According to the amendments to the federal law on personal data, which will enter into force on September 01, 2015, personal data operators will be required to keep personal data of Russian citizens in Russia. These amendments have given rise to many practical issues directly affecting IT companies, as well as their clients using cloud technology for data storage.
Below we answer the most common questions on this topic.
Personal data refer to any information which allows identifying a person, including:
It should be noted that even if data do not allow definite identification, such data could still be classified as personal data under certain circumstances.
Roskomnadzor (the regulatory agency) is currently working on a definition of personal data by developing criteria for personal data.
If a Russian national employed by a Russian representative office is able to view and post information about him/herself in the internal career opportunities system of a global company, and the server on which his/her personal data are stored is abroad, the company will be in breach of the personal data localization requirements in Russia.
If a company uses personal data encryption methods that allow only encrypted personal data (depersonalized personal data) to be transferred abroad, and these data can under no circumstances be decrypted on the receiving server, then the requirement for personal data localization in Russia will not apply to this company because, in this case, there is no cross-border transfer of personal data.
The following steps should also be taken to initiate personal data protection.
To localize the personal data of Russian citizens in Russia, it will be necessary to:
An administrative fine from RUB 5,000 to RUB 10,000 will be imposed on legal entities and corporate officers (for example, the Data Privacy Officer or General Director) if they fail to comply with the new requirements of the law. Please note that if a general director or Data Privacy Officer who is a foreign national is brought to administrative liability repeatedly (2 or more times) under Russian law for committing any administrative offense in Russia over a period of 3 years from the date of entry into force of the last administrative liability decision, that foreign national will be prohibited from entering Russia.
The State Duma has already passed, in the first reading, a bill increasing this fine up to RUB 50,000 for failure to comply with personal data processing requirements. Moreover, under the same bill, a fine of up to RUB 300,000 could be imposed for unlawful personal data processing.
The law also allows Roskomnadzor to restrict access to information processed through the internet in breach of Russian laws on personal data, but putting such access restrictions in place takes time and several stages. However, since the law does not restrict the blocking of information by category of personal data operator or by the resources on which personal data are processed, it is possible from a legal standpoint to apply this procedure to the internal system (intranet) of a global company used for storing and processing employee personal data.
Partner, Awara Group
Partner, Awara IT Solutions