@foulegold
Created December 25, 2025 09:14

Data Protection Requirements Under Russian Law

Russia's personal data law is one of the strictest adopted in recent years and forms part of a wider global trend toward heightened concern about privacy and cybersecurity. Businesses that operate in Russia or deal with Russian nationals face a complex regulatory regime that closely dictates how personal data may be obtained, processed, stored and transferred. Understanding these requirements is crucial for any business operating in Russia, since non-compliance may result in fines, loss of revenue and damage to reputation.

Legal framework on the protection of personal data

The primary source of Russian data protection legislation is Federal Law No. 152-FZ "On Personal Data," which has undergone several major amendments since it was first passed in 2006. Under this law, personal data means any information relating to an identified or identifiable natural person. The law applies to both Russian and foreign companies that process the personal data of Russian citizens, wherever the processing takes place.

The Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) is the main regulator mandated to ensure that data protection laws are observed. The agency can conduct inspections, issue warnings, levy fines and even block access to non-compliant websites or services. Other regulatory acts govern specific aspects of personal data protection, notably Government Decree No. 1119, which establishes requirements for the protection of personal data in information systems, and a number of Roskomnadzor orders that provide methodological guidance on implementing those requirements.

Data Localization Requirements

One of the most distinctive and controversial aspects of Russian data protection law is the mandatory data localization requirement, adopted in 2015. Under this provision, operators that process the personal data of Russian citizens must carry out the initial recording, systematization, accumulation, storage, clarification (updating or changing) and retrieval of that data using databases located in Russia. The obligation applies to all businesses, including foreign companies that offer goods or services to Russian users or track their online activity.

The law does not completely ban cross-border transfers of data, but companies must first place a copy on servers in Russia before transferring it abroad. To comply, companies must take technical and organizational measures; in practice this frequently means setting up data centers within Russia, partnering with local hosting providers or using cloud services whose infrastructure is located in Russia. Non-compliance with the localization requirement can lead to administrative liability and fines, as well as restriction of access to the service in Russia.

Key Compliance Obligations

Companies processing personal data in the territory of Russia must comply with several basic requirements. The first is the need to establish an appropriate legal basis for the processing: this may be the consent of the data subject, necessity for the performance of a contract, compliance with a specific legal obligation, protection of vital interests, performance of a task carried out in the public interest, or the legitimate interests pursued by the controller. Consent must be explicit, informed, freely given and unequivocal, and will usually involve an affirmative action on the part of the data subject.

For many data operators there is another important duty: registration with Roskomnadzor. Organisations must notify the regulator before they begin processing personal data, specifying what data they will collect, the purposes of processing, the categories of data subjects and the security measures applied. Some categories of operators, such as government agencies and those processing personal data that is publicly available, are exempt from the obligation to register.

| Compliance Requirement | Brief Description | When is it required to be completed? |
|---|---|---|
| Data Localization | Keep personal data on servers located in Russia | At the moment of gathering data and thereafter; time frames are not defined by law |
| Roskomnadzor Notification | File notification of processing operations | Not later than 30 days prior to the start of processing operations |
| Privacy Policy | Publish a detailed privacy notice | At the first point of contact (from the moment data is collected) |
| Security Measures | Technical and organizational measures | Continuously implemented |
| Data Subject Rights | Put in place a process to manage user requests | Ongoing obligation |
| Impact Assessment | Perform an assessment for high-risk processing | Prior to commencing the high-risk processing |

Security and Protection Standards

Operators of personal data are obliged to take the legal, organizational and technical measures necessary to protect such data from unauthorized access, destruction, alteration, blocking, copying and other unlawful actions. The security measures to be implemented are determined by the classification of the personal data and by the information system used for processing. Level 1, the highest protection level, applies to personal data whose leakage could cause serious harm to the data subjects and therefore requires the strictest measures for protecting access to that information.

Security policies should cover multiple dimensions of data security, including access management, encryption, audit log collection and monitoring, incident response planning and execution, backup and restore operations, and employee training. Operators need to document their security measures, perform risk assessments on a regular basis and maintain processing records. Companies must also establish a process for notifying Roskomnadzor (and the affected individuals) of a data breach, although Russian law currently sets no specific time frame for breach reporting comparable to that of Europe's GDPR.

