About the Author
|Denis Vasiliev, Partner,
Podolsky and Klein
Denis Vasiliev is a seasoned attorney with an educational background from the International Independent University of Environmental and Political Sciences (IIUEPS) as well as the Law Faculty and the Academic Law Institute under the auspicies of the Institute of State Law of the Russian Academy of Sciences.
Before Denis joined Podolsky and Klein he worked for more than 10 years as a Head of legal department of Femida Audit which was a part of DFK International. Denis worked closely with large Russian and international clients, on projects related to tax, corporate, corporate structuring, corporate re-organizations, real estate, financial and contract law issues.
Alinga Consulting Group
+7 (495) 988-21-91
As this publication is going to print, a new law, which comes into force on the first of September, 2015, will mandate that the personal data (PD) of Russian citizens be stored only in Russia. Or maybe it doesn't. Or maybe it does, but not only in Russia. Or maybe not stored. Let's try to understand.
The law was passed unexpectedly. Further, it was approved not in a version that matches the opinion of Russia's relevant agencies and its business community. According to some unofficial comments, the Act targeted major Internet companies, such as large social networks and search engines, who hold and own a vast array of information about Russia's citizens. Initially the law's purpose, as announced, sounded quite noble and necessary - to ensure that every citizen of Russia, in providing their personal data, would be able to demand the data's deletion. To do this, every citizen must be able to call upon the controller of the personal data, and so this data should be in Russia and there should be a Russian address to which a request for deletion can be made.
No sooner said than done, but due to the lawmaker's rush to pass this law, and perhaps intentionally, the new bill which amended the law does not reflect exactly the ideal.
First of all, the law has now affects all companies, not just those who work on the Internet. But the most important aspect of the non-idea nature of the law is that it was not elaborated well enough. It has already been delayed once and the business community had high hopes that it's implementation would be postponed again, but this is unlikely.
At the time of this writing, the more common view, supported by the informal comments of officials at Roskomnadzor (RKN) and Russia's Ministry of Communications, is to ensure that from September 1, all organizations working with personal data have to store and use this data exclusively in Russia. If previously the data was transmitted or stored abroad, it is necessary to relocate the data to Russia, delete copies abroad, and then, taking advantage the right of cross-border data transfers, you can copy them back to overseas resources from Russia. This, again, is the most wide-spread and completely unofficial point of view. Of course, no one can say exactly how this will be verified pursuant to the law and the implementation of these actions. Many companies with foreign participation immediately began to indicate that compliance with the requirements of the Act would require too much effort, including their restructuring entire business models. Thus, the new law is a good potential reason to leave the Russian market.
In my view, all this is just a mere attempt to do nothing, hiding behind the scary predictions of falling investment attractiveness and the collapse of the Russian economy.
In fact, today there are very few instruments to control the execution of the law.
The first way refers to law-abiding organizations which, observing the requirements of the law, will report to RKN that they do work with personal data, store the data in Russia and give the address of the server where the data is stored. Then the RKN can visit and try to find non-compliance. Currently, there are no regulations to determine how they will do that.
Organizations that previously reported working with personal data could also be checked if, for some reason, they have not sent new information, updated with an address of where they store the personal data of Russian citizens with which they work.
Another way is to work with complaints filed by people who feel that their data is being used or stored in violation of the law. Since the list of organizations working with PD and reporting the location of the database will be (as promised) freely available, checking this will be simple enough, and then, upon confirmation of a violation, the standard legal procedure will take place – a warning, a court case, then blocking the website. Administrative fines will also be used.
Still another option is that RKN itself can verify compliance with the law, but this is doubtful as too many employees will be needed to do this.
So what is it that the new law requires? It is worded like this:
When collecting personal data, including through the information and telecommunications network "Internet", the operator is obliged to provide a record, systematization, accumulation, storage, clarification (update, change), the extraction of personal data of citizens of the Russian Federation with the use of databases on the territory of the Russian Federation.
Unfortunately, the limitations of this article do not allow us to dwell on all the gaps and shortcomings of the rule, so I shall note briefly the reasons for which this law, in my opinion, would be more or less clear, only after amendments are passed or the courts have clarified its application.
The first point is that the law applies to the collection of PD of Russian citizens. Not in all cases are individuals asked to provide citizenship as part of their PD given. Especially when working with PD online, some forms of information are communicated by the subject of personal data on their own. RKN advises that all persons providing PD should be by default considered citizens of Russia, until proven otherwise. The suggestions looks logical, but you can also enter a separate checkbox to confirm citizenship of Russia or any other nationality.
The second point - the legislation lacks a definition for the term "database" that is suitable for this instance. The only definition available in Part 4 of the Civil Code of Russia, speaks of the collections of intellectual works (scientific research, articles, etc.), which in this case is not applicable. Otherwise, we are left to rely on the common understanding of the word "database", a situation which is incorrect for such an important law.
Third, and most important - this provision of the law suggests that these actions must be carried out "with use of databases on the territory of Russia." That is, the law does not set a mandatory condition that the action must be carried out on the territory of Russia, there are no words that database must be exclusively on the territory of Russia. The norms related to the law on personal data are still allow for cross-border data transfer. So, the question boils down to the fact that in one form or another in Russia should be the base that is used in the processing of personal data. And the location of the database and the obligation to inform the RKN to the roster that RKN will maintain and publish, as promised, in the public domain.
At the same time, it must be remembered that, in principle, in some cases, if a notice to the RKN about dealing with personal data should was sent before, now a line should be added to that notice including the location of the PD database. If you have not submitted the relevant information to the RKN before, due to the fact that your situation does not fall under this law, then and now, nothing will change.
Summarizing, we can say that from our point of view, the requirements of the law are fully enforceable and, in many cases, with minimal cost, although the situation with cloud storage service requires a separate discussion.
If you are interested to discuss the subject “Storing Personal Data in Russia”, please register for a webinar by Denis Vasiliev.
About Alinga Consulting Group
Audit and Taxation Legal Accounting and Payroll
Questions? Ask Alinga's Experts!