- Professional News
- 10 September 2015
New Russian Act on storage of data on Russian citizens in Russia
Danish businesses with subsidiaries in Russia must be aware of more stringent requirements as to storage of personal data on Russian citizens in Russia. This is the result of a new Russian Act on data storage which came into force on 1 September 2015.
All data on Russian citizens that Danish businesses with subsidiaries in Russia register, collect, receive, store and process must be stored on servers in Russia.
Several unclear points
Following adoption of the disputed and controversial Act, uncertainty arose as to its specific consequences. This was due to a number of unclear points in the Act, including whether it applies to both Russian and non-Russian businesses and whether personal data may be stored on more than one server, so that data on Russian citizens may also be stored on servers in other countries.
Although the Act came into force last week, the Russian data protection agency (Roskomnadzor) has so far given little guidance on how it is to be interpreted. The agency has, however, established that the Act applies to all (Russian and non-Russian) businesses established in Russia (such as subsidiaries). Furthermore, all data on Russian citizens must be stored on a primary server in Russia. The personal data may subsequently be mirrored to secondary servers located outside Russia.
Unofficial guidelines from the authorities
One month before the Act came into force, the Russian Communications Ministry (the superior authority of the Russian data protection agency) published some unofficial guidelines on its website.
From these guidelines it appears, among other things, that the requirement of personal data storage in Russia applies to businesses established in Russia only and that the rules will not apply retrospectively.
Personal data on Russian citizens collected before the Act came into force may therefore still be stored on servers in other countries as long as such data is neither updated nor changed. If the data is updated or changed, it will become subject to the requirement of storage on Russian territory.
Effect on businesses
The practical consequence of the new Russian rules on personal data storage is that "Danish" groups with Russian subsidiaries, which, for example, store data on employees and customers on central servers or by way of cloud solutions, are obliged to separate personal data on Russian citizens residing in Russia. Such data must be stored on a primary server in Russia before being subsequently mirrored to the central server of the group or the group's cloud solution.
Generally, the Act does not apply to businesses not established in Russia. However, some specific Internet activities will be subject to the Act, such as websites owned and managed by a non-Russian business but directed at Russian consumers (if, for example, the website language is Russian) or websites with a Russian top-level domain (.ru, .su, .moscow, etc.).
In addition, the rules do not apply to the processing of personal data in the form of review, for example on a computer screen, or the transfer of personal data by email. The result of this exception is that data on Russian citizens residing in Russia need not be stored on primary servers in Russia but may be stored on, for example, a central email server of a group.
Consequences of non-compliance
The most serious consequence for businesses established in Russia not complying with the new Russian rules is that the Russian authorities may block access to the business's website in Russia.
The fine level is modest (up to approx. DKK 2,000). However, it is uncertain whether the amount covers a total fine for violating the rules or whether one fine per violation will be issued.
The Russian data protection agency has announced that it is planning more than 300 business inspections during 2015.