects Russian data, it must comply with the new rules. Conversely, the law does not apply to "unintentional" capture of personal data (e.g. unsolicited data – such as Russian correspondence).
International transfers of data outside Russia
International data transfers are not forbidden by the new rules. However, if personal data is to be transferred outside Russia, the transferring entity must put in place a data export agreement with the transferee, obtain data subject consent and ensure that it is generally compliant with Russian data protection requirements.
Companies will need to put a policy in place for determining an individual's citizenship. Failure to do so will mean that any collection of personal data from Russia is subject to the new localisation rules.
Consequences of non-compliance with the new rules
There are no fines proposed under the new rules. Currently, under the existing data protection regime, Roskomnadzor (the Russian data protection authority), jointly with the public prosecution office, has the power to issue fines of up to RUB 10,000 (£100) for non-compliance with data protection regulations concerning the collection, storage and use of personal data.
Nevertheless, a "name and shame" process as well as website blocking measures may be exercised by the Russian authorities. If you run an online business model and Russia is a significant market, the possibility of website blocking is very real. It should also be noted that larger fines are expected to be introduced in the near future.
By adapting their operations to keep local copies of Russian personal data, companies are likely to engage in new storage activities and should ensure that any equipment and software used for local storage purposes is appropriately certified. Possible penalties for the use of non-certified data protection devices and software include a fine of up to RUB 25,000 (£270) as well as confiscation of such devices and software.
So, what now?
Companies who have any sort of Russia-facing services are advised to get up to speed on the new requirements as soon as possible. Even though the law will not apply retrospectively, and there has been an oral announcement by the Head of Roskomnadzor that the data localization rules will not be enforced until 2016, nothing formal has been put on paper about a grace period.
Even with the clarifications from the Ministry of Communications, it remains unclear exactly how the new rules will be implemented in practice.
Consequently, a "when in Rome…" approach may be the best strategy for foreign companies operating in Russia: prepare the grounds for more changes to come by appointing a spokesperson in Russia who can act on behalf of the company before Roskomnadzor, ensure that any service providers processing the personal data of Russian citizens on behalf of the company are aware of the rules, and make sure that their share of the responsibility is contractually flowed down to them.
With thanks to Pavel Savitsky, Counsel, Head of Intellectual Property & TMT, Borenius Attorneys Russia Ltd for the information provided.