Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

Moscow Court Upholds Ruling to Block LinkedIn in Russia for Non-Compliance with Data Localization Law

shutterstock_366140141In a case with major significance for foreign online businesses that do business in Russia, on Thursday, 10 November the Moscow City Court sustained a lower court ruling that granted the request of the Russian Data Protection Authority (Roskomnadzor) to block access to social network LinkedIn within Russian territory.

As we described in an earlier post, Roskomnadzor brought the action claiming that LinkedIn violated the data localization requirement in addition to other general Russian data privacy laws, for example by collecting personal data from non-users without their consent before the registration process was completed. The court of first instance sustained Roskomnadzor’s claim on 4 August 2016. According to the text of the available first instance court ruling (in Russian), LinkedIn’s representatives did not attend the hearing of the court of first instance, but filed an appeal.

Below is a summary of the parties’ key arguments at the hearing:

  • LinkedIn representatives argued that they were not duly notified of Roskomnadzor’s claim and the lower court hearing. LinkedIn claimed that it did not receive an initial notice of the court proceedings, and received a second notice only one day before the hearing, which was not enough time to even request an extension, much less translate the documents from Russian and prepare for a hearing. Roskomnadzor insisted that they notified LinkedIn well before the hearing – on 9 July 2016 – and that LinkedIn should have received it if had taken due care.
  • LinkedIn also argued that LinkedIn’s US entity was an improper defendant. LinkedIn’s privacy policy states that its US entity only processes the personal data of US residents, while personal data of residents of other countries, including Russia, is processed by LinkedIn’s Irish entity. Roskomnadzor responded that its claim was appropriately directed at the owner of the online service.
  • Further, LinkedIn’s representatives argued at the hearing that Russian laws should not apply to its platform because LinkedIn does not have a presence in Russia, and its activity is international and not directed specifically to Russia. LinkedIn also claimed that there are no statutory rules clarifying what online activity is deemed to be directed to Russian customers and thus subject to the localization requirement. Roskomnadzor responded by arguing that the platform is subject to Russian law because it offers a Russian-language version that is available by default for users accessing the website from within Russia.
  • To demonstrate that LinkedIn’s servers are located in the US (and thus noncompliant with the localization requirement), Roskomnadzor presented publicly available data to the court from the WHOIS database, including the location of the server. LinkedIn representatives objected that this information should have been provided in the lower court proceedings, but did not comment on the actual location of the servers.
  • Roskomnadzor also claimed that LinkedIn collects personal data of unregistered users, in violation of Russian data protection law. LinkedIn responded that it did not collect any personal data of unregistered users.  Roskomnadzor, however, argued that LinkedIn’s collection of unregistered users’ IP addresses, device model numbers, and cookie files constituted personal data.
  • LinkedIn claimed that Roskomnadzor’s evidence, based purely on a visible inspection, was not sufficient, and that there was no proof that Roskomnadzor had actually checked the functions of the platform and undergone the registration procedure. Roskomnadzor countered that its claims were based on information available on the platform and in publicly available documents.
  • LinkedIn also argued that Russian citizens voluntarily provide their consent for LinkedIn to process their personal data, and, therefore, their rights are not violated. Instead, LinkedIn argued, blocking the platform itself would violate Russian citizens’ rights.  Roskomnadzor responded that regardless of whether the company is foreign or local, and whether it has a presence in Russia, it must comply with Russian data localization requirement if its activity is directed to Russia.

After considering the parties’ arguments, the Moscow City Court dismissed LinkedIn’s appeal, finding that the lower court’s decision was in accordance with the Russian privacy regulations, including data localization requirement. The ruling of the appeals court enters into force immediately.  LinkedIn, however, has the right to file the second appeal within six months.

According to a statement by a Roskomnadzor spokesman (in Russian), after receiving the full text of the ruling, Roskomnadzor will include LinkedIn in the register of violators of data subjects’ rights, and will send a notification to telecommunications companies to block access to LinkedIn from within Russia.

Although the data localization requirement took effect in September 2015, this is the first case of Russia blocking access to a foreign online business due to non-compliance with the Russian data localization requirement.  There had been some doubt regarding how rigorously the data localization requirement would be applied, and this case indicates that at least in some circumstances, Roskomnadzor will aggressively push for websites to be blocked.  Similar online services should examine their compliance with the data localization requirements in light of this decision.