In the latest move of a long saga, a Moscow court fined yesterday three US digital companies for violating the country’s personal data storage legislation. Facebook and Twitter were fined 15 million rubles (some $200,000 at the current exchange rate) and 17 million rubles ($230,000), respectively, for repeat infractions, while WhatsApp will have to pay 4 million rubles ($54,000) for a first-time offense.
Just weeks ago Google was imposed a first-time fine of 3 million rubles for failing to move Russian users’ data to domestic servers. The US search giant has also been fined for refusing to remove censored information and for abusing dominant position.
According to Roskomnadzor, the Russian telecom and Internet regulator, Booking.com has complied with the personal data storage law. The online hospitality platform, nevertheless, did not escape Thursday a $17.5 million fine for “abusing its dominant position in the Russian market for the provision of services by aggregators of information about accommodation facilities.”
Booking.com is being accused of forcing hotels and hostels “the obligation to provide and comply with price parity” — which means that hotels “could not price their services in other sales channels lower than on the Booking.com aggregator,” according to Roskomnadzor. In addition, the company’s actions have “restricted competition in the market” and “led to infringement of the interests of hotels.”
Booking.com said it was “disappointed” with the decision, which it intends to appeal.
In April, Apple was also imposed a large fine ($12.1) million for “abusing” its dominant position in the market by giving preference to its own applications. Apple, however, complies with the personal data storage legislation, says Roskomnadzor.
Russia’s personal data storage legislation: A six-year saga
According to a legislation applicable since September 2015, companies operating in Russia are required to store Russian users’ or clients’ personal data on servers physically located in the country. Numerous foreign and domestic players were concerned, including global players who tended to store their users’ data in borderless clouds (see white paper by EWDN and EY).
A range of international businesses — including, in particular, Alibaba, AliExpress, Apple, Booking.com, LG Electronics, Microsoft, PayPal and Samsung — have managed to transfer user data from foreign data centers to Russia. In total, “as of today around 600 representative offices of foreign companies in Russia have localized the storage of personal data of Russian users,” stated Roskomndazor, cited by TASS, in July 2021.
Several key international companies have been less law-abiding, playing cat-and-mouse with the Russian authorities for years already. Thus, Roskomnadzor requested Facebook and Twitter, which had sent both positive and negative signals on the matter, to report on their compliance with the law, and began fining them for non compliance.
Under a law imposing stiffer fines that President Vladimir Putin signed in December 2019, fines for repeat offenses go up to 18 million rubles (almost $290,000). The authorities may even block access to their sites from Russia – as was the case with LinkedIn in 2016, following two court decisions.
