In July 2014 the Lower Chamber of the Russian Parliament
("Duma") passed Federal Law No. 242-FZ of 21 July 2014,
sub-titled: "On introduction of amendments into certain
legislative acts of the Russian Federation relative to
clarification of procedure of processing of personal data in
information and communication networks".
The law states that all operators of personal data who deal with
the personal data of
Russian nationals are obliged to use databases and servers
physically located in the Russian Federation. An operator of
personal data in the context of this law is, generally speaking,
any company which collects and processes personal data.
Initially it was planned that these requirements would come into
force from 1 September 2016, but the effective date was changed at
the end of last year with Federal Law No. 526-FZ; it now
comes into effect on 1 September 2015.
The amendments to the law on personal data mean that where a
company collects and processes personal data of Russian nationals
(particularly, but not exclusively, via the internet), it must make
sure that the servers storing the personal data are physically
located in the Russian Federation.
What does this mean for international companies in Russia?
Nowadays many large companies that work in Russia, especially
international ones, maintain their databases on servers abroad and
on cloud drives. Sometimes companies also keep their main database
on a server in Russia, while a back-up database is stored on
server(s) in other countries.
Unfortunately this approach will have to change from 1 September
2015. The problem here is that the provisions of the law are rather
general and can be construed in different ways. For example,
keeping the single copy of a database of personal data on server(s)
located abroad shall be fully prohibited, while the possibility of
keeping a back-up copy abroad provided that the main database is
kept in Russia is not directly regulated by the law. It should be
noted that certain clarifications in this respect (in the form of
letters) were issued by the regulator, however according to Russian
laws such documents may not be regarded as mandatory normative
The requirements have to be further clarified by more specific
sub-legal acts (by-laws) adopted by different state authorities in
the area of electronic communication. Regrettably such by-laws are
not available as of now, so at this particular moment nobody in
Russia knows for sure which options with regard to personal data
storage are prohibited and which are not after 1 September
We will constitute monitoring this issue and keep you
In this article Filippo Noseda examines the impact of the Common Reporting Standards (CRS), based on practical examples of data transfer and data breaches and analysed in the light of general tax law principles.
Brexit will have fundamental implications for the UK data protection regime. Until Brexit takes place, there will be a period during which its precise form and implications for UK data protection laws are not clear.
Four years after the overhaul of European data protection laws began, the final text of the new General Data Protection Regulation (GDPR) was approved in Spring 2016 and the new rules will come into effect on 25 May 2018.
The EU Commission has now formally adopted the EU-US Privacy Shield arrangement for the legal transfer of personal data from the EU/EEA to the US.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).