Russian Legal Update
Recent changes have been made to Russian personal data legislation which will require, inter alia, that personal data concerning Russian citizens be stored locally in Russia, with a few exceptions. In addition, the changes give Russian citizens the right to appeal to the proper authorities to block access to personal data processed in breach of Russian law based on a court ruling.
The amendments were mainly introduced to the Russian law on personal data protection* (the “PD Law”) through a law passed on 21 July 2014**. Please note, however, that they will become effective only on 01 September 2016.
Processing of Personal Data in Russia
In general, the PD Law sets out a relatively unclear definition of “personal data”, defining it as “any information directly or indirectly related to an identified or identifiable individual”***. The amendments mentioned above would require, broadly speaking, that any information which falls under this scope now be stored and processed on databases located in Russia. Please note that there are no restrictions requiring that Russian citizens’ personal data be processed solely in the Russian Federation, nor are there any new restrictions on the cross-border transmission of personal data. Unfortunately, due to the ambiguity of the wording of the amendments and statements from lawmakers in the press, it is unclear how the new regulations will be interpreted and enforced by the competent Russian authorities.
In addition, the amendments will introduce a new blacklist (i.e., Register of Violators of Personal Data Subjects’ Rights – the “Blacklist”) which would effectively block sites which do not comply with personal data regulations. Please note that companies may only be added to the Blacklist based on a court decision. In addition, personal data subjects will be given the ability to appeal to the competent Russian authorities to block access to personal data processed in breach of Russian law (if so ruled in a court decision). The new amendments set out the procedure and terms under which this will be implemented.
Potential Consequences for Your Business
These latest amendments will most significantly affect the operations of foreign businesses in Russia (including representative offices, branches and subsidiaries), many of which store personal data exclusively abroad. In addition, online booking services and social networking sites will also be obligated to record and store personal data using Russian-based servers.
- A foreign company without any presence in Russia processes the personal data of Russian citizens using servers located outside of Russia. What are the consequences?
As mentioned above, violators of the requirements in the PD Law may be added to the Blacklist if so ruled by a competent court. However, the exact interpretation by the courts in this case will be important.
For example, what will happen if a Swedish website records and stores the personal data of Russian citizens on servers located in Sweden? Will the court treat this as a breach of the PD Law? More importantly, will the website be blocked by Russian internet providers if the Swedish company is placed on the Blacklist?
Based on a literal interpretation of the PD Law, personal data “operators” to which the PD Law applies are Russian companies, individuals and the representative offices of foreign companies (i.e., residents). Individuals and companies with no presence in Russia are currently treated as non-residents and therefore do not fall under the definition in the PD Law of “operators”. This would tend to indicate that the PD Law would not apply to the Swedish company mentioned above. On the other hand, there are no restrictions in the PD Law regarding the companies which may be included on the Blacklist. Therefore, this issue will need to be clarified before the amendments take effect in 2016.
- A foreign company with a representative office in Russia processes personal data in a foreign country only. What are the consequences?
The processing of personal data by residents (which includes foreign companies with representative offices in Russia) will be considered to be unlawful in such cases. If personal data is processed over the internet through a website, that website could be added to the Blacklist based on a court ruling unless the violation is remedied by the website.
- A Russian company transfers the personal data of its employees (Russian citizens) to its parent company with consent in writing from those employees. Will this be regarded as a breach of the PD Law?
We assume that the amendments to the PD Law will not affect the transfer of personal data abroad in these cases. The wording is also ambiguous on this case, so we will need to wait for further clarification.
There are a number of issues which remain unclear and the Russian government has already formed a working group to consider changing the wording of the amendments. The local press has also actively discussed whether or not the new rules will apply to foreign companies without a presence in Russia. Nevertheless, considering the possible implications of the amendments, we recommend that companies which process Russian citizens’ personal data look into the technical and legal possibilities of processing personal data within Russia’s borders. We will update you as new information is received on this issue.
FOR MORE INFORMATION ON THE CHANGES OR ON RUSSIAN PERSONAL DATA REQUIREMENTS IN GENERAL, PLEASE CONTACT:
Deputy Head, Moscow Office
Moscow: Tel. +7 (495) 662-6434 | Mobile +7 (964) 575-3511
St. Petersburg: Tel. +7 (812) 363-3377 | Mobile +7 (921) 330-4063
Tel. +7 (495) 662-6434 | Mobile +7 (903) 597-02-60
*Federal Law No. 152-FZ on Personal Data dated 27 July 2006
**Federal Law No. 242 on Introducing Amendments to Certain Legal Instruments of the Russian Federation Related to Personal Data Processing over Information and Telecommunications Networks dated 21 July 2014
***Article 3 of the PD Law