On September 1, 2015, a law came into effect regarding how the personal data of Russian citizens is stored. Although over a year has passed, the law is again making headlines as the social network LinkedIn was recently blocked for failing to comply with new legal requirements. Today, we’d like to clear up some of the confusion surrounding this legislation and what exactly is stipulated by it.
Federal law 242-FZ (dated 21.07.2014, on Amending Some Legislative Acts of the Russian Federation in as Much as It Concerns Updating the Procedure for Personal Data Processing in Information-Telecommunication Networks) states: “During personal data collection, inter alia, through the Internet, the operator shall ensure that databases located within the Russian Federation are used to record, systematize, accumulate, store, clarify (update or modify) and retrieve personal data of citizens of the Russian Federation, except for cases specified in clauses 2, 3, 4, 8 of part 1 of Article 6 of this Federal Law.” In other words, if any service handles the personal data of a Russian user in any way, this data must be saved on equipment physically located within the Russian Federation. We’d like to point out that this law does not prohibit data from being duplicated, meaning it can be saved both on a server in Russia and abroad at the same time.
The Federal Service for Supervision in the Sphere of Telecom, Information Technologies, and Mass Communications of Russia (Roskomnadzor) has already identified several organizations that have not complied with the new law. The head of the agency, Aleksandr Zharov, mentioned four companies who have failed to meet the new requirements.
Zharov states that Roskomnadzor has inspected 600 companies, 4 of which have been given additional time to implement a system to comply with the new legislation.
Let’s look at a few points to see who is exempt from this law, how multinational companies have responded to it, and what the consequences are.
Russian citizens have the right to demand their personal data be deleted if they are hosted in violation of the law.
The Minister of Communications explained, “If any activity is regulated by international agreements or relevant legislation, they are not affected by this law.” The Ministry of Telecom and Mass Communications of the Russian Federation, for example, has exempt international airline reservation systems from the law (otherwise global systems like Amadeus, Galileo, and KIU would not include Russian airlines).
Approximately 45 000 organizations have submitted information to Roskomnadzor regarding where they store Russian users’ personal data.
Many major international organizations have complied with the legislation; Samsung, Lenovo, AliExpress, Ebay, PayPal, Uber, Booking.com, Apple, Google and many others have already moved their data. Facebook still remains unclear; according to the latest information, representatives of the social network have refused to move, and in theory, Roskomnadzor should block their resource (as they did with LinkedIn).
Thomas Myrup Kristensen, Facebook’s director of public policy in Scandinavia, Central and Eastern Europe, and Russia, has explained that Facebook does not consider the transfer financially sound, nnor does the company consider account information personal data.
The law understands “personal data” as “any information that is directly or indirectly related to an individual (the subject of the personal data)”. We can assume that email addresses are not considered personal data (its owner is “not defined” and “unidentifiable”), but the combination of email address and full name is. That is to say that Facebook accounts (for the most part) satisfy the definition set by Russian legislation. On June 14, it became known that the Ministry of Telecom and Mass Communications has suggested expanding this definition so that all private data (including a user’s search history) is considered personal data, but no final decision has been made.
In September, Roskomnadzor created a registry of companies who have violated the law on Personal Data; within the first two months, around 10 sites were added to the list. In addition to being blocked, owners of sites that do not comply with the law are threatened with a fine, ranging from 500 rubles (for individuals) to 10 000 rubles (for legal entities), in accordance with Article 13.11 of the Code of Administrative Violations. In addition to a fine, those who break the law on Personal Data face civil, criminal, and disciplinary charges. For the most serious offenses, fines can reach upwards of 300 000 rubles.
At the time of writing this article, information on 366 046 personal data operators have been noted on the Roskomnadzor site (Russian).
By the end of this year, Roskomnadzor plans to inspect roughly 900 more companies. According to information on Gazeta.ru, the agency issued a total of 10.4 million rubles in fines for the improper storage and processing of personal data. The Chief of the Department for Protection of Personal Data Owners’ Rights, Yuri Kontemirov, noted 1448 violations.
If a user is uncertain that their personal data is being stored properly, they can look that up. Firstly, they can ensure the service operator is listed in Roskomnadzor’s registry (Selectel’s registration number is 78-16-003207). Then they can submit a request for information on the location of their personal data; the law requires service operators to respond to such requests (at Selectel, all data is stored and processed in accordance with our regulatory documentation on gathering and storing personal data).
What are users entitled to request?
- Confirmation that the operator processes personal data
- The legal grounds and reasons why their personal data is being processed
- The purpose and means by which the operator processes personal data
- The name and location of the operator and information on individuals (other than operator’s employees) who have access to personal data or to whom personal data can be disclosed per an agreement with the operator or federal law
- Other personal data relevant to the individual and its source provided that no federal law dictates otherwise
- The time required to process personal data, including time personal data is stored
- The rights of the personal data owner provided by the current legislation
- Information about planned or completed international transfers of personal data
- The full name and address of the individual(s) or entity(-ies) that process personal data for the operator if processing will be or has been performed by such entity
Users are legally entitled to request this information and operators cannot refuse to provide it.
If you’re thinking about expanding to Russia, our specialists would be more than happy to help you find a suitable solution! You can reach them by e-mail at firstname.lastname@example.org, live chat from our home page, or even by phone at +7 (800) 555 0675. Otherwise, take a look at our services page or our partner, vScale.