On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to privacy in Russia.

Featured News and Resources

Russia amends data protection law

Russia enhanced personal data subjects’ rights by changing fines and extending the limitation period for data-related breaches. Nikita Maltsev breaks down the revamped slate of fines and new limitation period under the federal law.

Russia restricting public data processing

Gorodissky & Partners Senior Lawyer Stanislav Rumyantsev, CIPP/E, has the details on the new rules and how data controllers should prepare for them.

Make GDPR and Russian Localization Law compatible

Oleg Blinov suggests encryption could be “a strategy that would be in formal compliance with Russian personal data law while maintaining a high level of protection of data subject’s rights and interests.”

Latest News and Resources

Russian data protection law updates take effect Sept. 1

Russia's Federal Service for Supervision of Communications, Information Technology and Mass Media, the Roskomnadzor, summarized recent changes adopted for the Federal Law on Personal Data that will take effect Sept. 1. The updates include required data breach notification and language to prohibit contractual data processing that includes conditions to restrict data subject rights. The Roskomnadzor also proposed future amendments to create a stiffer penalty and liability scheme around data breaches. Fu...

Russian ransomware group claims to publish Costa Rican government data on dark web

A Russian-linked ransomware group stole more than a terabyte of Costa Rican government data, Tech Monitor reports. Conti took credit for the attack, which targeted six Costa Rican governmental departments, including tax and customs administration and finance ministry. Conti demanded a $10 million payment by April 23. Following Costa Rica’s refusal to pay, the group claimed to release 80% of the stolen data on the dark web. The Costa Rican government website has been down since the attack took pl...

Moscow metro launches facial recognition payment system

The city of Moscow launched "Face Pay," a facial recognition fare system for its network of more than 240 metro stations in the city, Reuters reports. "Moscow is the first city in the world where this system is operating on such a scale," Maxim Liksutov, head of the city's transport department, said. The Moscow metro system serves a population of 12.7 million people in Moscow. Using "Face Pay" as a way to pay your fare is not required, Liksutov added, and the previous payment methods will ...

UK, US say Russian hackers carried out SolarWinds attack

ZDNet reports U.K. and U.S. intelligence agencies accused hackers from a Russian foreign intelligence service of executing various cyberattacks, including the SolarWinds data breach. In the U.S., the accusation was included in a joint advisory from the National Security Agency, Cybersecurity and Infrastructure Security Agency, and Federal Bureau of Investigation, also noting five ongoing system vulnerabilities that need patching. The U.K. National Cyber Security Centre issued its own claim placi...

Russia’s Data Localization Law

Russia amends data protection law to increase personal data subjects’ rights

According to the Country Commercial Guide of the U.S. International Trade Administration, Russia is the sixth-largest economy globally, and its gross domestic product purchasing power parity is USD 4.016 trillion. The country has more than 140 million people with growing purchasing power that demand well-known global brands and quality service. All these factors make Russia a strategic market for different international companies. Russian legislation evolves rapidly, and the personal data laws...

Encrypt your data to make GDPR and Russian Data Localization Law compatible

Russian law mandates data controllers store and update data collected from Russian citizens using Russian servers. Not only is this obligation technically complicated and often costly from the business perspective, but it is also a headache for the data protection officer. After all, keeping a portion of your user database located outside of the EU in a country that is not deemed adequate under Article 45 of the EU General Data Protection Regulation may conflict with data minimization and may ne...

Overview of the Russian Ministry of Telecom and Mass Communications Clarification on the Data Localization Law

In August 2015, the Russian Ministry of Communications and Mass Media (Minsviaz) issued clarifications regarding the scope of Russia’s jurisdiction for enforcing the data localization law. While not binding upon the agency, they currently are the only regulatory guidance available on the law. This client alert from international law firm Grata offers an English language overview of the clarifications.