Most Companies Will Comply With Russia’s New Personal Data Storage Law

This article originally appeared at East-West Digital News

Starting from today, the personal data of Russian citizens must be stored on servers physically located on Russian territory. Adopted last year in a bid to affirm Russia’s digital sovereignty, the new law has presented many players with challenges, both because of its demanding requirements and because of the ambiguity of some of its key provisions (see details in EWDN’s free white paper).

Many foreign and domestic players, who either store or used to store their users’ data in borderless clouds, are concerned – in considerably different ways, however, depending on the type of business and database architecture of each. Those failing to meet the new requirements will face fines. Ultimately, access to their site may be blocked by the Russian telecom regulator Roskomnadzor.

Many companies have worked hard to meet the law’s requirements in time, as illustrated by the public announcements made in the past few months by Booking.com, eBay, PayPal, Alibaba’s subsidiary AliExpress, and the international PSP PayU. Some e-commerce players, such as KupiVip and La Redoute, had even anticipated the law by moving their data away from foreign servers several years ago.

In July, 53% of the French, Russian and international companies surveyed by the Franco-Russian chamber of commerce (CCIFR) stated that they would meet the September 1 deadline to comply with the law, while 39% said that they would comply, but with some delay. Another 8% stated that they were not ready to comply at all.

What have been the difficulties in complying with the law?

[Chart: CCIFR personal data survey – difficulties in complying with the law]

Survey of 50 French, Russian and international companies in a variety of sectors, from late July 2015. Source: CCIFR

But not all international businesses are fully aware of their obligations, and many have not been able to meet the Sept. 1 deadline. This seems to be true of Apple, Facebook, Google and Twitter, judging by media reports and the “no comment” or otherwise vague statements from their press services.

Some players, including some important international companies, are even considering leaving the Russian market due to the complexities of the new rules and the unfavorable economic context of the present time.

Much-needed clarifications

Until just weeks before the Sept. 1 deadline, implementing the new rules was difficult because the law lacked clarity and precision in several important respects. Ambiguities remained regarding the scope of the law, whether copies of personal data could be stored outside Russia, how to identify Russian citizens, and many other issues raised with the Russian authorities by the business community. Some statements from the authorities addressed some of these points, but they had no formal value.

Over the past few months, meetings with the regulator helped businesses clarify the situation. In August 2015, as a result of these meetings and of numerous requests from personal data operators, the Ministry of Telecom and Mass Communications expressed its interpretation of the law on its official website. These statements are not legally binding, but may be regarded as guidelines provided to businesses to comply with the law in good faith.

According to these official interpretations, personal data initially collected and stored in Russia may subsequently be transferred to or processed in databases located abroad. What matters, in order to protect the data subject, is the initial location of the data.

The question of whether the law applies to data collected before Sept. 1, 2015 has also been clarified. The rules are not retroactive: only personal data collected from Sept. 1, 2015 onward must be stored in Russia.

The Ministry also confirmed that certain businesses whose activity is regulated by an international agreement or by specific legislation would not be affected by the law. This is the case for airlines and air ticket booking systems.

Five fundamental legal requirements for dealing with personal data in Russia

  • Personal data may be collected, stored and used only with the consent of the data subject (the person to whom the data refers), preferably in written form.
  • Starting from September 2015, personal data should be processed by means of information databases that are physically located on Russian territory.
  • Data operators storing personal data are liable for keeping such data confidential and are not permitted to transfer, share or disclose such data without the consent of the data subject, with special attention paid to internal control mechanisms.
  • Full protection of personal data should be provided through a range of organizational and technical measures defined by the law.
  • The operator should draft and make publicly available an internal policy for processing personal data.

These rules apply specifically to personal data – which should not be confused with any user-related data. According to Russian law, the primary characteristic of “personal data” is the ability to identify among many persons a specific, unique individual.

Top 5 data migration tips

  1. Allow a long timespan to fully implement the migration process. Delivery of the servers alone can take up to two months, and testing after installation can take several more months. Overall, the process can easily stretch to eight months.
  2. Find a reliable local partner to assist you with the process, and involve the head-office team in the selection.
  3. Use existing import channels to move equipment (unless you opt for an IaaS solution). Usually your Russia-based data center will have a number of reliable and previously tested partners to recommend. These should be large local business integrators, or international suppliers who have a dealer network in the country.
  4. Manage complexity by transparent communication: make sure there is full understanding of the installation design by all parties involved. Language barriers and complex terminology can create major problems between client and contractor in this regard.
  5. Don’t forget about after-migration support: the data-center team and other participating parties should be on standby after launch. A properly run data center will have client service thoroughly specified, with procedures, documentation, a 24-hour bilingual emergency phone line and an online ticketing system to track status.
