After threatening to move the effective date of its new data localization law from September 1, 2016 to January 1, 2015, Russia settled on a more reasonable, albeit accelerated, timeline. At the end of December, Russia enacted Federal Law No. 526-FZ, which changed the effective date of its new data localization law, Federal Law No. 242-FZ (“242-FZ”), to September 1, 2015. Although it is a full year earlier than originally announced, the amended effective date is a relief to companies grappling with the potential ramifications of the law and the proposed January 1 effective date.
242-FZ will clearly affect companies with Russian offices or subsidiaries that collect personal data from Russians, such as social networking companies, retailers, and banks. The law requires Russian data operators to (1) store Russians’ personal data on servers in Russia and (2) notify the Russian data protection authority, the Roskomnadzor, of the servers’ location(s). It is still unclear if the requirement extends to foreign data operators that do not have a physical presence in Russia. It is also unclear whether the law applies only to Russian citizens or also foreigners living in Russia, but an official of the Roskomnadzor has suggested that it applies to any employee in Russia. The terms of the law do not explicitly prohibit cross-border transfers of personal data or restrict data processing to Russian-based servers, though any data transfers would require a basis in Russian law. Companies that violate the law will be listed in a register of violators, subject to a fine, and potentially have their websites blocked.
There has been widespread confusion and conflicting statements about the law since its passage. The Roskomnadzor has yet to issue any official guidance. In November 2014, it held a conference focusing on the law, but officials only expressed personal views. In many instances, these views have conflicted with other commentators, most notably the President’s Administration to the Association of European Businesses whose unofficial “clarifications” suggested that the law would retroactively apply to collected personal data and that the data stored on Russian servers should not be copied onto servers outside of Russia. It is expected that the Roskomnadzor will issue some guidance prior to the effective date of the law.
Russian government officials emphasize that the purpose of the data localization law is to better protect the security of Russians’ personal data. They also argue that no single country should have a monopoly on user data, such as a country which may be home to the world’s major search engines, social networks, and online commerce platforms. While the law has been positioned as a response to the Snowden leaks, critics have stressed that in practice, data localization laws merely permit national governments to control information and monitor citizens’ activities, as best illustrated by China’s current system.
Update 9/4/2015: Russia’s data localization law is now in effect. Read our updated guidance here.
Photo by happy_serendipity from Flickr
Photo cropped from original
