We would like to take this opportunity to inform you about new developments regarding Russian data protection laws.
It is to be noted in particular that since 2015 personal data ("PD") of Russian citizens must, as a matter of principle, be stored in Russia. Experience has shown that the competent authorities make full use of the range of sanctions provided for by the data protection laws. The following is a summary of a memo drawn up by Russian attorney colleagues describing (i) the scope of the applicable laws and (ii) the tightening of sanctions for breaches. With regard to sanctions, the amendments to the Code of Administrative Offences passed their third reading on 27 January 2017 and will most likely be signed into law by the President.
On 1 September 2015, a law amending various Russian data protection laws came into force (the “Law”).
In particular, the Law amended the law on personal data ("Personal Data Law") by introducing new obligations with regard to the storage of Russian citizens' PD.
Basic concepts and definitions
The Law applies, in particular, to PD operators and IT system operators.
The Personal Data Law is silent on its extra-territorial scope of application. However, it follows from the definitions of an IT system operator and a PD operator that any foreign entity, public body or other entity which processes PD of Russian citizens is bound by the Personal Data Law and by PD-related international treaties.
In other words, the Personal Data Law, including the sanctions with regard to breaches, applies to the processing of Russian citizens' PD outside Russia.
It is therefore correct to conclude that the Law applies to all legal entities and natural persons involved in the processing of PD, including foreign legal entities with no presence of any kind in Russia. The Law addresses two main issues:
Obligation to use Russian data centres
The second part of the Law imposes an obligation on all companies, organisations and persons which process, or arrange for the processing of, PD of individuals (referred to as "operators") to "ensure the recording, systematisation, accumulation, storage, modification and extraction of personal data of Russian citizens using data centres located in the territory of the Russian Federation during the course of gathering personal data, including via the Internet".
In other words, Russian citizens' PD gathered by operators must be stored by servers/data centres located in the Russian Federation.
More specifically, operators are exempt from the above obligation, i.e. they may store Russian citizens' PD in foreign data centres, only if such processing is required:
Giving notice to the Federal Service for Supervision of Communications, Information Technology and Mass Media ("RKN")
The Law introduced an amendment to the Personal Data Law which obliges operators to notify the RKN of the exact location of the servers/data centres where Russian citizens' PD is or will be stored.
The exception is that a PD operator may process PD without notifying the RKN if, inter alia, the PD processed is employees' PD, the PD is deemed publicly accessible, or the PD consists only of the first, middle and family names of the data subjects.
A failure to notify the RKN of the database location may be deemed a breach of the Personal Data Law and, accordingly, entail administrative sanctions.
The above obligation applies to all types of Russian and foreign companies regardless of their area of business, e.g. tourism, transportation, e-commerce, banking, telecommunications, IT, etc., because the decisive factor is the gathering/processing of Russian citizens' PD.
Cross-border transfer of PD
The current Personal Data Law allows cross-border transfers of PD provided that the data is transferred to (i) a country which is a party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108), (ii) a country approved by the RKN (see Order No. 274 of the RKN dated 15 March 2013, which approved 19 countries), or (iii) any other country, subject to the individual's consent to the cross-border transfer of his or her personal data.
Implementation of the above obligation might, if interpreted rationally, work as follows: PD of Russian citizens may be stored both (i) in Russia, as a mandatory requirement, and (ii) abroad, subject to duly obtaining the Russian citizen's consent to the cross-border transfer and to the storage of his or her PD outside Russia. In practice, therefore, PD will be duplicated in Russian and foreign data centres.
Widespread discussion of the physical and technological arrangements for PD storage in Russia is underway. Two main approaches have been identified: (1) building domestic data centres or (2) leasing server space in Russia.
In view of the above and based on a conservative analysis of current legislative developments on information and PD issues, it is assumed that:
A data controller (operator) can face civil, administrative or criminal liability for a breach of the Personal Data Law.
The amendments to the Code of Administrative Offences passed their third reading on 27 January 2017 and will most likely be signed into law by the President.
The amendments introduce seven new offences for breaches of data protection legislation and increase the penalties for such breaches. In particular, the draft law provides for a maximum penalty of 75,000 rubles (approximately EUR 1,300) for processing personal data without the data subject's consent, or where the content of the consent does not meet the requirements stipulated by law.