Russia’s data localisation law coming soon – is your organisation prepared?
July 01, 2015
Russia’s law on data localisation will enter into force on 1 September 2015. Organisations processing personal data of Russian citizens should start reviewing their data processing activities to ensure that they comply with the new requirements.
What’s new?
The aim of the new Federal Law[1] (the “Law”) is (1) to ensure personal data of Russian citizens are stored in databases located in Russia and (2) to provide the ability to limit access to personal data which is processed in violation of this requirement.
Under the Law, individuals and entities processing personal data (“Operators”) will be required to:
- ensure recording, systematisation, accumulation, storage, specification and extraction[2] of personal data of Russian citizens is carried out using databases located in Russia (the exceptions are limited and usually not applicable); and
- inform the Roskomnadzor[3] about the location of databases that contain personal data of Russian citizens.
In addition, the Roskomnadzor will have authority to limit access to personal data which is processed in violation of the Russian law on personal data (for example, by blocking the domain name of a website, its network address and indexes of pages). Information about violators will be included in a separate register to be held by the Roskomnadzor.
The Law also amends existing law so that the restrictions currently in force on the frequency of, and reasons for, audits conducted by State authorities do not apply to control over personal data processing.
Open issues
Currently, there are no subordinate regulations clarifying how the Law will be applied, although it is expected that such regulations may be adopted in future. State authorities may interpret the requirement of the Law in two different ways:
- Narrowly, as a complete restriction on processing personal data of Russian citizens in databases located outside Russia; or
- Broadly, as allowing processing of personal data of Russian citizens abroad if such personal data is also kept by a Russian Operator in databases located in Russia.
Nevertheless, based on private clarifications and publicly available data, a narrow interpretation of the Law is highly likely.
What steps should organisations undertake?
Organisations should start reviewing whether they comply with the new requirements prescribed by the Law before 1 September 2015. Organisations should then:
- initiate legal and organisational measures in order to bring any personal data processing system into compliance with these new requirements; and
- submit to the Roskomnadzor (a) an informational letter (notification) specifying the location of databases containing personal data of Russian citizens – for operators already registered in the Register of operators, or (b) a notification on processing personal data specifying, in particular, the location of databases that contain personal data of Russian citizens – for operators who are not yet registered.
How can we help?
Our specialists have extensive experience in the area of data protection and will be happy to assist you in complying with the requirements of the Law. In particular, we can:
- provide you with written comments outlining how the Law is currently interpreted by the State authorities, as well as covering an analysis of how it will be applied in your particular situation and our recommendations for your organisation; and
- prepare a notification to the Roskomnadzor on personal data processing or, in the event that it has already been provided by your organisation, an update for the Roskomnadzor with respect to information that is currently contained in the Register of Operators.
[1] “On modification of separate legal acts of the Russian Federation regarding specification of the order of personal data processing in information and telecommunication networks” dated 21 July 2014 No. 242-FZ
[2] All listed actions fall within the scope of the definition of personal data processing
[3] A governmental agency in charge of control in the sphere of communications, information technologies and mass media