We would like to inform you that on the 21st of November 2019, the State Duma of the Russian Federation (lower chamber of Russian Parliament) adopted amendments to the Code of Administrative Offences of the Russian Federation which introduce new administrative fines for non-compliance with so-called localization requirement (“Law”). The amount of related fines may be up to RUB 18,000,000 (approx. EUR 255,000, USD 282,000). This is extremely high, in comparison with other penalties, under Russian data protection laws.
The Law shall also be approved by the Federation Council of Russia (upper chamber of Russian Parliament), signed by the President and published. It will enter into force immediately upon its official publication.
On September 1st, 2015 the so-called data localization requirement entered into force. It implies that certain operations on Russian citizens’ personal data shall be performed in databases located in Russia. Companies operating in Russia made great efforts to fulfil this new requirement. At the same time, blockage of a website, or app, remained the only straightforward enforcement action against those who did not comply with the localization requirement. The best known example is LinkedIn, which is still not available for users in Russia.
Roskomnadzor (Russian data protection authority) found some workarounds allowing to bypass this regulatory gap and impose certain fines de facto for data localization reasons. In particular, it requested information on the location of the database, or prescribed rectification of revealed violation of the localization requirement (e.g., Facebook and Twitter cases). Failure to fulfil such orders is a ground for imposing administrative fines on the respective data controllers. However, their amount was too low for ensuring effective enforcement.
Roskomnadzor was not satisfied with such state of affairs and insisted on introducing new enforcement mechanisms.
According to the Law, the fine imposed on the companies may be up to RUB 6,000,000 (approx. EUR 85,000, USD 94,200) for the first localization offence and up to RUB 18,000,000 (approx. EUR 255,000, USD 282,000) for the subsequent offence.
Such high fines can significantly affect the privacy landscape in Russia. If, previously, risks for the companies processing personal data of Russian citizens, in cases of non-compliance with the localization requirement were rather remote, now they may become the most important issue in terms of data protection. Localizing data according to Russian laws still remains a great challenge requiring high costs (especially for data-driven companies), but now it may become a “must-have” measure for those companies which are planning to develop their business in the Russian market.
We hope that the information provided herein will be useful for you. If you or any of your colleagues would like to receive our newsletters via e-mail, please fill in the 'Subscribe' form at the bottom of the page.
Practices: Data Protection and Cybersecurity
Note: Please be aware that all information provided in this letter was taken from open sources. Neither ALRUD Law Firm, nor the author of this letter bear any liability for consequences of any decisions made in reliance upon this information.