Earlier this month, Booking.com announced that it will comply with Russia’s new law on personal data storage. The global online travel operator will soon transfer all data from the country’s users to a local data center, Russian business daily Kommersant reported.
The announcement came after a meeting between Steffen Mueller, Booking.com’s senior manager of infrastructure and technologies, and representatives of Roskomnadzor, Russia’s telecom regulator.
“We discussed the issue of implementing [the law],” Vadim Ampelonsky, a spokesperson for Roskomnadzor, stated. “The company assured us they will comply with the requirements of the new legislation.”
“Russia is an important market for us,” the Booking.com press service told Kommersant. “We continue to watch developments related to the law. We understand this law will not affect our relations with business partners and customers in Russia. When the law comes into force, we will be ready to comply. We are now working on a solution that will allow us to operate accordingly.”
From business challenges to legal complexities
Adopted last year in a bid to affirm Russia’s digital sovereignty, the law requires companies operating in Russia to store Russian users’ or clients’ personal data on servers located physically in the country, starting from September 1, 2015. Many foreign and domestic players, who store their users’ data in borderless clouds, are concerned.
This legislation initially triggered a wave of criticism in and outside Russia, with some foreign players seeing in the new rules the beginning of the end of their digital business in Russia.
There are considerable differences, however, depending on the type of business and database architecture. In most cases, businesses can continue operating with Russian users or consumers provided that they implement a series of identified organizational, technical and legal steps.
Meanwhile, things have been made difficult by the lack of clarity and precision of some provisions of the law. “There are still no specifications in the regulations about the possibility of storing copies of personal data outside of the Russian territory. No clarity either about the way to identify Russian citizens – for the protection of whom the law was intended,” notes Anastasia Kuznetsova, lawyer at EY’s Intellectual Property Center of Excellence (CIS).
“Information about the possible interpretations of the law is available only in the form of announcements from state authorities which have no formal legal value,” she adds.
Change your database architecture – or leave the country
Over the past few months several key international players met the regulator in an attempt to clarify these points. Before Booking.com’s announcement, eBay, Google, PayPal, Alibaba’s subsidiary AliExpress and international PSP PayU were reported to be implementing the necessary steps to comply with the law.
But not all international businesses are fully aware of their obligations, and many of them are unlikely to meet the September deadline, according to experts interviewed by East-West Digital News.
Some players, including some important international companies, are even considering leaving the Russian market due to the complexities of the new rules and to the current unfavorable economic context.
- A white paper released recently by East-West Digital News, in partnership with EY and leading data centres, offers an in-depth analysis of the Russian legislation on personal data. It also provides practical advice on organizing data transfer under optimal conditions.