From 1 September 2015, Russia will impose restrictions on the processing of the personal data of its citizens outside Russian territory. This Legal Alert contains a brief overview of several legislative changes which may affect international companies operating in Russia.
The amendments state that the data operators (entities performing the functions of both controllers and processors, to use international terminology) are obliged to ensure recording, systemisation, accumulation, storage, clarification (update, change) and extraction of personal data of citizens of the Russian Federation with the use of databases located in the territory of the Russian Federation when collecting this personal data in any manner, including via the Internet (the Localisation Requirement).
The Localisation Requirement, which will be incorporated into the Federal Law On Personal Data Nr 152-ФЗ dated 27 July 2006 (the PDL), may be understood in such a way that it will be illegal to collect personal data of Russian citizens, immediately send it to servers located outside of Russia and then process this data without the involvement, one way or another, of a Russia-based data store. Consequently, Russian offices of international companies will be unable to use global ICT Systems in the same way as before. Many e-business companies may suffer problems with their Russian operations too.
The amendments do not touch upon the PDL's rules allowing transborder transfer of personal data. For that reason, it seems legal to connect Russian data stores to global ICT Systems or to send the data to affiliated entities located abroad. However, many practical issues remain unanswered. It is unclear whether or not it will be possible to duplicate all data processing operations carried out on a Russia-based server to a foreign server and vice versa. The amendments say nothing about personal data collected before their entry into force.
We note that the Localisation Requirement does not cover the personal data of non-Russian citizens and stateless persons, even if their data is collected in Russia. It would be possible to continue processing such data in the same way as now as long as it is separated from the data of Russian citizens.
The Localisation Requirement provides for several exceptions, but only one of them is of value to most international companies. Under a certain interpretation, the Localisation Requirement could be seen to be inapplicable to the personal data of Russian employees. Specifically, the obligation to process data in Russian databases will not apply if personal data is processed either for purposes stipulated by an international agreement of the Russian Federation, for purposes set out in law, or for exercising the powers or performing the functions and obligations of data operators under Russian law. The purposes for which employers process the data of their employees are defined by law (Article 86 of the Labour Code); moreover, most of these purposes relate to the fulfilment of the employer's obligations and the exercise of the employer's powers, which are also specified in the Labour Code. We note, however, that this approach cannot be applied to job applicants.
Notifying Roscomnadzor of the Location of Servers
Under Article 22 of the PDL, before a data operator proceeds to process any personal data, it must notify the Russian data protection authority (Roscomnadzor) in writing of its intention to do so. By way of exception, it is not mandatory to notify Roscomnadzor, for example, of the processing of one’s own employees’ data or of the data of contractors used in order to conclude or execute a contract with them, provided that such data is not transferred to third parties without the express consent of the data subjects.
When the amendments become effective, the notification form will also include information on the location of the databases where personal data of Russian citizens is stored. Russian law does not clarify whether data operators will be obliged to update notifications that have already been filed.
Strengthening Personal Data Inspection Procedure
Beginning from 1 September 2015, the provisions of the Federal Law ‘On Protection of Rights of Legal Entities and Individual Entrepreneurs When Performing State Control (Supervision) and Municipal Control’ Nr 294-ФЗ dated 26 December 2008, which establish the procedure for the organisation and execution of state inspections, will no longer apply to Roscomnadzor’s inspections of personal data operators. This amendment may lead to an increase in supervisory activities in the sphere of personal data.
Blockage of Websites for Violations of Personal Data Laws
Roscomnadzor will be given powers to block access from Russian territory to websites if illegally processed personal data is placed on them (e.g. if they do not fulfil the Localisation Requirement). For this purpose, Roscomnadzor will enter the banned domain names, network addresses and other details in a special state register. A website can be blocked only on the grounds of a court act. The website owner will be informed of the violation of personal data laws prior to blocking the website and will have one day to rectify this violation voluntarily. The website owner will have the right to apply for the exclusion of its website from the state register after all personal data violations have been rectified or if a court reverses the act on the blockage of access to the website.
Most probably, these rules will apply to social networks, blogs, online shops, customer services and other websites through which personal data can be accessed. From a formal point of view, there are no legal grounds to apply new blockage procedures to websites collecting personal data and sending it to data stores provided that this data is not placed on webpages (feedback forms, whistle-blowing systems, etc.).
Apart from the blocking of websites, Russian law provides for surprisingly low sanctions for non-compliance with the PDL. As a general rule, a company will have to pay a fine of RUB 5,000–10,000 (approx. EUR 90–180) for each violation of the PDL. A responsible officer of a company (e.g. the CEO or data protection officer) may also be fined personally (the amount of the fine is at most RUB 1,000, which is approx. EUR 18). A failure to eliminate violations at the instruction of Roscomnadzor will be considered non-compliance with an order of a state authority and will entail additional sanctions. Obviously, it may not be possible to bring ICT systems/web-services into line with the Localisation Requirement within a short time frame.
The Russian Government introduced a bill (the bill in Russian) strengthening liability and establishing new types of personal data violations. Currently, the bill has passed the first of three readings in the State Duma (a chamber of the Russian Parliament). According to the current version, a data operator which does not comply with Russian personal data legislation may be fined for several data privacy violations at the same time. The total amount of fines may reach several thousand euros.