Data protection in Russia: slide safely
October 2016 | EXPERT BRIEFING | DATA PRIVACY
It has been a year since the data localisation law came into force in Russia on 1 September 2015 requiring data operators to localise the databases containing the personal data of Russian citizens.
Since then, the Russian Data Protection Authority (Roskomnadzor) has been conducting compliance inspections, both planned and ad hoc (e.g., upon receiving a consumer’s complaint or as a result of monitoring the mass media, etc.). The inspections’ results and Roskomnadzor’s public statements and updates shed light on the Russian DPA’s position as to the compliance measures required, as well as the consequences of noncompliance.
According to statements on its website, to date Roskomnadzor has conducted a total of 954 planned and 82 ad hoc inspections, and is planning to conduct another 479 inspections by the end of 2016. During the course of the inspections, 1822 violations have been identified, but only 23 of them have been directly related to the violation of the data localisation law. This is only 1.3 percent of the overall number of violations. Companies found to have committed a violation have been told to eliminate it and have been given a period of at least six months to do so. The provision of this grace period is in line with an earlier confirmation from Roskomnadzor that the Russian DPA is willing to work closely with those companies that wish to cooperate.
According to Roskomnadzor, the inspection plan is focused on companies with online activities aimed at a Russian audience, such as e-commerce platforms, credit organisations, insurance companies, etc. However, major social networks such as Facebook and Twitter have not yet been put on the radar, though according to Roskomnadzor they will be at some point in the future.
Though there are many positive aspects (a grace period, low fines, etc.), practice confirms that it is better to prepare for a regulatory inspection in advance, and there are certain steps that any company may follow.
The main step that any online business accessible in Russia should take is to assess whether its online platforms may be subject to the Russian data localisation law: for example, whether the website has a Russian version or is placed on a Russian top-level domain such as .ru, .su, .moscow or the like, whether users can pay in Russian roubles, or whether there are other criteria which could demonstrate the intention of the website owner to include the Russian market in its business strategy. This assessment is important even if a company does not have an established legal presence in Russia. In the latter scenario, it might indeed be difficult for Roskomnadzor to enforce a fine against a foreign entity, but Roskomnadzor would still be in a position to block access to a particular website from Russian territory due to noncompliance.
Following the above logic, one may conclude that if a website is merely accessible in Russia as in other countries, but has no clear intention to capture a Russian audience, the website should not be considered subject to the localisation requirement. Where a company’s website is primarily targeting the Russian audience, a compliance scenario should be developed so that Russian users’ personal data is localised. Usually, online platforms follow one of the following compliance options: use their own servers located in Russia, or use a third party’s servers located in Russia, e.g., with the help of data centres, both local and international, that have servers in Russia. Other options available are to limit the information collected from users, so that such information no longer constitutes personal data, or to depersonalise any personal data collected.
If a company has subsidiaries, branches or representative offices in Russia, a more complex compliance scenario would need to be developed, since a local business entity may be physically inspected by Roskomnadzor, which would inspect the company’s compliance with the data localisation requirement as well as its compliance with general obligations under Russian data protection regulations. Thus, each data operator in Russia is required to comply with both the data localisation requirement and general data protection law requirements. The main obligations include, in particular, the development of regulations on personal data processing and consent forms for different categories of data subjects, the management of data flows in order to comply with cross-border transfer rules, the appointment of a manager responsible for personal data processing compliance (this position is similar to a data privacy officer), the appointment of persons with access to personal data, developing and implementing technical measures needed to ensure personal data safety, and notifying Roskomnadzor about personal data processing, if needed, among others.
When developing internal regulations on personal data processing, it is required to capture, in detail, the overall procedure of personal data processing with regard to all the systems where personal data is processed.
Consent forms are required to be reviewed as to whether they contain all the information required under Russian law, as well as in which form, written or simple, such consent needs to be obtained. For example, in cases where sensitive or biometric personal data is processed, or when a cross-border transfer of personal data is made to countries which are not considered by Roskomnadzor as ‘safe harbour’ countries, written consent will need to be obtained. In many cases, a simple form may suffice, but a regular check of whether the written or simple form is required is recommended.
The cross-border transfer of personal data is not prohibited under Russian law, but is restricted. Generally, cross-border transfers to countries not considered to provide adequate protection of the data subjects’ rights may be done only in cases where written consent from the data subject is obtained. Countries providing adequate protection are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) and those which are not parties to this convention but are specifically named by Roskomnadzor as providing an adequate level of data protection (generally, European countries are considered as ‘adequate’, while the US and Asian countries are not). As a result of these rules, all companies need to analyse their data flows and reroute them in a compliant way.
The development and implementation of technical and security measures is an important step which should ensure due protection of systems processing personal data, and is usually made on the basis of an internal technical audit and tests in accordance with data protection related technical requirements under Russian law.
Notifying Roskomnadzor about processing personal data is required upon commencement of personal data processing. Before filing a notification, it is important to check if no exemptions provided by Russian law (e.g., personal data is processed for compliance with Russian labour law requirements) apply to the data operator.
As to compliance with the requirements set out under the data localisation law, it is vital to determine which information systems contain the personal data of Russian citizens, and how it would be feasible for a company to identify a Russian citizen (e.g., based on the IP address). Further, it is necessary to develop a compliance scenario, where basically the same options stated above for online platforms may be applied: use the company’s own servers or a third party’s servers located in Russia, limit or depersonalise personal data, etc. It is also recommended that companies add to their existing internal regulations provisions clarifying where the data of Russian citizens is stored, to which countries the data is transferred, the purpose of each transfer, etc. This would allow the data operator to have internal documents ready to present to Roskomnadzor during its inspections with regard to compliance with the data localisation requirement.
It is important to keep in mind that the exact compliance measures to be applied by each company are more easily defined after an internal audit conducted by legal and technical in-house specialists or with the help of external counsel.
While some consequences of noncompliance, such as a low fine, may appear minor to some companies, they should take others, such as website blocking and reputational risks, seriously. Roskomnadzor’s announcement shows that compliance action plans and the due implementation of legal and technical compliance measures are capable of allowing data operators to continue safely in the Russian data protection landscape.
Natalia Gulyaeva is a partner and Maria Sedykh is an associate at Hogan Lovells (CIS). Ms Gulyaeva can be contacted on +7 495 933 30 00 or by email: firstname.lastname@example.org. Ms Sedykh can be contacted on +7 495 933 30 00 or by email: email@example.com.
© Financier Worldwide