Earlier this month the Russian telecom regulator Roskomnadzor blocked access to LinkedIn for non-compliance with recent legislation on personal data storage. EWDN chief editor Adrien Henni analyzes the significance of this move far beyond Russia’s borders.
Adopted in 2014 and applicable since September 2015, the law requires companies operating in Russia to store Russian users’ or clients’ personal data on servers physically located in the country. Many foreign and domestic players are concerned, including global players who store their users’ data in borderless clouds (see white paper by EWDN and EY).
This legislation has triggered considerable criticism inside and outside Russia, with some foreign players seeing in the new rules the beginning of the end of their digital business in Russia.
Western media, on their side, have generally highlighted the move against LinkedIn in the political or even geopolitical context – as part of a series of attempts to control Internet communications in Russia.
It is undeniable that the Russian government has taken an increasingly authoritarian view of digital media over the past several years. However, the recent decision to block LinkedIn has little to do with politics or ideology, and Russia’s new legislation may be perceived not only as a costly embarrassment to global businesses, but also as a chance for them to prepare for the new realities of tomorrow.
What the law says
The main requirements for dealing with personal data in Russia may be summarized as follows:
- Personal data may be collected, stored and used only with user consent, preferably in written form.
- Personal data (or at least an electronic copy of it) must be stored in databases that are physically located on Russian territory.
- Data operators storing personal data are liable for keeping such data confidential and are not permitted to transfer, share or disclose such data without user consent. Full protection of data is provided through a range of sometimes demanding organizational and technical measures.
These rules apply specifically to personal data – which should not be confused with any other user-related data. According to Russian law, the primary characteristic of “personal data” is the ability to identify among many persons a specific, unique individual. Thus most social network content, for example, does not fall within the purview of the law.
At the same time several issues concerning the law are still ambiguous. In particular, it is not entirely clear whether or not it is possible to transfer the personal data of Russian citizens abroad – and if so where.
Inside the DataSpace data center in Moscow (photo credit: DataSpace)
How the law has been applied so far
The law does indeed require international as well as Russian companies to store the data on Russian territory. However, the implications of this rule may vary considerably, depending on the type of business and database architecture.
Notwithstanding several other cases of site blocking for non-compliance (such as the phone number database Abonenty-chast2.pw and the car-driver database Autonum.info), Roskomnadzor has generally displayed a rather mild attitude towards international players, offering them extra time to comply with the law.
Thus many businesses — including Alibaba, Apple, Booking.com, eBay, Google and Uber — have managed to transfer user data from foreign data centers to Russia or announced ongoing projects to do so. In some cases, the process was helped by numerous consultations with the regulator’s representatives.
Facebook and Twitter have not fully complied to date, as reported, but they meet regularly with Roskomnadzor, and the measures they have undertaken are regarded as satisfactory.
It appears that LinkedIn was blocked only after failing to provide satisfactory answers to repeated Roskomnadzor inquiries. Access to the site was denied, moreover, only after two court rulings – an initial hearing and an appeal – earlier this year.
Also worth noting is the fact that the US company, while not complying with Russian law, reportedly did accede to local legislation when it entered the Chinese market two years ago, storing personal data on local servers.
A useful warning
Russia is far from being the only state to have introduced restrictions on the storage and international use of personal data. Other countries – including Australia, Hungary, Indonesia and Panama – have also adopted specific measures against the illegal storage of personal data. Russia’s legislation, however, is arguably the most radical of all, in that non-complying websites can simply be blocked.
Such moves may well illustrate the resurgence of national sovereignties in the digital sphere. It should come as no surprise that many governments, both authoritarian and democratic ones, are aiming to put an end to the current borderless forms of the world wide web. This is especially true after Edward Snowden and others revealed that this absence of borders means tight control by a handful of powerful states and corporations.
Tomorrow’s Internet is likely to be far more fragmented than yesterday’s. For all the complexities implied by this evolution, Russia’s moves to control personal data flows should be regarded as a useful warning for global businesses to adapt to these new realities.
The author is grateful to Igor Nevzorov, director of EY’s Intellectual Property Center of Excellence CIS in St. Petersburg, for his input on the legislation aspects of this article. For more detailed information on this subject, please refer to “Personal Data Storage in Russia,” a white paper published recently by EWDN and EY.