As we reported last week, on 3 August 2015 the Russian Ministry of Communications, the agency that oversees the Russian data protection authority which will be enforcing Russia’s Data Localization Law, published unofficial clarifications on its website that provide a view into how the Ministry believes organizations must comply with the law. While these clarifications are non-binding, they constitute the only written regulatory guidance that has been published to date about the law, which takes effect on 1 September and requires organizations that collect personal data from individuals located in Russia to store that data within Russian territory. The Ministry’s website also provides a mechanism to ask further questions online. In this blog post, we summarize the main issues raised in the published clarifications, and the possible impact on global businesses seeking to comply with the law.
In September 2015 the Russian Data Localization Law will come into force, requiring organizations that collect personal data from individuals located in Russia to store that data within Russian territory. In this blog post, we summarize recent developments on how the law will be applied, including the unexpected publication of regulatory guidance issued by the government this week.
With the September 2015 effective date of Russia’s Data Localization Law less than six months away, the Russian data protection authority, Roskomnadzor, has still not issued any formal guidance on how it interprets the law’s broad requirement that companies must process and store the personal data of Russian citizens within Russia. Roskomnadzor has, however, recently held a series of meetings with different industry groups about the law. While Roskomnadzor’s views as expressed in these meetings do not constitute a formal position, they provide insight into how the regulator is likely to interpret the law.
On 24 February, the Russian State Duma (the lower chamber of the Russian Parliament) adopted in the first reading a draft law introducing amendments to the Russian Code on Administrative Offences that would increase the amount of the fines imposed for violating Russian data protection laws and introducing a differentiation of the relevant offences’ types. Notably, the Draft Law does not introduce any separate fine for violating Russia’s new Data Localization Law, although there is still a possibility that this could be modified as the legislative process progresses.
On 31 December, the Russian President signed into Federal Law No. 526-FZ a proposal to change the effective date of Russia’s Data Localization Law, first passed last summer, from 1 September 2016 to 1 September 2015.
On 17 December, the State Duma (the lower chamber of the Russian Parliament) passed legislation that would change the effective date of Russia’s new law requiring the local storage in Russia of the personal data of Russian citizens (Data Localization Law) from 1 September 2016 to 1 September 2015. The legislation currently is subject to the Federation Council’s (the upper chamber of the Russian Parliament) and president’s approvals.