Requirements governing personal data processing were formulated in Russian law as far back as 2006. Since then the legislation has undergone various changes, with the most well-known probably being the requirement to “localise” the personal data of Russian citizens.
On 21 July 2014 Federal Law No. 242-FZ “On Amending Certain Legislative Acts of the Russian Federation Regarding Clarifying the Personal Data Processing Procedure in Information and Telecommunication Networks” was approved. One of the changes related to Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”, and added Part 5 to Article 18 “The Obligations of the Operator when Collecting Personal Data” of the Law.
In accordance with this part, “when collecting personal data (“PD”), including via an information and telecommunications network (the Internet), the operator (i.e. Company – KPMG note) is obliged to ensure the recording, systematisation, accumulation, storage, clarifications (updates / modifications) and extraction of the personal data of citizens of the Russian Federation using databases located in the Russian Federation (“Russia”)…”.
Informally called a requirement to “localise” the personal data of Russian citizens, this legal norm entered into force on 1 September 2015.
The Federal Law “On Personal Data” (Part 5, Article 18 – KPMG note) focuses on the Internet resources used by an individual to perform specific activities in Russia that can be blocked in a prescribed manner, should their owner fail to comply with the requirements of the Federal Law “On Personal Data”.
“Personal data subject to localisation are personal data received by an operator in the course of activity aimed at collecting such data, and not as a result of accidental (not requested) access to personal data; for example, if received by email or other mail that contains personal data.”
“The personal data of a Russian citizen, initially entered into and updated in a database in Russia, may then be transferred to databases located outside Russia and administered by other persons, subject to the provisions on cross-border data transfer. Granting remote access to databases located in Russia from the territory of another country is not prohibited under Federal Law 242-FZ.”
“If personal data were during their collection entered into a database located in Russia, such personal data may subsequently be entered by an employee (representative) of the operator into its own electronic database located outside Russia.”
“Certain types of processing of personal data, prescribed in Part 5 of Article 18 of Federal Law No.152-FZ, including the collection of personal data on paper media and their subsequent entry into an electronic database, should be performed as a single process within the legislative framework governing the obligation to keep personal data in Russia.”
A company must ensure the initial collection and subsequent recording, systematisation, accumulation, storage, clarifications (updates / modifications) and extraction of the personal data of Russian citizens using databases located in Russia.
Subsequent clarifications (updates / modifications) of personal data, as indicated above, should also be performed first in a database located in Russia.
Subsequently personal data can be transferred to a server (information system) located outside Russia, in accordance with the legislative requirements governing the cross-border transfer of personal data.
Since 1 July 2017, new penalties for non-compliance with the Russian legislation on the processing of personal data have been applied. For more details, see Article 13.11 of the Russian Code of Administrative Offences. Also, no separate penalty exists for failure to comply with the requirement to “localise” the personal data of Russian citizens; however, this does not mean that the requirement can be ignored. The regulating authority (Roskomnadzor, the Federal Service for Supervising Communications, Information Technology, and the Media) may use such measures as restricting access to the company’s information system from Russia, and issuing orders to eliminate violations based on the results of inspections. The implementation of such orders will in most cases simply be impossible, due to the timeframe allowed by the regulating authority (usually three to four months).
"In our practice we have come across an incorrect interpretation of the requirement to “localise” the personal data of Russian citizens, i.e. as a ban on the storage of their personal data abroad. It is important to ensure that the initial collection of the personal data of Russian citizens is performed using databases located in Russia; then, subsequently, in accordance with respective cross-border data transfer requirements, personal data can be transferred abroad, if necessary. The same requirement applies to making changes to personal data: first they should be made here in Russia, and then abroad."