On June 13, 2019, a new draft bill imposing multi-million ruble fines for infringing Russian data localization and information security laws—multiplying the maximum penalty under current law by a magnitude of 240—was submitted to the State Duma (the lower chamber of Russian Parliament). This would supplement existing fines, which we reported were previously increased in 2017.
Tag Archives: Roskomnadzor
Russia: Main Takeaways from Roskomnadzor’s Open Doors Day
Recently, the Russian Data Privacy Authority, Roskomnadzor, organized an Open Doors Day in honor of the International Data Privacy Day. During the occasion, Roskomnadzor officers presented on the authority’s 2017 enforcement activities. They followed this presentation with an open question and answer period, during which they responded to numerous questions raised by attendees. This post summarizes the key takeaways.
Russia Partially Releases 2018 Data Privacy Inspection Plans
Two weeks ago, certain territorial divisions of the Russian Data Protection Authority, Roskomnadzor, published their 2018 plans for conducting inspections of local companies’ compliance with Russian data privacy requirements, including with Russia’s data localization requirement. The inspection plans contain a number of prominent multi-national and Russian companies.
Russian Data Protection Authority Publishes Privacy Policy Guidance
On 31 July, the Russian data protection authority, Roskomnadzor, issued guidance for data operators on the drafting of privacy policies to comply with Russian data protection law. Russia’s 2006 privacy law – Federal Law No. 152-FZ of 27 July 2006 “On Personal Data” – requires, among other things, that Russian data operators must adopt a privacy policy that describes how they process personal data. This notice requirement is similar to the approach in Europe. Furthermore, data operators shall publish such a policy online when personal data is collected online or otherwise provide unrestricted access to the policy when personal data is collected offline. The guidance – although non-binding and recommendatory in nature – emphasizes the regulator’s compliance expectations and should therefore be taken into account by organizations acting as data operators in Russia.
Russia Increases Fines for Violations of Data Protection Laws
On 7 February 2017, the Russian President signed into law a bill introducing amendments to the Russian Code on Administrative Offences that increases the amount of the fines imposed for violating Russian data protection laws and differentiates the relevant offences’ types. The greatest increase raises maximum fines for certain violations from RUB 10,000 to 75,000 (approx. USD 170 to 1,260).The law will come into force on 1 July 2017.
Russia Releases 2017 Data Privacy Inspection Plans; Microsoft Passes 2016 Inspection
At the end of 2016, territorial divisions of the Russian Data Protection Authority, Roskomnadzor, published their 2017 plans for conducting inspections of local companies’ compliance with Russian data privacy requirements, including data localization. The inspection plans contain a number of prominent multi-national and Russian companies.
Moscow Court Upholds Ruling to Block LinkedIn in Russia for Non-Compliance with Data Localization Law
In a case with major significance for foreign online businesses that do business in Russia, on Thursday, 10 November the Moscow City Court sustained a lower court ruling that granted the request of the Russian Data Protection Authority to block access to social network LinkedIn within Russian territory. Although the data localization requirement took effect in September 2015, this is the first case of Russia blocking access to a foreign online business due to non-compliance with the Russian data localization requirement. There had been some doubt regarding how rigorously the data localization requirement would be applied, and this case indicates that at least in some circumstances, Roskomnadzor will aggressively push for websites to be blocked. Similar online services should examine their compliance with the data localization requirements in light of this decision.
Russian Court Decrees LinkedIn Blocked in Russia for Non-Compliance with Data Localization Law
Media reports this week broke the news that a Russian court of first instance ruled this past August to block LinkedIn from Russian Internet users for violating Russia’s data localization law, which requires websites and other businesses that collected personal data from Russian citizens to store that data within the territory of Russia. According to the available court ruling, an appeal was filed and a hearing is scheduled for that appeal on 10 November 2016.
Russian Data Localization Update: A Year In
It has been a year since Russia’s data localization requirement came into force in September 2015, requiring companies to store within Russia databases containing personal data they collect from Russian citizens. Exactly one year later, the Russian Data Protection Authority, Roskomnadzor, issued a news release on the first year of enforcement.
In the update, Roskomnadzor stated that an absolute majority of the inspected companies comply with the data localization requirement and that noncompliance is low.
Russia Data Localization Update: Results from Regulatory Inspections Clarify Enforcement Approach
We last reported on Russia’s data localization law earlier this year when the Russian data protection authority, Roskomnadzor, released its inspection plan for 2016. Since then, Roskomnadzor has been conducting compliance inspections both according to the plan and in individual cases when it has reason to do so. The results of those inspections and recent […]
Russia Releases Data Localization Inspection Plan for 2016
In mid-January, the territorial divisions of Russia’s Data Protection Authority, Roskomnadzor, uploaded their 2016 plans for conducting inspections of local companies’ compliance with Russia’s data localization requirements, and there are a number of prominent multi-national companies on the list.
