We are now almost two months into the era of Russia’s Data Localization Law, which came into force on 1 September. While some expected immediate enforcement, the Russian Data protection Authority, Roskomnadzor, has not yet taken any action for a violation of data localization requirements. Last month, Roskomnadzor did take formal enforcement action to block a website and add it to register of violators of data subject rights (link in Russian) for maintaining an illegal Internet database containing the contact details of over 1.5 million Russian citizens. This enforcement, however, was not for violation of the data localization law, but rather for the illegal collection and dissemination of personal data under other Russian data protection laws.
In addition to the enforcement action, Roskomnadzor has published a handful of other updates on its website about compliance with data protection law and localization requirements.
On 3 September, Roskomnador published a short update (Russian) stating that it has started to receive information on the location of data operators’ databases, “including foreign ones.” On this same topic, a Roskomnadzor representative, Ms. Gafurova, commented publicly at a recent event of the Franco-Russian Chamber of Commerce on data protection that Roskomnadzor received to date approximately 2,000 notifications on the location of the data operators’ databases and approximately 1,500 information letters on the same. These notifications were made in response to the new requirement introduced under the Data Localization Law that organizations required to file data processing notifications with Roskomnadzor must now include the physical locations of their databases in their filings.
In response to many comments in the media related to whether the Data Localization Law applies to foreign entities, Roskomnadzor on 7 September published a statement on its website (Russian) confirming that any company collecting personal data from Russia, irrespective of its place of incorporation, may be audited for compliance with the Data Localization Law. The statement includes a diagram that demonstrates how Roskomnadzor will assess the compliance of a non-Russia-based website that collects data from Russian citizens, which Roskomnadzor may block in Russia in case it uncovers that the website is not complying with the Data Localization Law or other Russian data protection laws. The enforcement activity described in the diagram aligns with unofficial clarifications about the Data Localization Law that were published in August on the website of the Ministry of Communications (which oversees Roskomnazdor), in which the Ministry stated, as a general rule, that the Data Localization Law will apply to the Internet activity of foreign organizations that is targeted to a Russian audience.
As a final development, Mr. Zharov, the Head of Roskomnadzor, stated in one of his recent interviews (Russian) that the Data Localization Law has so far been a success. He commented that not only does the law protect the rights of Russian citizens, but also has boosted investment in the Russian economy and the development of the Russian IT industry, citing the actions of companies like Samsung, Orange, and IXCellerate that have opened data centers in Russia.
As we reported previously, Roskomnadzor is still working its way through its 2015 inspection plan, so it is still possible that there will be enforcement of the Data Localization Law by the end of the year. Also, in the next few months Roskomnadzor is expected to publish its 2016 inspection plan, at which point we will know more about which local and foreign businesses may be subject to compliance audits.