Cross-Border Data Transfers

Personal data can be transferred outside Russia subject to certain conditions, provided the localization requirements have first been complied with. Companies may transfer data to countries that Roskomnadzor has determined provide adequate protection, a list that currently covers a limited selection of jurisdictions. For transfers to other countries, the controller must also have appropriate safeguards in place, such as the data subject's consent, contractual necessity or standard contractual clauses.

Any cross-border transfer arrangement should take into account both the legal protection afforded in the destination country and the specific measures adopted by the recipient. Operators must complete transfer impact assessments, especially when transferring data to countries with government surveillance programs or weak privacy protection. The transfer mechanisms and legal bases should be recorded so that compliance can be demonstrated during inspection by the relevant regulatory authorities.

Data Subject Rights

Under Russian data protection legislation, individuals have a number of rights over their personal data, and companies need to set up processes that allow those rights to be exercised. Data subjects have the right to access the personal data that operators hold about them, to request correction of inaccurate information, and to request deletion of data that has been processed without a proper legal basis or outside the agreed purpose. They also have the right to withdraw consent to processing, to object to certain processing and to limit or restrict processing in certain circumstances.

Data controllers are expected to fulfil all data subject requests in a timely manner and to provide clear information about their processing activities through privacy policies and notifications. The law requires that, at or before the time data are collected, the notice describe the purposes for which information is gathered, the categories of information collected, the proposed retention periods and the individuals' rights. Transparency duties also include informing the data subject about any automated decision-making, including the logic involved.

Penalties for Non-Compliance

The sanctions for breaching Russian localisation requirements have been ratcheted up in recent years, with administrative and criminal penalties possible depending on the nature and seriousness of the infringement. Administrative fines for legal entities can reach 300,000 roubles for non-compliance with data localization, and up to 75,000 roubles for processing personal data without a valid legal basis. Repeated or ongoing violations are punishable by higher fines and other sanctions.

Aside from fines, Roskomnadzor is empowered to issue warnings, restrict processing and block access to non-compliant websites and online platforms. The authority has shown a willingness to enforce these measures, especially against large international technology firms that do not follow localization obligations. Criminal liability may arise when personal data is collected, distributed or sold illegally, and can lead to imprisonment of the person responsible.

Industry-Specific Requirements

Specific sectors have further data protection obligations in addition to the general obligations that apply to all operators. Banks, hospitals, telecommunications companies and schools are subject to regulations that impose special security precautions, consent requirements or documentation duties. For instance, in the medical industry, consent to process health data and stricter confidentiality controls over patient information are mandatory.

Any business operating in those regulated industries will need to familiarize its data protection team with both the general framework and the sector-specific requirements that apply to it. As always, it is advisable to consult lawyers experienced in Russian data protection law and the relevant industry regulations to ensure full compliance.

Best Practices for Compliance

Compliance with Russian personal data protection rules should be based on an integrated approach that combines legal (regulatory), technical and organizational measures. Enterprises should start with a thorough data mapping exercise that identifies all personal data processing activities, data sources, processing purposes, storage locations and transfer destinations. This inventory serves as the basis for identifying compliance gaps and preparing remediation schedules.

Adopting privacy-by-design measures helps to build data protection into business processes and technology systems from the earliest stages. Clear governance structures mean clear lines of responsibility, designated accountable persons, documented data protection policies and procedures, and ongoing employee training. Regular internal compliance audits, together with independent reviews by outside experts, can uncover issues before they attract regulatory attention.

Here are a few key compliance actions to consider:

  • Take a detailed inventory of data processing activities and data flows
  • Keep data about Russian citizens on servers located in Russia
  • File the necessary notifications with Roskomnadzor and keep the registration up to date
  • Enforce access controls for each data classification ('Confidential', 'Restricted' or 'Highly Confidential')
  • Develop and publish accessible privacy policies in Russian
  • Set up a process for handling data subject access requests and complaints
  • Record your processing activities, consent records and transfer mechanisms
  • Routinely audit processes and test security controls
  • Regularly train employees who have access to personal information
  • Build out incident response plans for data breaches

Practical Implementation Challenges

Corporations, in particular multinationals, face numerous difficulties in complying with Russian data protection rules. The data localization requirement can mean major infrastructure and operational overhauls, especially for companies whose current setup is built around a centralized global data center architecture. Partnering with reputable Russian hosting providers that can satisfy both the localization requirements and international security standards demands thorough vendor management.

