On June 13, 2019, a draft bill[1] increasing fines for violations of Federal Law No. 242-FZ[2] (Data Localization Law) was submitted to the State Duma (i.e., the lower house of the Federal Assembly). Once the draft bill is adopted, the maximum fine for legal entities under the Data Localization Law will be 6 million rubles (approx. 82,190 euros). The draft bill also provides increased sanctions for repeated violations of this legislation: in that case the maximum fine is 18 million rubles (approx. 247,000 euros).
The intent of the draft bill is to induce foreign companies’ compliance with Russian data protection legislation. It is therefore important for companies doing business in Russia to assess their compliance with this legislation in order to mitigate the risk of increased fines.
I. The scope of data localization obligations
The collection and use of personal data in Russia is primarily governed by Federal Law No. 152-FZ[3] (Law on Personal Data). This law was significantly modified in September 2015 by the Data Localization Law. It introduced a new obligation on data controllers when collecting personal data of Russian citizens online or offline to “record, systemize, accumulate, store, update, change and retrieve such data in a database located within the territory of the Russian Federation.”[4]
The Data Localization Law is primarily applicable to operators established in Russia in the context of that establishment. In its official guidance,[5] the Russian data protection authority (Roskomnadzor) confirmed that this law is also applicable to any data operator established outside Russia but conducting its business through the use of a website “aimed at the territory of Russia.” According to the guidance, a website is deemed to be “aimed at the territory of Russia” if it has a domain name associated with Russia (e.g., ru, su, Moscow) and/or a Russian version of the website contains one of the following features:
Operators that satisfy the above-mentioned conditions must ensure that the personal data they collect relating to Russian nationals is processed through databases located in Russia. The data localization requirement does not apply to personal data of Russian citizens collected outside Russia if the operator does not target the Russian market (e.g., data of Russian citizens living outside Russia).
There are five exceptions to the data localization obligation, such as when processing is:
II. No impact on cross-border data transfer rules
The Data Localization Law did not amend the rules on cross-border data transfers. Indeed, Roskomnadzor confirmed that the Data Localization Law only provides that the database where the personal data is initially recorded must be located in Russia. However, the information from such database can later be transferred to databases located outside Russia, subject to the provisions of the Law on Personal Data on cross-border transfers.[7]
The Law on Personal Data allows transfers of personal data to a jurisdiction with adequate protection, subject to other provisions of this law and any restrictions of the Russian constitutional system. States that are parties to the Convention No. 109[8] of the Council of Europe are considered as providing an adequate level of protection as well as those states that were specifically named by Roskomnadzor as providing this level of protection.
Transfers of personal data to other jurisdictions can take place only in the following situations:
It should be noted that although Russian legislation does not require prior notification to Roskomnadzor of cross-border data transfer, such notification is required prior to the first processing of personal data,[9] unless a data operator is subject to an exemption. This exception applies if the data is:
This notification shall contain information regarding an eventual cross-border transfer of personal data, as well as a database’s localization.
III. Current sanctions applicable to violation of the data localization obligations
Currently, no specific penalty exists for failure to comply with the data localization obligation. The Russian Code on Administrative Offenses provides a penalty for “failure to submit or untimely submission of data (information) to a state body.”[10] This penalty may be as high as 5,000 rubles (approx. 70 euros).[11] Such fines can hardly be regarded as effective, especially when compared to those provided under the General Data Protection Regulation[12] and to the size of companies such as Facebook.
The only real risk of noncompliance with the data localization obligation for foreign companies is therefore the right of Roskomnadzor to apply for a court order blocking access to a website through which the relevant data operator processes personal data in violation of Russian data protection laws. In November 2016, Roskomnadzor used this power, ordering major Russian internet providers to block access to LinkedIn for its breach of the Data Localization Law;[13] LinkedIn still does not work in Russia.
The increased sanctions for violation of the data localization obligation are likely to induce greater compliance by foreign companies with Russian data protection legislation, which provides a certain degree of flexibility, especially regarding requirements for cross-border data transfers. In this regard, Europe has more stringent rules as the GDPR restricts transfers of personal data outside the EU borders.
[1] https://sozd.duma.gov.ru/bill/729516-7.
[2] Federal Law No. 242-FZ of July 21, 2014, on full local storage and processing of personal data of Russian citizens.
[3] Federal Law No. 152-FZ of July 27, 2006, on personal data.
[4] Section 18(5) of Russian Law on Personal Data.
[5] Russian Ministry of Telecommunications, Processing and storage of personal data in the Russian Federation (last updated Feb. 12, 2016): https://digital.gov.ru/ru/personaldata/.
[6] Section 6 of Russian Law on Personal Data.
[7] Article 12 of Russian Law on Personal Data.
[8] Council of Europe, Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, No. 108, Jan. 28, 1981.
[9] Article 22 of Russian Law on Personal Data.
[10] Facebook was fined 3,000 rubles (approx. 43 euros) for the failure to provide information about localization of Russian citizens’ data on Russian databases.
[11] Article 19.7 of the Russian Code on Administrative Offenses.
[12] Regulation (EU) 2016/679 of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC; fine up to 10 million euros or 2 percent of annual turnover, or up to 20 million euros or 4 percent of annual turnover.
[13] https://www.mos-gorsud.ru/rs/taganskij/cases/docs/content/27b4bb17-652a-4e2f-a101-d3c82bcdf2c4.