New Russian Data Localization Law Now in Effect
Friday, October 23, 2015
As of September 1, Russia’s new Data Localization Law is in effect. The legislation requires businesses collecting data of Russian citizens, including on the Internet, to record, store, update, change, and retrieve the personal data of Russian citizens in databases located within the territory of the Russian Federation. Copies of those stored databases containing personal data can then be offshored (presumably subject to compliance with other existing Russian data laws on offshoring of personal data).
There have not yet been any official clarifications by Roskomnadzor, the Russian Data Protection Authority, on how it will interpret some of the broader terms of the law. Roskomnadzor did announce that it had a list of 317 companies that will be assessed for compliance (although the list doesn’t seem to be available) and that any enforcement actions with regard to any additional companies would not be undertaken until 2016. Also, while fines are possible, it seems that the main enforcement punishment will be closing down the Russian website of the offending company and adding the company to a public list of offenders.
There are exceptions, the clearest one being the consent of the data subject. It is not clear, however, whether a generic survey consent that did not expressly state that the personal data will be offshored and not maintained on Russian servers would be considered sufficiently informed to meet the consent requirements. At this time, assessing what specifically is required for compliance and the level and nature of enforcement is difficult. Accordingly, the environment seems to be a mixture of “wait and see” combined with taking steps either to get into compliance or to make compliance quickly possible once the nature of compliance/enforcement is made clearer.