By Paul Sutton, Head of Legal Advisory Group, Radius
On September 1, 2015 — just yesterday — important amendments to the Russian data protection and information legislation (“the Amendments”) were brought into legal force. Multinationals operating in and outside Russia must be aware of the new legislation, as it applies to any business that collects data from Russian nationals, even a business selling goods online that has absolutely no on-the-ground presence in Russia.
The Basics of Russia’s New Data Protection Laws
The purpose of the Amendments is to further provide for national “digital sovereignty” within Russia by requiring that the personal data of Russian citizens be processed on servers located within Russia itself. Basically, Russia is tightening its grip on the data of its citizens.
The Amendments require that all data operators (i.e., establishments performing functions both of “controllers” and of “processors,” in EU terms) process and collect the personal data of Russian citizens on servers located within Russia. The Amendments apply to branches and representative offices of foreign legal entities operating in Russia, and to foreign companies without a presence in Russia that process the data of Russian citizens.
The Amendments do not regulate the processing of the personal data of individuals who do not hold Russian citizenship, even where that data is collected within Russia. In practice, however, this distinction may well present problems for entities where the personal data of both Russian and non-Russian citizens is being processed. For example, a foreign entity operating in Russia that employs both Russian and non-Russian citizens will likely not want to create two separate databases for storing its employee data.
Ongoing Compliance with the New Laws
The Amendments as written are far from clear. Two areas in particular — jurisdiction and cross-border transfers of data — have yet to be clarified. As for jurisdiction, foreign companies with a legal presence in Russia clearly must comply with the new laws. It is possible that for the immediate future Russian authorities will be less concerned about foreign entities operating in Russia with no permanent establishment, but even this position may harden in the near term. It is difficult to predict how the authorities will enforce these new laws in practice and no doubt the next 12-24 months will be a testing time for any organization doing business in Russia and employing Russian nationals. It should be noted that the Russian data protection authority (Roscomnadzor) has been given powers to deal with breaches of the new personal data legislation by blocking Russian public access to the websites of offending companies. Roscomnadzor will also keep record of those companies that don’t comply, which could have ramifications for companies looking to expand into Russia in the future.
Furthermore, it is unclear at the moment whether foreign companies under the Amendments are able to maintain a separate “mirror” database of the personal data of Russian citizens after that information has initially been collected and stored on a Russian server.
At present the financial sanctions for breaching the Russian data protection laws are relatively low in comparison to those applicable in the EU, but substantial increases are expected in the future. It is therefore advisable for any organization processing the data of Russian citizens to consider what Russian data it has, in what ways the organization processes the data and, importantly, where the servers are physically located. It may be necessary to relocate the server function to within Russia to be compliant with the new laws.
Finally, it is important to bear in mind that though the new Amendments are now in effect, compliance guidelines and recommendations will continue to evolve. It is therefore critical for multinationals that collect the data of Russian citizens to keep abreast not only of any future legal changes, but to related official clarifications and the ongoing enforcement practices of Russian authorities.