Update: On 3 December 2019 the law imposing multi-million Ruble fines for infringing Russian data localization and information security laws has come into force. Since the law has already come into force, new fines may be imposed on companies based on results of Roskomnadzor’s inspections in 2020. Roskomnadzor has already identified the entities it plans to inspect in 2020 but may initiate unplanned inspections as well based, for example, on data subject complaints or its online monitoring of company activity.
On June 13, 2019, a new draft bill imposing multi-million ruble fines for infringing Russian data localization and information security laws—multiplying the maximum penalty under current law by a magnitude of 240—was submitted to the State Duma (the lower chamber of Russian Parliament). This would supplement existing fines, which we reported were previously increased in 2017.
Vietnam’s new Law on Cybersecurity has garnered much attention due to its sweeping attempt to regulate online content available to internet users in Vietnam. Among its more controversial provisions are the requirements that both foreign and domestic online service providers store personal data of Vietnamese end-users in Vietnam, surrender such data to Vietnamese government authorities upon request, and supervise user posts to remove “prohibited” content (defined to include content viewed as disparaging of the Vietnamese government and/or government officials or state agencies). The law also requires offshore service providers to open branches or representative offices in Vietnam, presumably to facilitate enforcement of the Cybersecurity Law against them.
On June 12, 2018, the Vietnamese National Assembly passed the Law on Cybersecurity (the “Cybersecurity Law”), which will take effect on January 1, 2019. Among other aims, the law seeks to regulate data processing methods of technology companies that operate in Vietnam and restrict the Internet connections of users who post “prohibited” content. The seemingly broad application of the law’s provisions understandably caused concern among foreign tech companies serving Vietnamese end-users with fears of mandatory data localization and requirements to establish a physical presence in Vietnam.
India’s Committee of Experts has submitted a draft Data Protection Bill for review by the Ministry of Electronics and Information Technology. The Bill represents an important milestone for India, which has yet to enact comprehensive, principles-based data protection regulation, lagging a trend set in recent years by Singapore, the Philippines and others in the region playing catch up to Hong Kong and Japan, which have both had such regulation in place for years now.
Two weeks ago, certain territorial divisions of the Russian Data Protection Authority, Roskomnadzor, published their 2018 plans for conducting inspections of local companies’ compliance with Russian data privacy requirements, including with Russia’s data localization requirement. The inspection plans contain a number of prominent multi-national and Russian companies.
On 19 May 2017, the Cyberspace Administration of China released a revised draft of its Security Assessment for Personal Information and Important Data Transmitted Outside of the People’s Republic of China Measures. The draft emerged just over a week after public comments closed on the first draft of the measures. the Second Draft Export Review Measures do, to an extent, relax some of the more stringent requirements stated in the First Draft Export Review Measures and originally due to become law on 1 June, 2017 when China’s Cyber Security Law takes effect. However, the revised draft measures as set out in the Second Draft Export Review Measures still leave a significant compliance challenge for multi-national businesses operating in China . We explore the Second Draft Export Review Measures below.
On 11 April 2017 the Cyberspace Administration of China published a circular calling for comments on its draft Security Assessment for Personal Information and Important Data Transmitted Outside of the People’s Republic of China Measures. Public comments are open through 11 May 2017.
At the end of 2016, territorial divisions of the Russian Data Protection Authority, Roskomnadzor, published their 2017 plans for conducting inspections of local companies’ compliance with Russian data privacy requirements, including data localization. The inspection plans contain a number of prominent multi-national and Russian companies.
In a case with major significance for foreign online businesses that do business in Russia, on Thursday, 10 November the Moscow City Court sustained a lower court ruling that granted the request of the Russian Data Protection Authority to block access to social network LinkedIn within Russian territory. Although the data localization requirement took effect in September 2015, this is the first case of Russia blocking access to a foreign online business due to non-compliance with the Russian data localization requirement. There had been some doubt regarding how rigorously the data localization requirement would be applied, and this case indicates that at least in some circumstances, Roskomnadzor will aggressively push for websites to be blocked. Similar online services should examine their compliance with the data localization requirements in light of this decision.
Media reports this week broke the news that a Russian court of first instance ruled this past August to block LinkedIn from Russian Internet users for violating Russia’s data localization law, which requires websites and other businesses that collected personal data from Russian citizens to store that data within the territory of Russia. According to the available court ruling, an appeal was filed and a hearing is scheduled for that appeal on 10 November 2016.
It has been a year since Russia’s data localization requirement came into force in September 2015, requiring companies to store within Russia databases containing personal data they collect from Russian citizens. Exactly one year later, the Russian Data Protection Authority, Roskomnadzor, issued a news release on the first year of enforcement.
