^{Best Practices}

The Russian Data Localization Law: What You Need to Know to Be Compliant

_{Jacob Hansen

July 31, 2015 • 3 min read}

PLEASE NOTE: THIS DOCUMENT IS PROVIDING GENERAL INFORMATION ON THIS LAW AND NEITHER THE AUTHOR NOR SENDGRID IS PROVIDING LEGAL ADVICE OR COUNSEL.

Following is a snapshot of the Russian Data Localization Law (Russian Federal Law No. 242-FZ) that goes into effect September 1, 2015. It includes direct portions of the law, but is not the law in its entirety. Please reference the bottom of this post for additional resources and sources.

What it is:

This is a Russian Federal Law that requires any business that collects and/or stores personal information of Russian citizens to first process that data in Russia. It also requires that those businesses use databases physically situated in Russia to store the data. The exact wording from the law is to “ensure recording, systematisation, accumulation, storage, change and extraction of personal data of Russian citizens with the use of data centres located in the territory of the Russian Federation in the course of collection of relevant personal data of individuals, including via the Internet”.

Personal Data is defined as name, email address, physical address, phone number, IP address, or national identification number

Who it applies to: It is written to apply to any business with websites or mobile apps that collect and/or store personal information of Russian citizens.

Exemptions:

Individuals processing personal data solely for personal and family needs (provided the rights of data subjects are not infringed).
Organization of storage, collection, recordation and use of archived documents containing personal data in accordance with the national laws on archive funds and matters.
Processing of personal data that can be referred to as state secrecy data.
Submission by the competent authorities of data related to the activities of courts in Russia in accordance with the relevant court legislation.

Who enforces the law:

Roskomnadzor | Russian Legal Information Agency (RAPSI)

What the law does NOT prohibit:

The law does not prohibit the cross-border transfer of personal data. This means that although the initial collection and processing of data must first occur in Russia, the data may then be processed and stored in a duplicate database outside of the Russian Federation.

Conforming your existing data:

There are certain steps and stages of data adjustment you can review and complete that can ensure that your already-existing data collection and storage adheres to this new standard (if applicable to your business).

Businesses without Russian offices/servers:

Not all businesses have a physical branch or satellite location within the Russian Federation. And, if they do, they may not have servers in place to process and store the personal information of Russian citizens. Some businesses may end up setting up servers in Russia for this purpose and some may contract a third-party to do so. If any businesses do consider this option, they should consider the risks of data breaches associated with using third-party vendors.

Possible future complications for the Russian economy:

Some say that the law may lead to a decrease in GDP due to the law potentially inhibiting growth of e-commerce or innovation-intensive companies.

Additional resources:

The following organizations can provide additional information and further actual advice on the general items listed above: