In September 2015 the Russian Data Localization Law will come into force, requiring organizations that collect personal data from individuals located in Russia to store that data within Russian territory. In this blog post, we summarize recent developments on how the law will be applied, including the unexpected publication of regulatory guidance issued by the government this week.
After many requests for compliance guidance since the law was enacted last summer, on Monday 3 August, the Ministry of Communications, the agency that oversees the Russian data protection authority which will be enforcing the law, published unofficial clarifications on its website that provide a view into how the Ministry believes organizations must comply with the law. While these clarifications are non-binding, they constitute the only written regulatory guidance that has been published to date. We are currently reviewing and synthesizing this guidance, so stay tuned to the blog for a further update soon.
In addition to asking for guidance, this past year the business community has persistently lobbied the Russian government to postpone the effective date of the law at least to September 2016, the date of the law when initially passed. The latest attempt took place in June within the St. Petersburg International Economic Forum when the Association of European Businesses (AEB) asked the Russian President to “freeze” implementation of the law until September 2016. There were no further official comments from the President’s Administration in response to this request. However, the Minister of Communications, Mr. Nikiforov, commented thereafter that there are no plans to postpone the effective date.
Mr. Nikiforov also commented that airline companies would be exempted from the Data Localization Law, as they process personal data in accordance with international treaties, one of the law’s exceptions. Recently, it also was reported that the Ministry of Communications provided the Ministry of Transport with a letter making the same claim, although without indication of the exact international treaties that apply.
Notwithstanding the unofficial clarifications issued by the Ministry of Communications, Roskomnadzor, the Russian data protection authority, has still not issued any of its own written clarifications on enforcement of the law. Nevertheless, over the past few months it has regularly met with concerned industry and trade associations. The latest of these group meetings took place on 23 June with AEB and on 10 July with the Russian Association for Electronic Communications (RAEC). In these meetings, Roskomnadzor generally reiterated its position from industry meetings held earlier this year on how the law should be interpreted. For our analysis of the results of those meetings, click here.
In these meetings, Roskomnadzor also indicated that it expected those businesses which are already registered as data operators in Russia to promptly supplement their notifications with the location of their databases, as required by Russian law. Roskomnadzor also commented that it is aware that its position that the employee data should not be exempted from the Data Localization Law differs from the position of the Ministry of Communications. This interpretation may be adjusted in the course of discussions between the authorities, but for now the conservative position is to treat employee data as subject to the localization requirements.
Finally, the Head of Roskomnadzor, Mr. Zharov, recently commented that the agency’s audit function had developed a list of 317 companies that it would inspect for compliance with the localization requirements by the end of 2015. Mr. Zharov did not name all the companies from this list, but he did mention a few, such as the St. Petersburg Branch of Rostelecom, Scartel, and Lukoil-Inform. Having checked the unified plan for state authorities inspections, we have found all the named organizations there. Therefore, businesses listed on the unified plan may be likelier to face a compliance audit by the end of the year.