In the update, Roskomnadzor stated that an absolute majority of the inspected companies comply with the data localization requirement and that noncompliance is low.
We last reported on Russia’s data localization law earlier this year when the Russian data protection authority, Roskomnadzor, released its inspection plan for 2016. Since then, Roskomnadzor has been conducting compliance inspections both according to the plan and in individual cases when it has reason to do so. The results of those inspections and recent […]
Debated in Parliament since 9 December 2015, the French Digital Bill was subject to a Senate vote on 3 May 2016, two weeks before publication of the General Data Protection Regulation (GDPR) in the EU’s Official Journal. The Digital Bill as voted for by the French Senate on 3 May 2016 includes a data localization […]
In mid-January, the territorial divisions of Russia’s Data Protection Authority, Roskomnadzor, uploaded their 2016 plans for conducting inspections of local companies’ compliance with Russia’s data localization requirements, and there are a number of prominent multi-national companies on the list.
We are now almost two months into the era of Russia’s Data Localization Law, which came into force on 1 September. While some expected immediate enforcement, the Russian Data protection Authority, Roskomnadzor, has not yet taken any action for a violation of data localization requirements. Last month, Roskomnadzor did take formal enforcement action to block a website and add it to register of violators of data subject rights for maintaining an illegal Internet database containing the contact details of over 1.5 million Russian citizens. This enforcement, however, was not for violation of the data localization law, but rather for the illegal collection and dissemination of personal data under other Russian data protection laws.
On 1 September 2015, Russia’s much anticipated data localization law came into force. In recent interviews with European CEO and The Financial Times, Natalia Gulyaeva, partner in Hogan Lovells’ Moscow office, highlighted some key elements for multinationals to consider when doing business in Russia. In the interviews, Natalia explains that Roskomnadzor is not likely to conduct compliance audits on large multinational companies for some time and will allow for the transfer of data out of Russia as long as the primary database is inside Russia. She also highlighted that because Russia’s definition of “personal data” is very broad, companies should treat all information used to assist in the identification of individuals as “personal data.”
Today, on 1 September 2015, the Russian Data Localization Law came into force. So far there have been no unexpected developments or reports of any unplanned inspections by Roskomnadzor, the Russian Data Protection Authority. Existing planning documents, however, provide some predictability for organizations subject to the law about the schedule under which Roskomnadzor plans on conducting compliance inspections.
As we reported last week, on 3 August 2015 the Russian Ministry of Communications, the agency that oversees the Russian data protection authority which will be enforcing Russia’s Data Localization Law, published unofficial clarifications on its website that provide a view into how the Ministry believes organizations must comply with the law. While these clarifications are non-binding, they constitute the only written regulatory guidance that has been published to date about the law, which takes effect on 1 September and requires organizations that collect personal data from individuals located in Russia to store that data within Russian territory. The Ministry’s website also provides a mechanism to ask further questions online. In this blog post, we summarize the main issues raised in the published clarifications, and the possible impact on global businesses seeking to comply with the law.
In September 2015 the Russian Data Localization Law will come into force, requiring organizations that collect personal data from individuals located in Russia to store that data within Russian territory. In this blog post, we summarize recent developments on how the law will be applied, including the unexpected publication of regulatory guidance issued by the government this week.
Thank you to everyone who participated in the Hogan Lovells webinar “Russia Data Localization Update: New Details Emerge from Meetings with Russian Regulator” on 2 April 2015. This update follows an October 2014 presentation by Hogan Lovells that outlined Russia’s newly enacted Data Localization Law. In this webinar, Hogan Lovells privacy and data protection Natalia Gulyaeva and Bret Cohen provided insight into the expectations of Russian regulators as the September 2015 implementation deadline approaches.
With the September 2015 effective date of Russia’s Data Localization Law less than six months away, the Russian data protection authority, Roskomnadzor, has still not issued any formal guidance on how it interprets the law’s broad requirement that companies must process and store the personal data of Russian citizens within Russia. Roskomnadzor has, however, recently held a series of meetings with different industry groups about the law. While Roskomnadzor’s views as expressed in these meetings do not constitute a formal position, they provide insight into how the regulator is likely to interpret the law.
On 24 February, the Russian State Duma (the lower chamber of the Russian Parliament) adopted in the first reading a draft law introducing amendments to the Russian Code on Administrative Offences that would increase the amount of the fines imposed for violating Russian data protection laws and introducing a differentiation of the relevant offences’ types. Notably, the Draft Law does not introduce any separate fine for violating Russia’s new Data Localization Law, although there is still a possibility that this could be modified as the legislative process progresses.
On 31 December, the Russian President signed into Federal Law No. 526-FZ a proposal to change the effective date of Russia’s Data Localization Law, first passed last summer, from 1 September 2016 to 1 September 2015.