How to comply with the Russian requirements on localisation of personal data
November 2017 | EXPERT BRIEFING | DATA PRIVACY
Recently, important changes to the Russian legislation on personal data have entered into force, requiring a response from foreign companies doing business in Russia. The new version of the Federal Law of the Russian Federation ‘On Personal Data’ (the Personal Data Law) introduced a duty on all companies working with the personal data of Russian citizens to locate any databases containing their personal data in Russia starting from 1 September 2015 (Article 18 (5)).
The government says this requirement was enacted to prevent the illegal use of Russian citizens’ personal information and to protect their constitutional rights to privacy, personal and family secrets. Although the localisation requirements became effective in September 2015, the government has increased its compliance enforcement in the past few months.
Because these amendments have substantial implications for all foreign companies that conduct business in Russia, it is important to be aware of the requirements.
At present, the key explanations that clarify these legal regulations are issued by the Ministry of Communications and Mass Media of the Russian Federation (Ministry of Communications) and by the Federal Service for Supervision in the Sphere of Communications, Information Technologies and Mass Communications of the Russian Federation (Roscomnadzor).
The new requirements have already affected many international blue-chip companies active in Russia, such as Aliexpress, eBay, PayPal, Uber and Booking. Moreover, LinkedIn’s network activity was officially blocked in Russia due to a violation of these requirements.
According to Article 18 (5) of the Personal Data Law, a personal data operator is obliged to ensure recording, systematisation, accumulation, storage, clarification (updating, modification) and extraction of the personal data of Russian citizens using databases located in the territory of the Russian Federation.
Scope of the new requirements
A company will be obliged to comply with the requirement to localise personal data only if it passes the following tests.
Business activity test. The rules apply only to a certain range of subjects. This includes Russian companies, branches and representative offices of foreign corporations, as well as other legal entities incorporated outside Russia that have no official presence in Russia but are active in the local market. Activity in the local market is indicated, for example, where an international company uses the domain names “.ru” or “.рф”, has a Russian-language version of its website or runs Russian advertising, receives payment in Russian rubles or delivers goods to the Russian Federation, or in other similar cases. By contrast, foreign companies that only incidentally gather the personal data of Russians in the course of their commercial activity remain outside the scope of these legal modifications. Such incidental collection arises when Russian citizens submit their personal data while using international internet resources that are not directed at Russia. In short, any company doing business in Russia or targeting Russians may be covered by the law even if it is not registered in Russia.
The Personal Data Law provides several exclusions under which these subjects can be relieved from the above duty. These exceptions mostly concern the activities of different state authorities under international treaties, the administration of justice, providing state and municipal services (including foreign embassies), mass media organisations and other subjects that operate on the basis of international agreements or legislation (Article 6, Article 18 (5)). A good example is airlines which are covered by a number of international conventions.
Data operation test. A company will be recognised as an operator only if it performs certain actions with personal data, i.e., information relating directly or indirectly to an individual (Article 3 (1) of the Personal Data Law). The law does not provide an explicit and exhaustive list of such data, but in practice it generally includes passport data, full name, date of birth, phone number, email address and similar information. It is important to note that information can only be considered personal data if it can identify a specific person. Furthermore, the localisation rules apply to operators only if they intentionally carry out certain actions, in particular: collecting, recording, systematising, accumulating, storing, clarifying (updating and modifying) and extracting personal data.
Other activities involving personal data, such as use, transfer (distribution, provision), depersonalisation, blocking, removal or destruction, can be performed using databases outside Russia. This means that Russian law does not prohibit the further processing of Russians’ personal data abroad, provided that this information was first entered into a Russian database and is updated there as necessary.
Accordingly, if a company passes the above tests, it will be recognised as an operator of personal data and must localise its databases in the Russian Federation. These legal requirements apply only to personal data collected on or after 1 September 2015, so there is no need to transfer to the Russian Federation personal data collected before that date.
