In July 2014 President Putin approved Federal Law No. 242-FZ ("On Amendments to Certain Laws of the Russian Federation in Order to Clarify the Procedure for Personal Data Processing in Information and Telecommunications Networks" (the "New Law")). This introduced two key changes to Russian Data Protection Law which, with its current interpretation, has possible ramifications for all foreign businesses doing business in Russia and dealing with the personal data of individuals.
Summary of the New Law
The New Law created a procedure which can restrict access by Russian citizens to websites ‘violating' Russian data protection law, and also imposes a requirement that the personal data of Russian citizens be stored on server(s) located in Russia.
Under the New Law, personal data of Russian citizens must be stored and processed within the Russian Federation. The Russian data protection authorities (the "DPA") intend to create a register/ database (the "Register") of websites which contain infringing information i.e. storing personal data of Russian citizens outside of Russia. The New Law gives Russian data subjects and/or the DPA the right to obtain a court order to have an "infringing" website added to the Register, the idea being that the DPA will then contact host and service providers and arrange for access to the relevant website to be blocked via a notice and takedown procedure
There are some exceptions to the New Law (which remain to be clarified) including:
However, these are of little to no assistance to the business community as they are predominantly non-commercial exceptions.
Potential Consequences of the New Law to businesses
The following have been cited as key possible consequences of this New Law:
Practical considerations for the business community
The important aspect of this law is the fact that it is so far reaching. Even where a business has Russian customers but no legal presence in Russia, it should note that Russian data protection law is considered as public order for all companies collecting and processing personal data of Russian citizens, with no exceptions for foreign companies. Therefore, if a business holds Russian personal data in the US and UK, the law is, applicable to that business.
Based on the current understanding of the New Law, international businesses with Russian customers are, strictly speaking, legally subject to the New Law
Therefore, Seagate will not be collecting personal information on Russian citizens as our systems store and process information outside of the Russian Federation. For further assistance, please contact your place of purchase.