By Drew Stevens
Russian law requires businesses operating in Russia, including e-commerce sites selling to Russian citizens, to store collected personal data within Russia. Federal Law 526-FZ includes a data localization requirement (the “Data Regulation”). Federal Law 526-FZ was written very broadly, and a large amount of uncertainty regarding the interpretation and enforcement of the Data Regulation still exists.
The Data Regulation requires that all collected personal data of Russian citizens be stored on systems within Russian borders. Business practices that are subject to the Data Regulation include recording, systemizing, accumulating, storing, amending, updating, changing, and retrieving personal data. Personal data subject to the Data Regulation includes any data or information that identifies a Russian citizen, including data collected from Russian citizens registering on websites, completing online purchases, and sending electronic messages. The Data Regulation applies to all businesses conducting any operations, including online sales, within Russia. Anonymous data is outside the scope of the Data Regulation.
The Data Regulation is interpreted by Russia’s Ministry of Communications. The Federal Service for Supervision of Communications, Information Technology, and Mass Media (the “Enforcement Agency”), an agency operating under the Ministry of Communications, is the primary body responsible for enforcement of the Data Regulation. The Enforcement Agency has provided few details regarding the interpretation and enforcement of the Data Regulation to this point. However, representatives from the Enforcement Agency have indicated that businesses may be permitted to transfer data outside of Russia, as long as the initial collection and processing are handled on data systems located within Russian borders. It is likely that, in order to be able to transfer the data in this manner, businesses will have to ensure the usage of the data abroad aligns with the purpose for which the data was collected in Russia, and in some situations, the business may be required to obtain consent from the individuals before their data is transferred. Penalties for violating the Data Regulation include administrative and civil liabilities, including fines and the blocking of access to a business’s websites.
Ultimately, many unknowns remain regarding Russia’s relatively new data localization requirements. It is recommended that companies conducting business in Russia, or that have e-commerce platforms available to Russian citizens, stay up to date on developments of the Data Regulation, including interpretations and statements coming from the Enforcement Agency.