Exactly two years have passed since amendments to Federal Law 152-FZ, On Personal Data, of 27 July 2006 (‘the Personal Data Law’), obliging data operators to store Russians’ personal data on servers in Russia, came into force. For now, it is too early to say that those failing to comply with these regulations are always punished. However, it is already clear that Russia’s lawmakers, in toughening the penalties and introducing new requirements, are treating the matter extremely seriously, as are the country’s law enforcement authorities, as shown by one of the most high-profile cases of the last two years: the blocking of LinkedIn’s website in Russia. This article explains the requirements for data storage, the situations in which foreign companies need to comply, and the penalties for non-compliance.
What is personal data?
The definition in the Personal Data Law is very broad: any information related to a directly or indirectly identified or identifiable individual (‘data subject’).
What do data operators have to do?
Use servers located in Russia to store Russian citizens’ personal data collected by them.
When does the obligation arise?
Under section 18(5) of the Personal Data Law, operators collecting personal data, including via the internet, must ensure that Russian citizens’ personal data is recorded, classified, accumulated, stored, revised (updated or amended) and retrieved using databases located in Russia. There are some exceptions to this, set out in section 6(1) of the law, namely in item 2 (processing for purposes provided for by an international treaty to which Russia is party, or for exercising and performing functions, powers and obligations imposed on the operator by Russian law), item 3 (processing in connection with an entity’s involvement in constitutional, civil, administrative or criminal court proceedings, or proceedings in arbitration courts), item 4 (processing when providing state or municipal services) and item 8 (processing for the performance of journalistic activities, lawful media activities, or scientific, literary or other creative activities, provided that the data subject’s rights and legitimate interests are not violated).
Hence, under section 18(5) of the Personal Data Law, the obligation to store the data on a server in Russia arises only if personal data is being collected (and the other conditions are met). If there is no collection, the obligation does not arise.
The term ‘collection’ is not defined in the Personal Data Law. According to clarifications (‘the Clarifications’)(1) from Russia’s Ministry of Telecom and Mass Communications (‘the Communications Ministry’), ‘collection’ means ‘a deliberate process of obtaining personal data by an operator directly from a data subject or through third parties especially engaged for this’. Where personal data is collected by another entity (e.g., an employer) and subsequently provided to a foreign entity for processing, that foreign entity is exempt from the localisation requirement, as it has not collected the personal data.
Article 18(5) of the Personal Data Law refers to the collection of Russian citizens’ personal data. However, it does not explain how a subject’s citizenship is to be determined. The Communications Ministry has also left this to operators to decide for themselves. It is recommended that the issue of determining citizenship be covered in the operator’s documents (for example, in its personal data processing policy). If this issue is ignored, according to the Communications Ministry, the obligations may be deemed to apply to all personal data collected in Russia.
It should be noted that even a subject’s consent to the processing of their personal data using foreign servers does not exempt the operator from having to use servers in Russia, as confirmed by the Clarifications.
Does the requirement to use a server in Russia apply to foreign companies?
Even if a foreign company operates online, with no physical presence in Russia, it may still be subject to this requirement if it meets the main criterion: that its activities are targeted at Russia.
According to the Communications Ministry, the following may serve as evidence of a company’s activities being targeted at Russia:
– the use of a domain name related to Russia (.ru, .рф, .su, .москва, .moscow, etc.);
– the existence of a Russian-language version of the company’s website, whether created by the site owner or by another party engaged by the owner (except for machine-translated versions), combined with any of the following:
  – the possibility for payments to be made in Russian rubles;
  – the possibility for goods to be supplied, services rendered, or digital content used in Russia, or other examples of contract performance in Russia;
  – the use of advertising in Russian linking to the website;
  – other factors providing clear evidence of the site owner’s intention to include the Russian market in its business strategy.
Therefore, if there is clear evidence that a foreign company’s activities are targeted at Russia, and the company collects Russian citizens’ personal data through its website, the company must store that data on servers in Russia (except in the cases of the exemptions provided by the Personal Data Law and outlined above).
Furthermore, if a foreign entity’s activities are targeted at Russia (in accordance with the above criteria), that entity is subject not just to the requirement to use a server in Russia, but also to the other requirements of the Personal Data Law, including the requirements to notify the authorised body of the personal data processing, to publish a document defining the operator’s personal data processing policy, to appoint a person responsible for personal data processing, and so on.
Liability for non-compliance
The Russian Code of Administrative Offences (‘CAO’) includes various provisions on liability for non-compliance with the Personal Data Law. Foremost among these is the latest version of section 13.11 of the CAO, which defines seven administrative offences; also relevant are sections 5.39 (‘Refusal to provide information’), 13.14 (‘Unauthorised disclosure of restricted information’) and 19.7 (‘Failure to provide information’).
By European standards, the administrative penalties under these sections are small. For example, the maximum fine under section 13.11 is just RUB 75,000 (approximately EUR 1,100 as at 1 September 2017). In addition, it is extremely difficult to enforce a fine imposed on a foreign company with no physical presence in Russia.
Even so, the Federal Service for Supervision of Communications, Information Technology and Mass Media (‘Roskomnadzor’), the agency responsible for protecting data subjects’ rights, has a much more practical way to deal with offenders: blocking their website.
Therefore, for foreign companies that are subject to, but have not complied with, the personal data obligations, the main practical penalty for non-compliance with the Personal Data Law is the blocking of access to information that is processed in contravention of the legislation on personal data, i.e. the blocking of their website.
Roskomnadzor also maintains a register of violators of data subjects’ rights. According to section 15.5(5) of Federal Law 149-FZ, On Information, Information Technologies and Information Protection, of 27 July 2006, an entry is made in the register if an operator’s violation of personal data legislation is confirmed by a court ruling that has taken effect.
Recommendations for foreign companies
To minimise the risk of their website being blocked in Russia, foreign companies are recommended first to assess whether their activities fit the criteria for being targeted at Russia. If there is clear evidence that they do, the company needs not only to store Russian citizens’ personal data on servers in Russia, but also to comply with the other requirements of the legislation on personal data, and to be ready to cooperate effectively with Roskomnadzor.
(1) The Clarifications are available at http://minsvyaz.ru/ru/personaldata/#1438546529980 (accessed on 1 September 2017).