What does the new law do?
It requires data operators who collect personal data of Russian citizens (individuals) to process that data using data centres located in the Russian Federation.
When will it be in force?
The law has been enacted, but the proposed commencement date has been changed several times. It is now 1st September 2015 and there is no indication of any further postponement.
What happens if we breach it?
Roskomnadzor, the Russian Data Protection Authority, can block websites and online resources of businesses, as well as impose fines.
Does it apply to our global business?
No, it applies to companies with a presence in Russia. Roskomnadzor has expressed the view that the law applies to operators that are Russian companies, foreign companies with a Russian presence, or foreign operators where the collection of personal data is in connection with activity on the territory of the Russian Federation (such as offering products or services to Russian citizens in Russia via the internet).
So a UK company can ignore the law if it doesn't do business in Russia - even if it employs Russian citizens?
Correct. Similarly if a Russian citizen applies for a position at such a company by posting their resumé on the company’s website which is hosted outside Russia, there is no requirement to save a copy in Russia.
What if we do business in Russia but we hold data on a Russian employee or customer in connection with another part of our business?
Provided you can establish that the data is not related to the business in Russia, it is not affected by the new law. This might not be clear cut. For example, you would need to consider whether a customer's business at the New York branch resulted from the company's marketing activities in Russia. In practice it would be hard for Roskomnadzor to prove that it did, but the risk of challenge will exist wherever an operator has a Russian presence. If the Russian and non-Russian business activities are operated by different entities within a group, this would make the position clearer.
If we do have data which is subject to the new law, does it mean we have to move our existing databases to Russia?
The new rules do not have retroactive effect, which means that they do not apply to already existing databases. That said, if any update is required to the personal data in such a database, then the new rules will start to apply. In practice, this freezes the content of your existing databases unless you move them to Russia. Since many data protection regimes require the accuracy of databases to be maintained and enable the data subject to require that its data be corrected, it may not be practicable to maintain a "frozen" database outside Russia.
Should we separate out our data on Russian citizens and store it separately from that on other data subjects?
This requires a cost-benefit analysis for each company. Don't forget the law only applies to data on Russian citizens in connection with a Russian activity. So as a first step it might be simpler to identify data related to the Russian activity and isolate that.
If we locate data on Russian citizens in data centres in Russia, can we access that data from outside Russia?
Yes. The new law does not prohibit accessing the Russian databases from abroad. The existing Data Protection Law already imposes requirements on cross-border transfers and these have not been amended or repealed.
What about the information we extract and send in e-mails to places outside Russia? Could we be breaking the law because this information is effectively being processed outside Russia?
The new law does not expressly prevent you from keeping a duplicate database outside Russia or from having extracts of the data in e-mail etc. However, if any update is required to the personal data in such a database, it can be updated only by way of receiving updated information from the database located in Russia, i.e. the primary Russian database should be updated first, then the database located outside Russia.
How do I find out more?
There has been no official guidance published in relation to the law and there are still areas of uncertainty; this FAQ has been prepared on the basis of informal discussions with Roskomnadzor. Generally, formal statements of Roskomnadzor's position are published on its website: http://eng.rkn.gov.ru/