Russia changes data protection storage law

In July 2014 the Lower Chamber of the Russian Parliament (“Duma”) passed Federal Law No. 242-FZ of 21 July 2014, sub-titled: "On introduction of amendments into certain legislative acts of the Russian Federation relative to clarification of procedure of processing of personal data in information and communication networks".

The law states that all operators of personal data who deal with the personal data of Russian nationals are obliged to use databases and servers physically located in the Russian Federation. An operator of personal data in the context of this law is, generally speaking, any company which collects and processes personal data.

Initially it was planned that these requirements would come into force from 1 September 2016, but the effective date was changed at the end of last year with Federal Law No. 526-FZ;  it now comes into effect on 1 September 2015.

The amendments to the law on personal data mean that where a company collects and processes personal data of Russian nationals (particularly, but not exclusively, via the internet), it must make sure that the servers storing the personal data are physically located in the Russian Federation. 

What does this mean for international companies in Russia?

Nowadays many large companies that work in Russia, especially international ones, maintain their databases on servers abroad and on cloud drives. Sometimes companies also keep their main database on a server in Russia, while a back-up database is stored on server(s) in other countries.

Unfortunately this approach will have to change from 1 September 2015. The problem here is that the provisions of the law are rather general and can be construed in different ways. For example, keeping the single copy of a database of personal data on server(s) located abroad shall be fully prohibited, while the possibility of keeping a back-up copy abroad provided that the main database is kept in Russia is not directly regulated by the law. It should be noted that certain clarifications in this respect (in the form of letters) were issued by the regulator, however according to Russian laws such documents may not be regarded as mandatory normative acts.

The requirements have to be further clarified by more specific sub-legal acts (by-laws) adopted by different state authorities in the area of electronic communication. Regrettably such by-laws are not available as of now, so at this particular moment nobody in Russia knows for sure which options with regard to personal data storage are prohibited and which are not after 1 September 2015.

We will constitute monitoring this issue and keep you updated.

Read more about doing business in Russia

Andrey  Korolev
Technical update

Keeping up to date

You can now receive our insights and regulatory updates direct to your inbox by choosing the topics and jurisdictions that most interest you. 

Subscribe to our e-Alerts.