Changes Impacting Businesses that Process Personal Data in Russia
On July 21, 2014, a new law Federal Law № 242-FZ was adopted in Russia (Database Law) introducing amendments to the existing Federal Law “On personal data” and to the existing Federal Law “On information, information technologies and protection of information.” The new Database Law requires companies to store and process personal data of Russian nationals in databases located in Russia. At a minimum, the practical effect of this new Database Law is that companies operating in Russia that collect, receive, store or transmit (“process”) personal data of natural persons in Russia will be required to place servers in Russia if they plan to continue doing business in that market. This would include, for example, retailers, restaurants, cloud service providers, social networks and those companies operating in the transportation, banking and health care spheres. Importantly, while Database Law is not scheduled to come into force until September 1, 2016, a new bill was just introduced on September 1, 2014 to move up that date to January 1, 2015. The transition period is designed to give companies time to adjust to the new Database Law and decide whether to build up local infrastructure in Russia, find a partner having such infrastructure in Russia, or cease processing information of Russian nationals. If the bill filed on September 1 becomes law, however, that transition period will be substantially shortened and businesses operating in Russia will need to act fast to comply by January 1.
Some mass media in Russia have interpreted provisions of the Database Law as banning the processing of Russian nationals’ personal data abroad. However, this is not written explicitly into the law and until such opinion is confirmed by the competent Russian authorities, this will continue to be an open question. There is hope that the lawmakers’ intent was to give a much needed boost to the Russian IT and telecom industry, rather than to prohibit the processing of personal data abroad. If this hope is confirmed, then so long as companies operating in Russia ensure that they process personal data of Russian nationals in databases physically located in Russia, they also should be able to process this information abroad, subject to compliance with cross-border transfer requirements.
The other novelty of this new Database Law is that it grants the Russian data protection authority (DPA) the power to block access to information resources that are processing information in breach of Russian laws. Importantly, the Database Law provides that the blocking authority applies irrespective of the location of the offending company or whether they are registered in Russia. However, the DPA can initiate the procedure to block access only if there is a respective court judgment. Based on the court judgment the DPA then will be able to require a hosting provider to undertake steps to eliminate the infringements. For example, the hosting provider must inform the owner of the information resource that it must eliminate the infringement, or the hosting [...]