Starting from October 31, 2021, the personal data of Russian citizens who book domestic flight tickets will have to be stored on servers located physically on Russian soil. This new requirement stems from a decree signed in late July by Prime Minister Dmitry Medvedev in application of a 2014 law on personal data storage in Russia, as reported by business daily RBC.
Inventory systems and global distribution systems (GDS) are equally concerned. International air ticket booking systems – such as Sabre, Navitair, Amadeus and SITA – will be affected if used by Russian airlines, as is the case with Aeroflot.
The new requirement will also affect Russian OTAs such as Biletix and OneTwoTrip. These will be allowed to work only with international systems that will have Russian personal data stored in Russia.
A source close to government circles explained to RBC that the measure aims to protect some sensitive information. Typically, travel information related to Russian military and officials need to be protected from any potential external intrusion, “including those of foreign secret services.” The decree also aims to “strengthen transportation security” as well as “the confidentiality of Russian citizens’ personal data.”
The segmentation of international booking systems on a country basis and the partial transfer of data to Russian servers are big technical challenges, said Biletix co-founder Alexander Sizintsev in an exchange with RBC. Such operations could cost international companies hundreds of millions of US dollars and take several years, he believes.
Sabre, jointly with Aeroflot, already has plans to transfer Russian personal data to Russian servers, reports RBC. Amadeus and SITA did not answer the Russian publication’s questions on the matter.
Online sales of air tickets (including both domestic and international flights) exceeded $7 billion in 2018, according to a Data Insight report cited in EWDN’s latest Russian e-commerce study.
Facebook and Twitter urged to comply
Adopted in 2014 and applicable since September 2015, the Russian legislation on personal data storage requires companies operating in Russia to store Russian users’ or clients’ personal data on servers physically located in the country. Numerous foreign and domestic players were concerned, including global players who tended to store their users’ data in borderless clouds (see white paper by EWDN and EY).
While many businesses — including Alibaba, AliExpress, Apple, and Google — have managed to transfer user data from foreign data centers to Russia, others refused or failed to comply. Thus, the authorities have blocked access to LinkedIn since 2016. More recently, they urged Facebook and Twitter to comply with the law.