New sanctions for failure to localize personal data in Russia

New sanctions for failure to localize personal data in Russia

11 December 2019

We would like to inform you that on the December 2nd, 2019, the President has signed the draft law introducing amendments to the Code of Administrative Offences of the Russian Federation (“Law”). In particular, the Law sets out new administrative fines for non-compliance with so-called localization requirement. The amount of related fines may be up to RUB 18,000,000 (approx. EUR 255,000, USD 282,000). This is extremely high, in comparison with other penalties, under Russian data protection laws.

Under the Law, it shall enter into force upon its official publication, which also took place on December 2nd, 2019.


On September 1st, 2015 the so-called data localization requirement entered into force. It implies that certain operations on Russian citizens’ personal data shall be performed in databases located in Russia. Companies operating in Russia made great efforts to fulfil this new requirement. At the same time, blockage of a website, or app, remained the only straightforward enforcement action against those who did not comply with the localization requirement. The best known example is LinkedIn, which is still not available for users in Russia.

Roskomnadzor (Russian data protection authority) found some workarounds allowing to bypass this regulatory gap and impose certain fines de facto for data localization reasons. In particular, it requested information on the location of the database, or prescribed rectification of revealed violation of the localization requirement (e.g., Facebook and Twitter cases). Failure to fulfil such orders is a ground for imposing administrative fines on the respective data controllers. However, their amount was too low for ensuring effective enforcement.

Roskomnadzor was not satisfied with such state of affairs and insisted on introducing new enforcement mechanisms.

New fines

According to the Law, the fine imposed on the companies may be up to RUB 6,000,000 (approx. EUR 85,000, USD 94,200) for the first localization offence and up to RUB 18,000,000 (approx. EUR 255,000, USD 282,000) for the subsequent offence.

Such high fines can significantly affect the privacy landscape in Russia. If, previously, risks for the companies processing personal data of Russian citizens, in cases of non-compliance with the localization requirement were rather remote, now they may become the most important issue in terms of data protection. Localizing data according to Russian laws still remains a great challenge requiring high costs (especially for data-driven companies), but now it may become a “must-have” measure for those companies which are planning to develop their business in the Russian market.

We hope that the information provided herein will be useful for you. If you or any of your colleagues would like to receive our newsletters via e-mail, please fill in the 'Subscribe' form at the bottom of the page.

Practices: Data Protection and Cybersecurity

Note: Please be aware that all information provided in this letter was taken from open sources. Neither ALRUD Law Firm, nor the author of this letter bear any liability for consequences of any decisions made in reliance upon this information.

We use cookies to offer better performance of the website and fulfill some other purposes specified in the Privacy Policy. By way of ticking the box you provide your consent to use of cookies. Otherwise, we will only use technical cookies, which are necessary for proper functioning of the website.