Russian Data Localization: Two Months In
We are now almost two months into the era of Russia’s Data Localization Law, which came into force on 1 September. While some expected immediate enforcement, the Russian Data protection Authority, Roskomnadzor, has not yet taken any action for a violation of data localization requirements. Last month, Roskomnadzor did take formal enforcement action to block a website and add it to register of violators of data subject rights for maintaining an illegal Internet database containing the contact details of over 1.5 million Russian citizens. This enforcement, however, was not for violation of the data localization law, but rather for the illegal collection and dissemination of personal data under other Russian data protection laws.
Russian Data Localization Law: First Day in Force and Schedule for Compliance Inspections
Today, on 1 September 2015, the Russian Data Localization Law came into force. So far there have been no unexpected developments or reports of any unplanned inspections by Roskomnadzor, the Russian Data Protection Authority. Existing planning documents, however, provide some predictability for organizations subject to the law about the schedule under which Roskomnadzor plans on conducting compliance inspections.
Russia Update: Regulator Publishes Data Localization Clarifications
As we reported last week, on 3 August 2015 the Russian Ministry of Communications, the agency that oversees the Russian data protection authority which will be enforcing Russia’s Data Localization Law, published unofficial clarifications on its website that provide a view into how the Ministry believes organizations must comply with the law. While these clarifications are non-binding, they constitute the only written regulatory guidance that has been published to date about the law, which takes effect on 1 September and requires organizations that collect personal data from individuals located in Russia to store that data within Russian territory. The Ministry’s website also provides a mechanism to ask further questions online. In this blog post, we summarize the main issues raised in the published clarifications, and the possible impact on global businesses seeking to comply with the law.
Russian Regulator Publishes Data Localization Clarifications One Month Before Sept. 1 Effective Date, Plus Other Developments
In September 2015 the Russian Data Localization Law will come into force, requiring organizations that collect personal data from individuals located in Russia to store that data within Russian territory. In this blog post, we summarize recent developments on how the law will be applied, including the unexpected publication of regulatory guidance issued by the government this week.
Recording and Deck from Webinar: Update on New Russia Data Localization Law
Thank you to everyone who participated in the Hogan Lovells webinar “Russia Data Localization Update: New Details Emerge from Meetings with Russian Regulator” on 2 April 2015. This update follows an October 2014 presentation by Hogan Lovells that outlined Russia’s newly enacted Data Localization Law. In this webinar, Hogan Lovells privacy and data protection Natalia Gulyaeva and Bret Cohen provided insight into the expectations of Russian regulators as the September 2015 implementation deadline approaches.
Russia Data Localization Law Update and Webinar: New Details Emerge from Meetings with Russian Regulator
With the September 2015 effective date of Russia’s Data Localization Law less than six months away, the Russian data protection authority, Roskomnadzor, has still not issued any formal guidance on how it interprets the law’s broad requirement that companies must process and store the personal data of Russian citizens within Russia. Roskomnadzor has, however, recently held a series of meetings with different industry groups about the law. While Roskomnadzor’s views as expressed in these meetings do not constitute a formal position, they provide insight into how the regulator is likely to interpret the law.
Russia Plans to Increase Fines for Violating Data Protection Laws
On 24 February, the Russian State Duma (the lower chamber of the Russian Parliament) adopted in the first reading a draft law introducing amendments to the Russian Code on Administrative Offences that would increase the amount of the fines imposed for violating Russian data protection laws and introducing a differentiation of the relevant offences’ types. Notably, the Draft Law does not introduce any separate fine for violating Russia’s new Data Localization Law, although there is still a possibility that this could be modified as the legislative process progresses.
Russia Changes Effective Date of Data Localization Law to September 2015
On 31 December, the Russian President signed into Federal Law No. 526-FZ a proposal to change the effective date of Russia’s Data Localization Law, first passed last summer, from 1 September 2016 to 1 September 2015.
Russian Data Localization Law May Now Come into Force One Year Ahead of Schedule, in September 2015
On 17 December, the State Duma (the lower chamber of the Russian Parliament) passed legislation that would change the effective date of Russia’s new law requiring the local storage in Russia of the personal data of Russian citizens (Data Localization Law) from 1 September 2016 to 1 September 2015. The legislation currently is subject to the Federation Council’s (the upper chamber of the Russian Parliament) and president’s approvals.
Insights from the Russian Data Protection Authority’s Conference on Personal Data Protection
In a recent client alert, partner Natalia Gulyaeva and associate Maria Sedykh from the Hogan Lovells Moscow Office joined associate Bret Cohen from the Hogan Lovells Washington, D.C. office to highlight key insights from the fifth annual conference on “Personal Data Protection” hosted by Roskomnadzor, Russia’s Data Protection Authority.
Recording and Deck from Webinar on New Russia Data Localization Law
Thank you to everyone who attended our webinar last Tuesday on the new Russian law introducing rules requiring the local storage of the personal data of Russian citizens. For those who were unable to make it, linked to this blog post are a recording of the entire webinar and a copy of the slide deck.