Companies that do business in Russia or with Russian residents have been struggling to understand Federal Law No. 242-FZ (“Data Localization Law”). The law, passed in July 2014, contains a series of amendments to Russian laws to “Specify the Procedure for Personal Data Processing by Information and Telecommunications Networks.” The need to understand the requirements of this new Data Localization Law has become even more urgent since its effective date has been advanced to September 1, 2015. While the original draft of the law was planned to take effect on September 1, 2016, the Russian President signed an amendment to the law on December 31, 2014, which advanced its effective date to September 1, 2015. To date, there is still significant uncertainty regarding the meaning and interpretation of Federal Law 242-FZ.
Among other things, the Data Localization Law 242-FZ amends several provisions of the current Russian Data Protection Law. In particular, it amends Article 18 of the Data Protection Law to require all companies holding personal data (with some exceptions) to host their servers on Russian soil. The new Article 18(5) provides:
When collecting personal data, including collection via Internet information and telecommunication network, an operator shall provide a record that the organization, accumulation, storage, update and retrieval of personal data of citizens of the Russian Federation is held on databases located within the Russian Federation.
At the highest level, the direction is simple. Data about Russian residents must be stored in Russia. The affected entities are data operators (i.e., entities performing the functions of data controller or data processor). These include subsidiaries and representative offices of foreign companies that collect and process personal data of Russian nationals residing on the Russian territory.
Exceptions to this requirement include, for example: the processing of personal data for implementing an international agreement, administration of justice, enforcement of court rulings, and provision of public and municipal service, mass media, or creative work.
The law requires these data operators to record, organize, store, update or retrieve personal data on servers that are physically located in the Russian Federation. However, it is not clear which specific entities are concerned. For example, does a company that does not have operations or a physical presence in Russia but collects data, emails or content from Russian residents have to comply with the law?
There are other significant interpretation questions. For example, does the fact that a copy of the data is stored in Russia prohibit any form of processing outside Russia? Can data stored in Russia be transferred out of Russia, for further processing outside of Russia? The literal wording of the law does not explicitly require data operators to perform data processing only within the Russian territory. It just requires that a copy of the data be stored in Russia. However, the provision might be interpreted differently when clarifying regulations are issued.
Notification of Server Location
Like most data protection laws throughout Europe, Russia’s current law on the protection of personal data, in its Article 22, requires covered entities to notify Roskomnadzor, the Russian agency in charge of personal data, before proceeding to the processing of personal data. With the enactment of the Data Localization Law, covered entities will have to indicate, in addition, the location of the databases that contain the personal data of Russian citizens in the notification forms that they file with Roskomnadzor.
Violation of the Data Localization Law
The Data Localization Law grants Roskomnadzor significant new powers: the power to block access from the Russian territory to the websites that violate the Data Localization Law, and the power to organize a register of infringers. Banned domain names, network addresses, and other details will be recorded in that special state register of law infringers.
In addition to this blocking and blacklisting, the current sanctions under the Russian Data Protection Law will apply. The current fines are between RUB 5,000 and RUB 10,000. In addition, a responsible data officer may be fined personally, up to RUB 1,000. It is not clear whether the fines will be computed on a per-incident basis or according to the number of data records affected.
Interpretation of the Data Localization Law
The provisions of the Data Localization Law are vague and can be construed in different ways. To date, there is little tangible and precise information on the proposed interpretation of the law. Subordinate legislation, for example in the form of regulations or guidelines, is expected to be adopted in 2015 before the new Data Localization Law comes into force.
In the meantime, during the first months of 2015, Roskomnadzor held a series of conferences with industry groups to discuss the specifics of data storage in Russia and ways and mechanisms for controlling the physical location of data. These discussions were conducted on an informal basis, and are not intended to provide an official position. The information provided during these meetings is not legally binding. It is only an incomplete preview of the potential interpretation of the law by the Russian regulator.
Key points discussed during these meetings include:
- The Data Localization Law would only apply to personal data of Russian citizens who are located in Russia at the time of the collection of these data.
- All data operators would be affected, whether they are Russian or foreign. The key factor would be the collection of personal data from the Russian territory.
- The law would apply only to the collection of personal data directly from the individual.
- Any structured set of personal data would be subject to the law, irrespective of the format and means of processing. Thus, electronic databases, archives, and card files would be subject to the law.
- Organizations would be required to store their primary database in Russia, where all processing should be performed.
- It would not be sufficient to store a copy of the database that is primarily stored elsewhere.
- Data stored in Russia would be transferable outside Russia if the transfer complies with the Russian cross-border transfer rules.
It is expected that more specific guidance will be provided in the near future, hopefully before the September 1, 2015 date. We will keep following these developments.