On July 21, 2014, Russia adopted Federal Law No. 242-FZ, “On Amendments to Certain Legislative Acts of the Russian Federation for Clarification of the Procedure of Personal Data Processing in Information and Telecommunication Networks” (“Federal Law No. 242-FZ”), which introduces a number of changes to existing Russian data protection laws. Specifically, it amends Federal Law No. 152-FZ, “On personal data,” by establishing a localization requirement for personal data processing.
What makes Federal Law No. 242-FZ important is its effective date. It was initially scheduled to come into force on September 1, 2016. However, on December 31, 2014, Federal Law No. 526-FZ was enacted, which changed the effective date of Russia’s Data Localization Law to September 1, 2015.
Under the new law, “personal data operators” are required to process and store Russian citizens’ personal data using databases located in Russia (i.e., “localization” of data). A personal data operator is a legal entity or individual that organizes or performs the processing of personal data, and determines the purposes and scope of such processing. The definition of personal data under Federal Law No. 242-FZ is similar to that adopted by the various European data protection laws (i.e., any information directly or indirectly related to any identified or potentially identifiable person, including name, date and place of birth, address, etc.). While the law broadly defines processing as any action or combination of actions performed on or with personal data, the localization requirement most importantly applies to recording, systemization, accumulation, storage, confirmation (renewal, editing), and extraction of personal data performed in accordance with part 1 of article 6 of Federal Law No. 152-FZ, except for processing enumerated in subsections 2, 3, 4, and 8 of part 1, article 6. The law also requires data operators to notify the Roskomnadzor (Russia’s DPA) of the location of the servers where Russian personal data will be processed prior to commencing the processing.
Scope of the Regulations
The parameters of the new data localization requirement are not entirely clear. The Roskomnadzor has not interpreted the legislation’s applicability to foreign data operators (including foreign websites processing personal data of Russian citizens). Traditionally, Russian data protection legislation has applied only to Russia-based data operators and foreign data operators with a legal presence in Russia (e.g., those with subsidiaries, representative offices, etc.) that process personal data in Russia. If the same determination is made with respect to this legislation, data operators without a legal presence in Russia would be excluded from the localization requirement.
It is not clear whether the law prohibits processing of Russian citizens’ personal data with the use of databases located outside Russia in addition to processing within Russian borders (e.g., for the purposes of back-up or duplicate storage). However, the prevailing view is that, even if a foreign company has no legal presence in Russia, but provides online services available to Russian citizens, it still may fall within the scope of the Amendments.
A similar approach is found in Russian legislation on the protection of consumers’ rights. Article 1212(1) of the Russian Federation Civil Code provides that, in a situation where a company operates in the consumer’s country of residence, or by any means transfers its activities to that country’s territory (e.g., provides for online services available to Russian citizens), the mandatory rules of the consumer’s country of residence will apply to the contract between such company and the Russian citizen regardless of the governing law of the contract. Such position and its broader interpretation generally correspond to the proposed purposes of the Amendments, i.e., to protect the personal data of Russian citizens everywhere.
The head of Roskomnadzor indicated this position in an interview by noting that the mere fact that Roskomnadzor will be able to block access to a certain website of a foreign company leads to the conclusion that the drafters of the Amendments did not intend to limit their scope only to foreign companies processing the personal data of Russian citizens with branches and representative offices located in Russia. It is likely that Roskomnadzor will further clarify its position when it publishes its policy for enforcement of the law to provide data operators with guidance for compliance, which is anticipated in the Spring of 2015.
Regardless, the implication is that personal data operators, including non-Russian companies with a legal presence in Russia, will be required to either establish Russia-based data processing and storage facilities or rent such facilities from Russian providers. It will be important to begin segregating processing activities within the organization, or provisioning processing and storage facilities within Russia, in 2015.
Additional Clarification Expected
The legislation currently does not provide for specific penalties, but general administrative liability for violations of Russian legislation on personal data would apply. Corporations could face fines up to RUB 10,000 for failure to comply with the new localization requirements. Moreover, lack of compliance could result in the website or service being blocked or restricted from within Russia by the Roskomnadzor. There has not been any official commentary, clarification or guideline publication from the Roskomnadzor, but some public, and at least informal, guidance is expected in the Spring.