From poultry and cheese to data, Russia appears to have set the course on “localization.” This effort is taking place in response to the West’s pressure on Russia over its involvement in Ukraine. Lacking legislative gridlock, Russia is quick to pass laws requested by the government, and thus we are seeing the localization effort take hold at breakneck speed.  

In the latest round, President Putin signed into law an amendment—to go into effect September, 2016—to two Russian laws that address data protection: the federal law regarding information, information technology and protection of information of 2006, and the law on personal data of 2006. Broadly, the laws require local data processing and establish a mechanism for the government to prevent access to non-compliant websites, web pages or Internet services.

Russia’s new personal data legislation cannot, however, in fairness be referred to as “privacy” legislation. The localization requirement could, arguably, hamper the U.S. National Security Agency's ability to reach data about Russian citizens, but it does not enhance the citizen’s privacy vis-à-vis the Russian government. In fact, the amendments are “anti-privacy” statutes designed to make it easier for Russian law enforcement to access key data about Russian citizens (e.g., financial transactions and social media) and to prevent non-compliant websites from reaching Russian citizens, further cutting off the flow of information to the population.

The Russian government has already issued orders requiring companies to cooperate with the Federal Security Service (FSB) to install equipment that would allow the FSB to collect user information by automated means. In addition, amendments to media laws that came into effect on August 1, 2013 require Internet providers to disclose to the FSB information about the identities and browsing histories of visitors to media sites (including blogs) and to store this information in Russia for at least six months.

The latest amendments mandate data localization by requiring “operators” – entities that organize or perform data processing of personal data and determine the purposes and the nature of the processing – that collect personal data online or offline to use databases located in Russia to record, organize, accumulate, store, verify, update, revise and extract the personal data of Russian citizens.

The law also updates the database registration provision to require the registration documents to include information about the location of the databases containing the personal data of Russian citizens. It is important to note that the law does not require universal registration of personal data databases. For example, registration is not required for databases containing employee data, data processed in connection with an agreement between the operator and the data subject, business contact information or publicly available personal data.

The amendments further implement severe punitive measures on organizations that fail to comply with Russian data protection laws. Specifically, the law requires the country’s data protection regulator—the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (ROSKOMNADZOR)—to preclude access to information processed in violation of Russian data protection laws.

The amendments set out in detail the steps the regulator will take to prevent access to non-compliant services or data. First, the law requires the establishment of a list of violators. The list will contain the domain names or links to non-compliant sites and pages; the IP addresses that allow the identification of sites containing information processed in violation of Russia’s data protection law; and information about the nature of the violation and the enforcement action. Notably, a court order is required to include an organization in the list. Within the Russian legal system, however, a court order should be viewed as a low threshold because courts are not independent and generally abide by government requests.

Once a court order is issued, the regulator must, within three business days, identify the host or provider that services the websites or webpages that process personal data in violation of Russian data protection laws and require the host or provider to ensure the rectification of the violation. Notably—and this should give some clarity on the law’s purpose—the notification has to be provided in both Russian and English. The host or provider then has only one business day to notify the owner of the information resource (website or webpage) that is deemed to be in violation of the law. The owner of the offending site or webpage then has only one business day to rectify the violation.

One could view these requirements as draconian, but instead these unreasonable deadlines simply provide additional insight into the purposes of the law. Finally, if the owner does not rectify the violation, the provider or host must preclude access to the website or page within three business days after receiving notice from the regulator. If the provider or host or the owner fails to rectify the non-compliance, or the provider or host fails to preclude access to the offending website or web page, the law provides for communications providers to be automatically notified of the offending provider or host and for the communications providers to take immediate action to preclude access.

The enforcement prospects for the law are quite difficult to assess, owing to Russia’s lack of an independent regulatory or court system. The law should be viewed as a tool the Russian government can exercise to pursue companies that it views as non-compliant and that fail to disclose data to Russian regulators or security agencies. The law also gives the government a path to terminate access to social media platforms. There is no reason to believe that Russia would terminate access to Facebook or Twitter spontaneously, but the government hasn’t made a secret of its disdain for social media-driven “springs” and “color revolutions.” This law’s localization provisions would allow the Russian government to access information about any social media revolutionaries, while the punitive provisions would allow the government to curtail access to such sites.

What is important to note, however, is that the Russian government could take any of these actions whether or not there is a law on the books that permits them. And thus, this law should be viewed as putting Western companies on notice that they can no longer reach into Russia without being exposed to its enforcement mechanisms. The Russian DPA has taken some enforcement action under Russia’s pre-amendment data protection law, which is European in its flavor. But the actions appear to be low-key, not focused on major players. In fact, it is probably unfathomable to envision the DPA taking on a “connected” company unless the action is initiated “from the top,” as a favorite Russian expression goes.

Because the law does not go into effect until September 1, 2016, the delay both gives companies some time to decide whether they will abide by the rules or leave Russia and leaves open the possibility that the crisis will subside and there will be no need for Russia to pursue localization in this area. Whether your business is chicken, cheese or data, the advice for doing business in Russia never changes—tread lightly and be ready for anything. To the extent the government takes an enforcement action for non-compliance with the country’s data protection laws, the expectation should be that the action would not be solvable within the confines of Russia’s legal system. Thus any company that is serious about doing business in the country should develop a close relationship with a well-connected local law firm and be proactive in ensuring that its compliance posture satisfies the expectations of relevant government agencies. In Russia, this should not be a passive exercise, but a focused outreach effort.