Russia's law on personal data in practice
20 December 2016

When it was first announced, Russia's requirement for the personal data of its citizens to be housed in-country raised many questions and doubts. However, companies that didn't act may now be feeling the effect.

The amendments to Federal Law no. 152-FZ "On Personal Data" (hereinafter – the Law) came into effect on September 1, 2015. They obliged personal data operators (hereinafter – Operators) to process the personal data of Russian citizens using servers located in Russia.

Since they were first passed, the new requirements have raised many questions from both operators and ordinary citizens, primarily because of the Law's vague wording, the absence of court practice, and partially contradictory clarifications from the regulatory authorities.

Nevertheless, a direct reading of the Law required Operators – particularly foreign companies whose data centres have historically been located outside Russia – to move the processing of Russian citizens' personal data onto servers in Russia, and within a short timeframe.

A tale of two approaches

More than a year after the amendments took effect, two particularly high-profile approaches to these requirements have emerged.

Google reportedly completed the transfer of its Russian user data to servers in Russia before the new Law's introduction. Since Google has a representative office in Russia, the new requirements directly affected its interests.

The business and employment-oriented social networking site LinkedIn, on the other hand, has no representative office in the Russian Federation and has not transferred data processing to Russian servers. It continues to operate its data centres in the USA and, just recently, following a suit filed by the Russian regulator, had its website blocked in Russia for violating the Law.

In its defence, LinkedIn's representatives argued that the Law defies the principle of extraterritoriality, since the social network has no representative office in the Russian Federation. They also highlighted that citizens provide their personal data voluntarily. However, the courts did not take these points into account.

TMF Group's experience

As an operator of personal data, TMF Group paid close attention to the matter of compliance from the moment the draft law was introduced. Given the complexity of the project, work to transfer servers began more than a year before the Law came into force. We obtained the relevant legal opinions, established relations with the Russian regulator and made numerous inquiries to define how the new requirements applied to external service providers such as ourselves, and whether there were any particularities or exceptions depending on the type of data, the IT infrastructure and so on.

The project of transferring data to Russian servers can be divided into organisational and technical measures:

  • Organisational measures included adopting new, or adapting existing, internal company policies on confidentiality and data protection, and renewing the threat classifications.
  • Technical measures included building data centres that met business requirements, implementing the software and hardware components, and integrating them with the existing IT infrastructure.

TMF Group's Russian data centre is fully operational and meets the company's requirements for data processing and the provision of disk space for our clients. Transferring the databases to Russia took around a year and a half to complete, and it is an experience we are always happy to share with our clients.

Points to note

These particularities may be useful for companies looking to introduce similar IT solutions in Russia:

  • Both the hardware and software parts of a data centre should consist of equipment that properly protects the data, and this protection should correspond to the particular operator's own threat model. The list of controls and the way they are matched to the threat model should be defined in accordance with internal company bylaws and the relevant Russian legislation.
  • If the data centre uses components that perform data encryption, certification by the Federal Security Service is required before they can be imported into Russia. If these components were not certified by the manufacturer, the company must obtain independent certification, a process that may cause a lengthy delay.

The amendments to the Law on Personal Data have presented operators in Russia with a dilemma, and understandably so: because the Law is vaguely worded, each operator must decide how to interpret it. One approach is more conservative and leads to higher expenses, or even makes operating in the country impossible. The second approach is more flexible.

Taking into account recent trends in Russian court practice and overall tendencies in the legislation – e.g. the recently adopted requirement for Russian communication providers to store communication history long term – it is prudent to say that, under a conservative business risk assessment, all operators working with Russian user data would do well to pay close attention to the data localisation requirements.

Written by

Andrei Korolev

Head of Legal, General Director, TMF Russia