In July 2014 the Russian legislature adopted a set of amendments to the Federal Law "On Information, Information Technologies, and Information Protection" and to the Federal Law "On Personal Data" (the "Amendments to the Personal Data Law"). Once in force on September 1, 2016, the new legislation will have a significant business impact on companies operating in and outside of Russia that keep records of any personal data, whether that data relates to consumers, employees, or third-party partners. There is an ongoing debate about bringing the legislation into force earlier than September 1, 2016; the contemplated new effective date is January 1, 2015. Below are the most significant developments in the Amendments to the Personal Data Law and their anticipated effect on the activity of corporations operating in Russia.
1. Personal Data Databases Shall Be Located in Russia
The most significant change, and the one likely to have the largest business impact on companies operating in and outside of Russia, is a new requirement that "databases which are used for gathering, recording, systemizing, accumulation, storage, updating and uploading of personal data of the Russian citizens" shall be located in Russia. Under the amendments, "an operator gathering personal data, including by Internet, must ensure recording, systemizing, accumulation, storage, updating and uploading of personal data of the Russian citizens with the databases located on the territory of the Russian Federation." Hence, operators collecting data from Russian citizens will need to host the databases used for these operations, and the information technology infrastructure supporting them, in a data center located in Russia, whether the data relates to consumers, employees, or third-party partners. The amendments do not introduce any additional specific liability or penalties for failure to "ensure" the location of data centers and other physical resources used for personal data processing in Russia.
In light of the Amendments to the Personal Data Law, a sophisticated company should also take into account the existing requirement to comply with the prescribed protection levels for personal data. Under this requirement the Russian authorities mandate that operators of personal data introduce technical and organizational mechanisms to protect personal data in accordance with the applicable protection level. From the technical standpoint, an operator of personal data may use both cryptographic and non-cryptographic devices. Import of cryptographic devices into Russia is subject to a notification procedure, provided that the symmetric key length does not exceed 56 bits and the asymmetric key length does not exceed 512 bits; the notification procedure is fairly straightforward and takes approximately 7-10 business days. Import of all other cryptographic devices requires a special license. Note that these thresholds sit well below what is currently considered secure (56-bit symmetric keys and 512-bit RSA keys are both within reach of practical brute-force or factoring attacks), so in practice almost any cryptography an operator would actually want to deploy falls under the licensing regime rather than the notification procedure. In addition, an operator should note that the use of a cryptographic device may require certification[1] with the Russian Federal Security Service (FSB), and the use of a non-cryptographic device requires prior certification with the Russian Federal Service for Technical and Export Control (FSTEC). Unless the relevant certification is obtained, neither type of device may be used in Russia.
2. Introduction of the "Register of Infringers of Rights of the Personal Data Subjects"
Another significant and separate change under the amendments is the introduction of the "Register of Infringers of Rights of the Personal Data Subjects" (the "Register"). The Register will list the "domain names and/or webpages and weblinks on the Internet" as well as the "web addresses which identify internet sites" of internet services and social networks that are deemed "infringers." No reference is made to operators that process the personal data of their employees and/or customers and keep such data in their own data centers (i.e., without direct web access for third parties).
Any domain name and/or webpage or weblink on the Internet may be included in the Register on the basis of an enforceable court decision. Any individual who believes that his or her personal data rights have been violated may initiate the relevant court proceedings. The claim may be brought against the Russian regulator (currently Roskomnadzor), and the holder of the domain name and/or webpage or weblink in question need not be notified of the anticipated proceedings. Once the court decision comes into effect, the "personal data subject" whose rights have been infringed may apply to Roskomnadzor with a complaint seeking to "restrict access to infringing information." Roskomnadzor, in turn, has three days to react to the complaint and then order the relevant internet service provider ("ISP") to block access to the domain name and/or internet site address in question. The ISP has one day to ask the relevant domain name/website owner for "voluntary compliance" with the regulator's order. After that, if no "voluntary compliance" is provided, access to the relevant domain name/website will be blocked.
1. Certification with the Russian Federal Security Service (FSB) usually requires the following set of documents: (1) the model of security threats with respect to the personal data and the model of the intruder; (2) technical documentation with respect to the devices; (3) an opinion confirming that the devices may be used; (4) a register of the devices in use; (5) a register of the technical documentation with respect to the devices; (6) a register of the storage media holding personal data; (7) a local act specifying the persons with access to the personal data; (8) a personal data security policy; (9) a policy on the use of the devices; and (10) a policy on the storage of personal data storage media.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.