How to comply with the Russian requirements on localization of personal data
Cheers to all businesses operating in Russia. In this article, we will look at the challenges foreign companies may face in relation to the Russian data privacy law.
On 2 December 2019, Federal Law No. 405-FZ on Introducing Amendments to Certain Legislative Acts of the Russian Federation entered into force. It introduced substantial penalties for individuals, officials and legal entities that fail to localize databases containing personal data of Russian citizens in Russia. Three years ago, LinkedIn was blocked on the territory of Russia for this violation.
The law provides (parts 8 and 9 of Article 13.11 of the Code of Administrative Offences of the Russian Federation) that for a first violation the fine for legal entities ranges from 1 million to 6 million rubles, and for a repeat violation from 6 million to 18 million rubles.
Compliance with the new legislation is strictly monitored by the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor).
Roskomnadzor's goal is to push large international corporations that target Russian users towards localizing data in Russia, since the most recent court cases against Facebook and Twitter resulted in nothing but fines of 3,000 rubles.
According to the regulator, the new fines should change the situation and force foreign companies to localize databases with personal data of Russian citizens within the borders of the country.
Russian Data Localization Law – who is at risk?
According to the law, any organization that stores the information of Russian nationals must move that data to Russian servers.
First, the new rules apply to global businesses, i.e. international companies, because almost all of their internal software (corporate accounting systems, intranets, HR systems, etc.) is located abroad. They also matter for foreign web services, such as Twitter and Facebook, which have not provided localized systems. The rules likewise affect developers of web services that originally chose to host their systems in Europe even though they work for a Russian audience.
For non-compliance with the localization requirements, as well as with the requirements of the Russian Federation law on personal data, Roskomnadzor can also block sites or restrict the processing of personal data in non-localized databases. The regulator's representatives can now verify localization through on-site inspections, establishing where a database containing personal information about Russians is located. They can also do so remotely, using external web services: entering the site's address and checking where the Internet service is hosted.
Therefore, companies whose information systems with personal data are located abroad should consider transferring databases with personal data of Russian citizens to servers physically located within Russian borders.
What actions need to be taken to comply with the requirements on PD localization?
1. Determine where personal data is collected, processed and stored in your company; how data backup is performed and where backups are stored.
2. Determine whether the processed data is personal or non-personal and whether it belongs to the categories of data that must be localized in Russia.
3. Identify which information systems (ERP, HR and accounting systems, CRM, etc.) and their databases can be subject to localization requirements.
4. Test your websites for Data Localization Law compliance.
How can I get caught for not complying with the law?
It is easy for foreign firms operating in Russia to overlook details, and national laws and regulations are exactly the kind of detail that gets missed. Regulatory compliance can often seem boring and is not given priority, but ignoring regulations can have adverse consequences.
For example, fines may be imposed for the lack of localization of internal information systems, or the processing of personal data in those systems may be suspended. However, such systems can be detected only during a direct, on-site audit, whereas websites can simply be blocked, because they are easier for Roskomnadzor to identify: the supervisory authority can detect violations of the personal data processing requirements simply by analysing the website.
Therefore, websites should be localized first, since their non-localization is the easiest to detect.
The following factors may serve as evidence that online activities target Russian nationals:
- Use of a Russian domain zone (.ru, .su, .рф, .moscow, etc.)
- A Russian-language version of the website
- Pricing in rubles
- Availability of Russian phone numbers
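A self-check a compliance or security team could run against its own pages for the four indicators listed above, as an added example that is not part of this article. The sample URL and HTML are constructed, and the patterns are simple heuristics assumed here, not Roskomnadzor's actual criteria.

```python
import re
from urllib.parse import urlsplit

# Indicators the article lists as evidence that a site targets Russian users.
# xn--p1ai is the punycode (IDNA) form of the .рф zone.
RU_TLDS = {"ru", "su", "moscow", "xn--p1ai"}
CYRILLIC = re.compile(r"[\u0400-\u04FF]{3,}")
# A number followed by a ruble marker, or "RUB" followed by a number (heuristic).
RUBLE_PRICE = re.compile(r"\d[\d\s.,]*\s*(?:₽|руб\.?|RUB)(?!\w)|RUB\s*\d", re.IGNORECASE)
# Russian numbering: +7 or a leading 8, then 3-3-2-2 digits with optional separators.
RU_PHONE = re.compile(r"(?:\+7|\b8)[\s\-(]*\d{3}[\s\-)]*\d{3}[\s\-]*\d{2}[\s\-]*\d{2}")


def russian_zone(url: str) -> bool:
    """True if the host's top-level label is one of the Russian domain zones."""
    host = urlsplit(url).hostname or ""
    try:
        host = host.encode("idna").decode("ascii")  # normalise .рф -> xn--p1ai
    except UnicodeError:
        return False
    return host.rsplit(".", 1)[-1].lower() in RU_TLDS


def targeting_indicators(url: str, html: str) -> dict:
    """Return which of the four targeting indicators apply to one page."""
    russian_version = bool(re.search(r'lang=["\']ru', html, re.IGNORECASE)) or bool(CYRILLIC.search(html))
    return {
        "russian_domain_zone": russian_zone(url),
        "russian_version": russian_version,
        "ruble_pricing": bool(RUBLE_PRICE.search(html)),
        "russian_phone": bool(RU_PHONE.search(html)),
    }


# Constructed sample page, not a real site.
SAMPLE_URL = "https://shop.example.рф/"
SAMPLE_HTML = """<html lang="ru"><body>
<h1>Магазин</h1><p>Цена: 1 990 ₽</p>
<p>Тел.: +7 (495) 123-45-67</p></body></html>"""

if __name__ == "__main__":
    for name, hit in targeting_indicators(SAMPLE_URL, SAMPLE_HTML).items():
        print(f"{name}: {'yes' if hit else 'no'}")
```

A page that hits several indicators is a candidate for the localization review in the checklist above; a page with none is not proof of non-targeting.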
Finally, define possible ways to fulfil the localization requirement for each information system that falls under it.
In general, Roskomnadzor has an increasing number of levers to control and oversee the implementation of the law on personal data. Therefore, international companies doing business in Russia should carefully check their compliance with the localization requirement.