Language differences and legal terminology are also a barrier to compliance, since much of the regulatory material and Roskomnadzor guidance that clarifies how to comply is available only in Russian. Companies should therefore consider retaining local legal and data protection experts who are familiar with the regulations and the nuances of compliance. Further, companies need to reconcile the Russian compliance requirements with those of other applicable data protection laws, such as the GDPR, which may contain different or conflicting criteria.

FAQs

What information is considered personal data according to Russian law?

Personal data is any information that relates to an identified or identifiable individual. This includes names, addresses, phone numbers, e-mail addresses and passport numbers, as well as employment details, financial data (such as bank account or credit card information), location history, IP addresses and any other data that can be used on its own or together with other information to identify a specific individual. Special categories of personal data are subject to an increased level of protection under Russian law: identity documents (passport details), biometric data and other sensitive categories such as health, racial or ethnic origin, political opinions, religious beliefs and data on sex life.

Are foreign companies required to observe Russian data protection law?

Yes, Russian data protection law applies to foreign companies (foreign legal entities) if they process (collect, store or use) personal data relating to citizens of Russia, regardless of whether the processing takes place inside or outside Russia. The reach of the law is territorial in the sense that it applies to any enterprise providing goods or services to individuals in Russia or processing information about Russian data subjects. As a result, international e-commerce sites, social media services, cloud providers and other online businesses serving Russian users are subject to data localization, registration and other obligations even if they have no physical presence in Russia.

What means can businesses utilize to show they are complying with data localization demands?

Corporations can demonstrate compliance with the localization requirement by providing technical documentation evidencing that the databases containing personal data of Russian citizens are physically located within Russian territory; maintaining contracts with hosting providers or data centers in Russia; keeping network architecture diagrams that show the flows of personal data and the storage locations, including virtual ones; and obtaining third-party audit reports confirming compliance with localization. Roskomnadzor has the right to demand such documentation during inspections and investigations, so operators would be wise to keep good records of their infrastructure and data storage practices.

What is the punishment for not registering with Roskomnadzor?

Failure to file the mandatory notification with Roskomnadzor may lead to administrative penalties starting from 300 rubles for individuals and 500 rubles for legal entities, up to 3,000–6,000 rubles. Although these fines may appear inconsequential compared with those for other violations, a failure to register can lead to closer regulatory scrutiny and becomes an aggravating factor if further violations are discovered. Furthermore, Roskomnadzor may order the processing to be suspended until registration is in effect, which would have an immediate and substantial impact on the business.

Can personal data be taken out of Russia under any circumstances?

Yes, cross-border transfers are allowed as long as the data is stored on servers in Russia first and an appropriate transfer mechanism is in place. Transfers to countries that Roskomnadzor has approved as providing adequate safeguards may proceed on that basis; otherwise, data may be transferred with the consent of the individuals whose personal data is being transferred, where appropriate safeguards are in place, or on other legal grounds such as contract performance or protection of vital interests. Organizations should put in place the necessary safeguards, such as standard contractual clauses, binding corporate rules or other mechanisms recognised under Russian law, and keep records of the reasons for transferring data.

How often should a company re-evaluate its data protection compliance?

Companies should perform a full compliance review at least annually, and more frequent assessments are warranted for entities that process large amounts of personal data or operate in heavily regulated sectors. Compliance checks should also be prompted by relevant developments such as amendments to Russian data protection laws, entry into new lines of business or markets, deployment of new technologies or systems that handle personal data, corporate reorganizations and M&A activity, and breaches or incidents. Ongoing monitoring of processing and periodic security reviews help to maintain compliance and to detect and correct problems in a timely manner.

Conclusion

Compliance with Russian data protection requirements requires in-depth analysis of a complex and evolving regulatory regime, which imposes distinctly different obligations from those found in most other jurisdictions. The interplay between data localization, registration, heavy security requirements and strong enforcement makes for a difficult compliance landscape for domestic and foreign organisations alike. Businesses will have to invest time and effort in understanding these demands, putting proper technical and organizational measures in place, and keeping their compliance programs up to date to avoid fines or operational disruption.

Succeeding in this regulatory environment takes more than going through the compliance motions. Enterprises need to take a proactive approach that incorporates data protection principles into their operations, corporate culture and technology. By treating compliance as an ongoing process rather than a stand-alone project, companies can build trust with Russian consumers, avoid regulatory risks and lay the groundwork for longer-term business on the Russian market. As enforcement grows increasingly stringent and the requirements develop, tracking regulatory developments and leading practices remains important for all organisations processing the personal data of Russian citizens.
