On July 21, 2014, Russia adopted Federal Law No. 242-FZ, “On Amendments to Certain Legislative Acts of the Russian Federation for Clarification of the Procedure of Personal Data Processing in Information and Telecommunication Networks” (“Federal Law No. 242-FZ”), which introduces a number of changes to existing Russian data protection laws. Specifically, it amends Federal Law No. 152-FZ, “On personal data,” by establishing a localization requirement for personal data processing.

Effective Date

What makes Federal Law No. 242-FZ important is its effective date. It was initially scheduled to come into force on September 1, 2016. However, on December 31, 2014, Federal Law No. 526-FZ was enacted, which changed the effective date of Russia’s Data Localization Law to September 1, 2015.

Regulated Activity

Under the new law, “personal data operators” are required to process and store Russian citizens’ personal data using databases located in Russia (i.e., “localization” of data). A personal data operator is a legal entity or individual that organizes or performs the processing of personal data, and determines the purposes and scope of such processing. The definition of personal data under Federal Law No. 242-FZ is similar to that adopted by the various European data protection laws (i.e., any information directly or indirectly related to any identified or potentially identifiable person, including name, date and place of birth, address, etc.). While the law broadly defines processing as any action or combination of actions performed on or with personal data, the localization requirement most importantly applies to recording, systemization, accumulation, storage, confirmation (renewal, editing), and extraction of personal data performed in accordance with part 1 of article 6 of Federal Law No. 152-FZ, except for processing enumerated in subsections 2, 3, 4, and 8 of part 1, article 6. The law also requires data operators to notify the Roskomnadzor (Russia’s DPA) of the location of the servers where Russian personal data will be processed prior to commencing the processing.

Scope of the Regulations

The parameters of the new data localization requirement are not entirely clear. The Roskomnadzor has not interpreted the legislation’s applicability to foreign data operators (including foreign websites processing personal data of Russian citizens). Traditionally, Russian data protection legislation has applied only to Russia-based data operators and foreign data operators with a legal presence in Russia (e.g., those with subsidiaries, representative offices, etc.) that process personal data in Russia.  If the same determination is made with respect to this legislation, data operators without a legal presence in Russia would be excluded from the localization requirement.

Effective Requirements

It is not clear whether the law prohibits processing of Russian citizens’ personal data with the use of databases located outside Russia in addition to processing within Russian borders (e.g., for the purposes of back-up or duplicate storage). However, the prevailing view is that, even if a foreign company has no legal presence in Russia, but provides online services available to Russian citizens, it still may fall within the scope of the Amendments.

A similar approach is found in Russian legislation on the protection of consumers’ rights. Article 1212(1) of the Russian Federation Civil Code provides that, in a situation where a company operates in the consumer’s country of residence, or by any means transfers its activities to that country’s territory (e.g., provides for online services available to Russian citizens), the mandatory rules of the consumer’s country of residence will apply to the contract between such company and the Russian citizen regardless of the governing law of the contract. Such position and its broader interpretation generally correspond to the proposed purposes of the Amendments, i.e., to protect the personal data of Russian citizens everywhere.

The head of Roskomnadzor indicated this position in an interview by noting that the mere fact that Roskomnadzor will be able to block access to a certain website of a foreign company leads to the conclusion that the drafters of the Amendments did not intend to limit their scope only to foreign companies processing the personal data of Russian citizens with branches and representative offices located in Russia. It is likely that Roskomnadzor will further clarify its position when it publishes its policy for enforcement of the law to provide data operators with guidance for compliance, which is anticipated in the Spring of 2015.

Regardless, the implication is that personal data operators, including non-Russian companies with a legal presence in Russia, will be required to either establish Russia-based data processing and storage facilities or rent such facilities from Russian providers. It is going to be important to begin the segregation of processing activities within the organization, or to make provision for processing and storage facilities within Russia, in 2015.

Additional Clarification Expected

The legislation currently does not provide for specific penalties, but general administrative liability for violations of Russian legislation on personal data would apply. Corporations could face fines up to RUB 10,000 for failure to comply with the new localization requirements. Moreover, lack of compliance could result in the website or service being blocked or restricted from within Russia by the Roskomnadzor. There has not been any official commentary, clarification or guideline publication from the Roskomnadzor, but some public, and at least informal, guidance is expected in the Spring.

John Tomaszewski

John Tomaszewski specializes in emerging technology and its application to business. His primary focus has been developing trust models to enable new and disruptive technologies and businesses to thrive. In the “Information Age”, management needs to have good advice and counsel on how to protect the capital asset which heretofore has been left to the IT specialists – its data.

John’s expertise in the understanding of a company’s data protection and management needs provide a specialized point of view which allows for holistic solutions. A good answer should always solve at least three problems.

John has been a co-author of several information security and privacy publications, including the PKI Assessment Guidelines and Privacy, Security and Information Management: An Overview; as well as publishing scholarly works of his own on the topic. He has also provided input to the drafting of various security and privacy laws around the world; including the APEC Cross-Border Privacy Rules system. He is a frequent speaker globally on the topics of cloud computing, Self Regulatory Organizations (“SROs”), cross-border privacy schemes, and secure e-commerce.