New personal data storage law to affect both foreign and domestic players

The operation of segregating Russian user data and storing it separately in Russia may be complex, depending on the architecture of the IT platform. Source: PhotoXPress

The operation of segregating Russian user data and storing it separately in Russia may be complex, depending on the architecture of the IT platform. Source: PhotoXPress

Some foreign players panicked last week when they learned about the new rules adopted by the Russian parliament regarding the collection and storage of personal data – which will be allowed only on Russian territory starting from Sept. 2016. Some observers have expressed fears that the law will prevent Russians from using certain services such as online booking sites, while others believe that companies will be able to adapt to the legislation.

Facebook representatives visited Moscow last week for talks with state regulator Roskomnadzor (the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications), the Izvestia newspaper has reported, citing three sources in government structures. Facebook was represented by Thomas Myrup Kristensen, the company's Public Policy Director for Nordics, Central and Eastern Europe and Russia.

Kristensen had a meeting with senior Roskomnadzor officials to discuss issues surrounding internet regulation in Russia. In particular, the company was concerned by the requirement to locate servers storing Russians' personal data on Russian territory, which will become law in Sept. 2016.

The Facebook delegation asked for its visit to remain secret, so the outcomes of the talks were not made public.

While storage of personal data on servers located abroad is allowed under the existing legislation – with some restrictions – the new rules demand that only servers located physically on Russian territory be used. Should an online resource fail to respect this obligation, access to it from Russia may be restricted or blocked by Roskomnadzor.

Many businesses will be affected – but with considerable differences depending on the sector and type of business. These rules will affect international players as well as some domestic companies that currently store users’ personal data on servers located outside Russia – or in cloud storage capacities that are distributed in several locations.

No online hotel bookings for Russians?

International companies which currently centralize data from all countries on their own or third-party servers will have to treat and store Russian personal data separately. This concerns countless international websites, mobile application publishers, airlines, brands, manufacturers and even local small businesses with Russian users or clients.

The operation of segregating Russian user data and storing it separately in Russia may be complex, depending on the architecture of the IT platform. The task could entail significant costs or, at worst, be simply unmanageable, say critics of the law.

“As a result, it will become impossible for Russian citizens to book an air ticket via the website of a foreign airline or to book a hotel room via international booking systems, since personal data will be collected and stored [outside Russia],” stated industry association RAEC.

However, some market players believe that the law may still be modified before it comes into force in 2016. This might be the case in the field of air ticket bookings, said Biletix CEO Alexander Sizintsev in an exchange with Russian business daily Vedomosti.

Domestic players will also be affected by the new rule if they store user data, fully or partly, on foreign servers. Vedomosti provides the example of MegaFon, a leading mobile operator that stores its customers’ data in the cloud.

The new legal requirements “create a strict framework for businesses and will entail significant additional costs at the database level,” the business daily quoted a company representative as saying.

Data repatriation for domestic players

In the vast majority of cases, however, compliance with the new requirements will not be out of reach for businesses.

For companies dealing only with Russian users or clients, data repatriation – if necessary – will obviously be a manageable task. Russian flash sales site did so last year. “We moved everything from Germany, where we initially had our servers,” said KupiVIP President Oskar Hartmann to East-West Digital News., a London-based online fashion retailer targeting Russian clients, will not be seriously affected by the new law, says its founder and CEO Martin Avetisyan. “No one is asking us to move to Russia, it’s just a matter of storing personal data on Russian servers.

No doubt by 2016 there will be lots of local hosting offers. Given the potential of Russian business, the implementation costs of storing data locally are absolutely minimum,” Avetisyan wrote in an email exchange with East-West Digital News.

Data segregation for international players

As for international databases, several examples show that segregating user data by country of origin is also a manageable – though a more complex and potentially costly – task.

At La Redoute Rus, Russian users’ personal data have been stored on Russian servers since the very beginning. “Our Paris headquarters didn’t really understand our decision at that time, but we knew that the Russian authorities may, sooner or later, forbid cross-border personal data transfers. In addition, we surveyed our clients who expressed their preference for storing their personal data in Russia,” La Redoute Rus General Manager José Metz told East-West Digital News.

Some personal data is still transferred via the group’s international data center in Portugal, “but only temporarily” according to Metz. “Should this process be proven incompatible with the new legal requirements, we’ll have enough time [two years until Sept. 2016] to bring the necessary changes.”

According to a Western developer of international mobile applications, data segregation by country of origin is not a rare case. “For example, for copyright reasons, video content owners want their content viewed exclusively by mobile users from certain countries. From declared data, to geolocation, to browsing data, users’ geographic origin can be defined rather precisely,” the company’s CEO told East-West Digital News.

“Complying with this Russian law will indeed be difficult for complex databases that mix international data – unless their design took into account such evolutions. However, the ‘data-without-borders’ trend died with the NSA scandal. This Russian rule is forewarning of what could be the next trend – the re-segmentation of the worldwide web on a national basis, and tech players need to learn managing data differently,” the CEO concludes.

To see the text of the law as adopted by the Russian parliament, please click here.

Editor’s note: The new legal requirements concern only personal data, which should not be confused with any user-related data. According to Russian law, the primary characteristic of “personal data” is the ability to identify among many persons a specific, unique individual.

If only parts of someone’s personal information are stored – e.g. a person’s name and paternal name (patronymic) but not his or her family name – this will not be considered personal data because it is insufficient to identify the person.

Neither will a post in Facebook, or a product review on Amazon, be considered as personal data. In these cases, the data will be considered impersonal and the rules on personal data will not apply.

First published in East-West Digital News.

Opinion: New search engine goes for simple>>>

All rights reserved by Rossiyskaya Gazeta.

This website uses cookies. Click here to find out more.

Accept cookies