Last week, the lower house of the Russian parliament adopted amendments making personal data storage on domestic servers mandatory as early as September 2015 – instead of September 2016 as previously foreseen by legislation adopted this past summer.
In October, Russian lawmakers had considered an even earlier deadline (January 1, 2015). However, the period allowed for compliance was so obviously unrealistic for the companies concerned that this early deadline was not confirmed.
While storage of personal data on servers located abroad is allowed under the existing legislation – with some restrictions – the new rules demand that only servers located physically on the Russian territory be used. Should an online resource fail to respect this obligation, access to it from Russia may be restricted or blocked by state regulator Roskomnadzor.
As analyzed recently by East-West Digital news, many businesses will be impacted – but with considerable differences depending on the sector and type of business.
Complying with this law will be particularly difficult for complex databases that mix international data – unless their design took into account such evolutions.
The new rules have triggered negative reactions in business circles. However, some market players believe that the law may still be modified before it comes into force. This might be the case in the field of air ticket bookings, where the new rule could be practically impossible to implement.
Others have argued that such new legal restrictions were bound to appear as a result of the NSA scandal and the current international tensions.
Moreover, the re-segmentation of the worldwide web on a national basis could become a global trend, forcing tech players to manage data differently.
Russia’s new legal requirements concern only personal data, which should not be confused with any user-related data. According to Russian law, the primary characteristic of “personal data” is the ability to identify among many persons a specific, unique individual. If only parts of someone’s personal information are stored – e.g. a person’s name and paternal name (patronymic) but not his or her family name – this will not be considered personal data because it is insufficient to identify the person. Neither will a post in Facebook, or a product review on Amazon, be considered as personal data. In these cases, the data will be considered impersonal and the rules on personal data will not apply.
- Additional analysis of this topic can be found in EWDN’s research study on Russian e-commerce, which contains a large section on legal aspects.