Data Localization Audits Begin in Russia For Some

Published: Sep. 03, 2015

Updated: Oct. 05, 2020

Companies collecting Russian citizens’ personal data are now subject to Russia’s data localization law and potentially face an audit by the Russian communications regulator, Roskomnadzor. The Russian government plans to audit 317 companies by the end of 2015, or 0.012% of all companies it believes are working with personal data in Russia. However, Roskomnadzor does not plan to audit foreign-based companies until 2016, giving transnational companies more time to comply with the accelerated deadline. But this is not a free pass to companies based outside of Russia, as Roskomnadzor reserves the right to inspect any company. The Ministry of Communications, the agency that oversees Roskomnadzor, released unofficial, non-binding guidance in August 2015, the only written regulatory guidance issued to date, to answer questions about how the law will likely be applied. The following is a brief summary of some of the key clarifications.

Likely enforcement targets

The law is vaguely written to apply to any online or offline data operator that processes any Russian citizen’s personal data, including the recording, systematization, accumulation, storage, update, change, or retrieval of that data. The guidance specifically called out two types of personal data-collecting organizations that will likely be targeted: (1) those with a physical presence in Russia, and (2) those that target Russian consumers over the Internet. The Ministry clarified that the second group of organizations does not automatically include any website accessible from Russia. Criteria to determine whether a website is directed towards Russians include the site’s domain name (e.g., .ru, .su, .moscow), whether there is a Russian-language version of the website, the presence of Russian-language ads, and the ability to process transactions in Russian rubles.

Moreover, the guidance indicates that organizations that receive personal data from another organization as part of a legitimate, routine business activity are not intended targets. This would include personal data such as employee contact information received in an email, but would not extend to an organization that deliberately collects personal data from third parties.

Finally, there is an exemption for personal data processed for the purpose of pursuing objectives envisioned by Russian law. According to the guidance, Russian and foreign airlines are exempt because of international treaties covering commercial air travel. The guidance is decidedly less elucidating regarding the routine processing of employees’ personal data. Although employee data processing is subject to Russian legal requirements, it would be best for organizations to consider this data subject to the law until a clearer position develops.

Which data?

The guidance confirms that the law will not apply retroactively. Any data collected before September 1, 2015 is not subject to the new storage and documentation requirements, so long as the personal data is not changed. If the previously collected personal data is changed or updated, the law applies to that revised data.

The law applies to Russian citizens’ data, but neither the law nor the new guidance provides a systematic way to determine citizenship. The guidance suggests that if citizenship is not reasonably clear, organizations should apply the data storage requirements to any personal data collected from Russia.

Requirements

The clarifications did elaborate on the storage requirements and restrictions set forth in the law. Initial collection and any updates or changes need to occur on Russian servers, and such servers must act as the primary database. However, organizations may use, transfer, remotely access, delete, and store data on a secondary database outside of Russia. The guidance indicates that cross-border transfer is acceptable under the law so long as it complies with other cross-border transfer requirements.

While the guidance is instructive, its unofficial, non-binding status necessitates that businesses err on the side of caution when developing a response to the law until a clearer picture of enforcement develops.