Ensuring compliance with legal requirements
What does the term ‘database’ actually mean? Under the Civil Code of the Russian Federation (Article 1260), a database is a collection of independent materials (articles, calculations, regulatory acts, court decisions and other similar materials) systematised in such a way that they can be found and processed with the help of a computer. In this regard, the Ministry of Communications has explained that for the purposes of localisation, databases need only be maintained in electronic form. It is worth noting that foreign companies may move their databases to the Russian Federation either completely or partially (i.e., they can transfer only the personal data content and not the rest of the information).
Amendments to the Personal Data Law require operators to notify Roscomnadzor of their intention to process personal data by providing information on the location of the database (Article 22 of the Personal Data Law).
Roscomnadzor exerts strict control over companies’ fulfilment of their localisation duties in several ways. It can launch an off-site or on-site audit. During the audit, the agency usually examines the notifications sent by the operator and can require any necessary information, for example confirmation of the place where the databases are stored.
Liability for non-compliance with localisation requirements
At present, the only sanction for breach of legal obligations is provided by the Federal Law ‘On Information, Information Technologies and Information Protection’ (Law on Information).
According to Article 15.1 of the Law on Information, when Roscomnadzor detects violations, it files a petition to the court requesting that the company be added to the Register of personal data violators. Within three business days from the date of the court decision, Roscomnadzor notifies the company that it must remedy the violations. If a company does not comply within three business days of receipt, the hosting provider is obliged to limit access to the relevant information resource. From this moment, the internet site will be blocked in Russia, however it will not cease to function in the other countries.
It should be mentioned that in order to ensure compliance with the law, Roscomnadzor has already audited a number of international giants acting in Russia, including Microsoft Russia, Samsung Electronics Rus Company, Vkontakte, Lamoda and others. Besides that, Roscomnadzor officially announced that some of the blue-chip corporations acting in Russia like Aliexpress, eBay, PayPal, Uber and Booking decided to move their relevant databases into the Russian Federation before they were audited.
The most important practical case illustrating the activity of Russian authorities in this field is the LinkedIn social network case. On 4 August 2016, Tagansky District Court resolved that the LinkedIn internet site was intentionally collecting the personal data of Russian citizens without using a Russian database. As a result, it decided that LinkedIn Corporation, as domain name administrator, violated Russian legislation. On the basis of this decision, Roscomnadzor blocked the LinkedIn social network from Russian users. Furthermore, the Moscow City Court in the appeal supported the above decision.
The most significant point in this case was that the court rejected LinkedIn’s main argument that it could not be subject to Russian jurisdiction due to the absence of a legal presence in Russia, i.e., LinkedIn did not have a subsidiary or branch in Russia. That was the first test in court for a multinational corporation not located in Russia. The test confirmed the extraterritorial nature of the law.
Notably, Roscomnadzor recently issued a warning to another social network, Facebook, which has not yet confirmed its agreement to locate its databases in the Russian Federation. The agency stated that it will block Facebook if it fails to comply with this obligation.
What companies need to do
The Russian requirements governing personal data have created significant costs for companies that do business in Russia or handle the personal data of Russian citizens. Compliance requires the involvement of both lawyers and IT specialists to create systems and policies for handling personal data. Companies that already conduct activity in Russia need to review the content of their databases and their systems for handling personal data in Russia. Some databases will clearly need to be relocated to Russia, and based on local practice, moving them to a cloud service will not by itself solve the issue. So, the initial advice is to review what you have, assess how you collect the data, decide whether you really need it and identify the information that must be stored locally in Russia. The rest will be a matter for the IT and legal teams.
Alexander E. Karpukhin is a partner and Daria A. Sivkova is a lawyer at Orient Partners. Mr Karpukhin can be contacted on +7 915 434 4232 or by email: firstname.lastname@example.org. Ms Sivkova can be contacted on +7 916 301 8906 or by email: email@example.com.
© Financier Worldwide
Alexander E. Karpukhin and Daria A. Sivkova