Personal data storage in Russia: Challenges of compliance with new laws

Russian laws will need at least several more years to catch up to the level of personal data protection cases found in European Union countries. Source:  Shutterstock

Russian laws will need at least several more years to catch up to the level of personal data protection cases found in European Union countries. Source: Shutterstock

A new report prepared by Ernst & Young, East-West Digital News and a number of top market experts offers companies advice on how to comply with changing Russian legislation on personal data.

RBTH is a media partner of the "Personal Data Storage in Russia" report

At the end of March 2015 Ernst & Young and East-West Digital News, the international information source on digital industries, released a report on the challenges of data transfer in Russia. Starting in September 2015, companies operating in the country will be required to store users’ personal data on servers located on Russian territory, according to Information Law No. 242- FZ.

 

The deadline is tough, but not impossible

The legislation will pose new challenges for many market players that store their users’ data in borderless clouds or abroad. However, “businesses can in most cases continue operating with Russian users or consumers provided that they implement a series of stated organizational, technical and legal steps,” the report says.

David Hamner, chairman of the information storage company DataSpace, thinks that many companies won't be ready by the September deadline. “However many believe that if they can demonstrate activities to become compliant they may be granted some extensions or be subject to some manageable level of financial penalty,” Hamner adds. 

International companies are also concerned that personal data can be accessible by the Russian government and that the servers might be confiscated. “But the truth is it doesn't matter if you're in Phoenix, Arizona or London or Moscow, if the authorities arrive with proper search and seizure warrants, they will get what they came for,” Hamner says.

 

The mechanism is still unclear

Until recently many enterprises had little idea of what exactly was needed to comply with the new legislation. Guy Willner, CEO of data storage company IXcellerate said some international players were not even aware of the new law. According to the report, the new rule regulating the obligations of personal data operators is brief and concise: all personal data of Russian citizens must be processed inside Russia only. Access from Russia to online resources that fail to meet this requirement may be restricted or blocked by the state regulator known by its Russian acronym Roskomnadzor.

New provisions refer not only to storage of personal data on Russian territory, but also to its collection, accumulation and documentation. “It can be concluded that all activities connected with personal data should be collected in real time and through information databases physically located in Russia,” the report says.

However, the mechanism of implementing the new provisions is still unclear. “The new data processing requirements need to be detailed in subordinate legislation that is expected to be adopted in 2015 before the new rule comes into force,” the report also says.  

 

Controlling the data

At the moment, Roskomnadzor is holding a series of conferences with IT businesses and organizations to discuss the crucial issues of applying the amendments, including the specifics of personal data storage in Russia and ways and mechanisms for controlling the physical location of data. However, it is likely that Russian laws will need at least several more years to catch up to the level of personal data protection cases found in European Union countries.

“In comparison with foreign case law, neither Russian state arbitration courts nor Russian courts of common jurisdiction can yet count a sizable number of cases based on the claims of personal data owners against third parties unauthorized to process such information,” the report says. The few claims that have been filed by personal data holders have usually been unsuccessful in court. The report suggests that the main reasons this has occurred are presumably a low level of judicial initiative and judges’ bias against claimants.

The authors of the report also think that the changes to the legislation can be a driver for the data center services market. According to the report, “both commercial and corporate data centers will experience a fundamental economic and technological transformation” as a result of these changes.

 

Read more: Networking without borders

All rights reserved by Rossiyskaya Gazeta.