Confusion and concern have surrounded Russia's personal data localization law since it went into effect on September 1, 2015. The law mandates that data operators that collect personal data about Russian citizens "record, systematize, accumulate, store, amend, update and retrieve" data using databases physically located in Russia. Prior Duane Morris Alerts ( October 16, 2015, September 2, 2015, and June 15, 2015) have addressed a number of the most salient requirements of the new law. The October 16, 2015, Alert summarized the progress on implementation of the law to date and discussed the predictions by Roskomnadzor (the Russian agency responsible for enforcing the law) and various commentators about future enforcement.

With more than six months of history now in the books, a review of how the law has been implemented and enforced is worthwhile; and consideration of future implementation, including expanded enforcement, is prudent.

2015 in Review

Initial indicators signal that Roskomnadzor is wholeheartedly committed to enforcement of the new law. In the remaining months of 2015 following enactment, Roskomnadzor conducted 302 inspections for compliance with the new localization rule. Roskomnadzor Head Alexander Zharov reported that the 2015 inspections revealed few and minor infractions and indicated that he anticipated violations would be corrected promptly and that no fines would be imposed on the violator companies. Nevertheless, despite the seemingly mild outcomes from the 2015 inspections, companies may be hasty to assume that future violators will be immune from harsher consequences. Rather, it may be useful to consider the enforcement of the data localization law in the larger context of Roskomnadzor's goals and actions.

In 2015, Roskomnadzor restricted access to roughly 7,300 websites found by Russian courts to host sundry and/or impermissible content. Among the more notable blocked sites were several Wikipedia articles (unblocked after articles about narcotics were revised) and Yahoo's sports site (sports.yahoo.com). More on point for the protection of personal data, in 2015, Roskomnadzor listed more than 100 websites on the Register of Personal Data Infringers and restricted access to over 30 websites for violating the Law on Personal Data,1 of which the data localization law is a subsection.2 As just one example, Roskomnadzor reported that it blocked access to an Internet database containing personal data on more than 1.5 million Russian citizens and that, on September 9, 2015—mere days after the law went into effect—it listed the database on the Register of Personal Data Infringers. At the time of this writing, the site, abonenty-chast2.pw, remains blocked. It may not be unreasonable to conclude, therefore, that the enforcement of the data localization law may follow Roskomnadzor's wider protocol of blocking violating websites.

Plans for 2016

Roskomnadzor has pledged, and has already initiated, an expanded effort to enforce data localization in 2016. Mr. Zharov declared that Roskomnadzor plans to inspect and evaluate more than 1,000 organizations for their compliance with the law in 2016. And the expanded scope of scrutiny is no mystery. Roskomnadzor has published a roster of audits planned for 2016, including the specific dates for the planned inspections. There seems to be little doubt that the list may be updated as the year progresses, and prudence suggests that companies should review the list at a minimum, and Roskomnadzor's website in general, for updates. The list already contains the names of many high-profile foreign entities; and it also confirms Zharov's earlier prognosis that 2016 audits will focus heavily on organizations with a large electronic commercial footprint.

Large Companies Impacted

Although Roskomnadzor suggested that the focus of its initial inspections would be on small and medium-sized companies, it appears that the initial strategy morphed quickly. In September 2015 (the same month the law was enacted), Roskomnadzor notified Facebook and Twitter, among others, of the requirements of the law, underscoring that both companies are subject to the law and would face audits "sooner or later."3 The change was particularly significant with regard to Twitter as Roskomnadzor previously stated that Twitter would not be required initially to comply with the law because it does not collect the type of data targeted by the law.4 The Russian branch of a global auto manufacturer was also audited in 2015. The published schedule confirms that numerous additional large companies are targeted for inspection in 2016.

Potential Ramifications

In light of the expanding enforcement of the data localization law, a number of foreign companies have publicly expressed, by words and/or actions, their commitment for compliance. For example, Roskomnadzor has reported that companies like Samsung, Lenovo, EBay, Uber, PayPal, AliExpress and Booking.com—none of which have historically hosted their data in Russia—have indicated that they will move applicable data to Russian servers. Samsung has already opened a large data center in Russia. And "data hosts" have been quick to capitalize on the intended increased enforcement. Orange and IXCellerate have expanded their sphere of influence to host the data of companies with no Russian data servers.5

Companies that do not comply with the data localization law may face a number of potential consequences. Initially, per Zharov's aforementioned statement, Roskomnadzor has instructed violators to remedy their defaults prior to facing harsher penalties. The Russian Code of Administrative Offences allows for the imposition of fines in the event of a failure to cure a violation.6 Continued and/or uncorrected violations may result in the blockage of a company's website. Though Roskomnadzor has historically blocked websites only pursuant to a court order, Zharov has indicated that Roskomnadzor may be given the autonomy to block websites without such an order.7 Though it is not currently known what circumstances would prompt Roskomnadzor to pursue this stiffer sanction, companies should be aware of all potential consequences in the event of a violation, or worse, continued noncompliance. The far-reaching detrimental consequences of being included on the Register of Personal Data Infringers or, worse, of having Russian online presence completely blocked are apparent—though likely avoidable.

Footnotes

[1] The data localization law, Federal Law No. 242-FZ, is an amendment to several Russian laws, including its core privacy law, Federal Law No. 152-FZ, dated July 27, 2006, "On Personal Data."

[2] See the March 2016 article by Pavel Sadovsky and Elena Agaeva, "Control over the Processing of Russia's Citizens' Personal Data Is Tightened," available at: http://epam.ru/eng/law-news/view/control-over-the-processing-of-russian-citizens-personal-data-is-tightened.

[3] See November 12, 2015, article by Sergei Blagov, "Russia Pledges More Data Localization Audits," for Bloomberg BNA, available at: http://bna.com/russia-pledges-data-n57982063580/; see also a September 2015 interview with Alexander Zharov, available at: http://rkn.gov.ru/news/rsoc/news34448.htm (in Russian).

[4] See the official statement released by Roskomnadzor on this topic on November 11, 2015, available at: http://rkn.gov.ru/press/publications/news35927.htm (in Russian); Roskomnadzor's official publication on January 20, 2016, available at: http://rkn.gov.ru/press/publications/news37225.htm (in Russian).

[5] See the September 2015 interview with Alexander Zharov, available at: http://rkn.gov.ru/news/rsoc/news34448.htm (in Russian).

[6] Sadovsky and Agaeva, "Control over the Processing of Russia's Citizens' Personal Data Is Tightened," available at: http://epam.ru/eng/law-news/view/control-over-the-processing-of-russian-citizens-personal-data-is-tightened.

[7] Blagov, "Russia Pledges More Data Localization Audits," for Bloomberg BNA, available at: http://bna.com/russia-pledges-data-n57982063580/.

If you have any questions about the topics discussed in this Alert, please contact Anthony L. Gallia, Maxim A. Voltchenko or Luke P. McLoughlin in our Philadelphia office, Allison Khaskelis in our New York office, any of the attorneys in our Information Technologies and Telecom Practice Group, any of the attorneys in our Privacy and Data Protection Practice Group or the attorney in the firm with whom you are regularly in contact.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.