About the Author
Tatyana Bushueva received a degree in economics from Vyatka State Agricultural Academy, majoring in Accounting, Analysis and Audit. She also holds a law degree received from the Kirov branch of Moscow State Law Academy. Tatyana is a certified auditor. Prior to joining Alinga’s team Tatyana worked in several other auditing companies.
Alinga Consulting Group
Federal Law № 242-FZ dated 21.07.2014
“On Changes to Russian Legislation Regarding Adjusting the Procedure for Processing Personal Data in Information and Telecommunications Networks”
1. Introduction. Legislative requirements.
Personal data – any information pertaining directly or indirectly to a specified or unspecified individual (personal data owner).
Federal Law № 242-FZ dated 21.07.2014 introduces changes to the Federal Law “On Information, Information Technology and Information Security” which obligate the owner of the information and operator of the information system to ensure “that an information database is located in the Russian Federation which collects, records, systematizes, accumulates, stores, adjusts (updates, changes) and extracts the personal data of Russian citizens.” These changes will come into effect starting 1 September 2016.
Prior to processing personal data, the operator must inform the proper authority. As of 1 September 2016, these notifications must contain information on where the database is located.
However, the legislation does not explicitly prohibit duplicating information. Therefore, the internet service can theoretically store data simultaneously in both Russia and overseas.
The law in question has also removed monitoring and oversight of compliance with requirements on distribution of information on the Internet from the scope of the law on the rights of legal entities. This means that whereas the Russian Federal Oversight Agency for Information Technology and Communications (Roskomnadzor) can currently audit a company only once every three years (this is regulated by Federal Law 294-FZ), once this law comes into effect on 1 September 2016 the agency will be able to perform an audit at any time. Moreover, Roskomnadzor will not be obligated to publish an audit schedule for the following year and, consequently, companies will not know when they may face an audit.
2. Consequences of violating personal data storage procedures:
According to the law, Roskomnadzor should limit access to information which is “processed in violation of the law,” that is, outside Russia. This will be possible on the basis of an enforceable court ruling. The authorities will send a letter to the hosting service or its owner reporting the legal violation. If the latter does not take “immediate measures” to remedy the violation, then the authorities will send a second letter to the responsible providers with an order to block the site. A register of violators of personal data rights will be created in order to restrict access to them.
In addition, existing legislation provides liability for violating the established procedure for collecting, storing, using and disseminating information about citizens (Article 13.11 of the Code of Administrative Offenses). Such a violation results in a warning or a fine, which for legal entities is between 5,000 and 10,000 rubles.
3. Problems (discussed on the Internet):
- Resources such as Facebook, Twitter and Booking.com, among others, fall under these amendments, along with thousands of online stores, hundreds of airline companies and visa services.
Even if individual companies (for example, Google and Microsoft) agree to establish their data centers in Russia, many services will not be able to meet the requirements of Russian law. Foreign online stores will not be able to provide their services in Russia since they must process data in the country in which they operate. A similar situation may occur with foreign airline ticket or hotel booking services (Booking.com), accommodation services (Airbnb), as well as payment services (PayPal). They must store their data on international servers so that other companies may access them from any country. The adopted law does not specify if access to information in Russian data centers will be permitted from other countries.
- Imposing such requirements on IT companies raises the problem of reliably identifying Russian citizens. Under current Russian law, whether someone is a citizen of one country or another is determined, for example, based on a Russian citizen’s passport. Thus, internet resources must choose:
  - to include identification of all users according to their passport information;
  - to reject Russian users;
  - to place all of their servers in the Russian Federation;
  - to disregard Roskomnadzor’s instructions and be blocked in the Russian Federation.
- Lawyers have issued the following opinion based on an analysis of the legal conditions:
The obligation to ensure that all Russians’ personal data is processed within Russia will be assigned to so-called “personal data operators,” a term which the federal law “On Personal Data” and Roskomnadzor itself understand to mean Russian companies and representative offices/branches of foreign companies that perform any activity with personal data in Russia (this response is on the agency’s website). An important conclusion can be drawn from this: foreign companies (including Facebook and Booking.com) that do not have representative offices in the Russian Federation are not formally subject to this law.
- The new version of the law stipulates that companies should ensure that any operation performed with Russian citizens’ personal data is done using only databases located within Russia. This requirement explicitly prohibits any transfer of personal data overseas (since data transferred overseas would then be processed in databases located outside of the Russian Federation). However, a multitude of questions arise in this situation that no one is able to answer yet (neither the law, nor the authorities):
  - How can data be transferred outside of Russia without violating the requirement that this data can only be on servers located in Russia?
  - What should companies do if they have branches in different countries and use a shared CRM (customer relationship management) system among all of their offices? In this situation, the data may be downloaded to a server located outside of Russia.
  - How will travel agencies in Russia book hotels in other countries? How will airlines sell tickets for multi-stop flights that are serviced in part by foreign airlines?