Russian Data Protection Law

In July 2014 President Putin approved Federal Law No. 242-FZ ("On Amendments to Certain Laws of the Russian Federation in Order to Clarify the Procedure for Personal Data Processing in Information and Telecommunications Networks" (the "New Law")). This introduced two key changes to Russian Data Protection Law which, with its current interpretation, has possible ramifications for all foreign businesses doing business in Russia and dealing with the personal data of individuals.

Summary of the New Law

The New Law created a procedure which can restrict access by Russian citizens to websites ‘violating' Russian data protection law, and also imposes a requirement that the personal data of Russian citizens be stored on server(s) located in Russia.

Under the New Law, personal data of Russian citizens must be stored and processed within the Russian Federation. The Russian data protection authorities (the "DPA") intend to create a register/ database (the "Register") of websites which contain infringing information i.e. storing personal data of Russian citizens outside of Russia. The New Law gives Russian data subjects and/or the DPA the right to obtain a court order to have an "infringing" website added to the Register, the idea being that the DPA will then contact host and service providers and arrange for access to the relevant website to be blocked via a notice and takedown procedure

There are some exceptions to the New Law (which remain to be clarified) including:

  • Processing for purposes required by law of an international treaty;
  • Judicial purposes;
  • Processing by state authorities; and
  • Mass media purposes.

However, these are of little to no assistance to the business community as they are predominantly non-commercial exceptions.

Potential Consequences of the New Law to businesses

The following have been cited as key possible consequences of this New Law:

  • Companies conducting business in Russia could be forced to open data centers with data storage capacities in Russia by 1 September 2015, or face the risk of being blocked and/or added to the Register.
  • Any foreign companies collecting the personal data of Russian individuals will be required to install servers in Russia and only use these servers to process information about Russian citizens.
  • The cross-border transfer of personal data of Russian citizens is also at issue, particularly as the New Law now conflicts with Russia's existing laws on international data transfers.

Practical considerations for the business community

The important aspect of this law is the fact that it is so far reaching. Even where a business has Russian customers but no legal presence in Russia, it should note that Russian data protection law is considered as public order for all companies collecting and processing personal data of Russian citizens, with no exceptions for foreign companies. Therefore, if a business holds Russian personal data in the US and UK, the law is, applicable to that business.

Conclusion

Based on the current understanding of the New Law, international businesses with Russian customers are, strictly speaking, legally subject to the New Law

Therefore, Seagate will not be collecting personal information on Russian citizens as our systems store and process information outside of the Russian Federation. For further assistance, please contact your place of purchase.