Some foreign players panicked last week when they learned about the new rules adopted by the Russian parliament regarding the collection and storage of personal data – which will be allowed only on Russian territory starting from Sept. 2016. Concerns were fuelled by inflated media reports, including a Google Translate-based article that appeared on an influential Californian tech blog.
While storage of personal data on servers located abroad is allowed under the existing legislation – with some restrictions – the new rules demand that only servers located physically on the Russian territory be used. Should an online resource fail to respect this obligation, access to it from Russia may be restricted or blocked by state regulator Roskomnadzor.
Many businesses will be impacted – but with considerable differences depending on the sector and type of business. These rules will affect international players as well as some domestic companies that currently store users’ personal data on servers located outside Russia – or in cloud storage capacities that are distributed in several locations.
No online hotel bookings for Russians?
International companies which currently centralize data from all countries on their own or third-party servers will have to treat and store Russian personal data separately. This concerns countless international websites, mobile application publishers, airlines, brands, manufacturers and even local small businesses with Russian users or clients.
The operation of segregating Russian user data and storing it separately in Russia may be complex, depending on the architecture of the IT platform. The task could entail significant costs or, at worst, be simply unmanageable, believe the critics of the law. “As a result, it will become impossible for Russian citizens to book an air ticket via the website of a foreign airline or to book a hotel room via international booking systems, since personal data will be collected and stored [outside Russia],” stated industry association RAEC.
However, some market players believe that the law may still be modified before it comes into force in 2016. This might be the case in the field of air ticket bookings, said Biletix CEO Alexander Sizintsev in an exchange with Russian business daily Vedomosti.
Domestic players will also be affected by the new rule if they store user data, fully or partly, on foreign servers. Vedomosti provides the example of MegaFon, a leading mobile operator that stores its customers’ data in the cloud. The new legal requirements “create a strict framework for businesses and will entail significant additional costs at the database level,” the business daily quoted a company representative as saying.
Data repatriation for domestic players
In the vast majority of cases, however, compliance with the new requirements will not be out of reach for businesses.
For companies dealing only with Russian users or clients, data repatriation – if necessary – will obviously be a manageable task. Russian flash-sales site KupiVIP.ru did so last year. “We moved everything from Germany, where we initially had our servers,” said KupiVIP President Oskar Hartmann to East-West Digital News.
iMall.eu, a London-based online fashion retailer targeting Russian clients, will not be seriously affected by the new law, says its founder and CEO Martin Avetisyan. “No one is asking us to move to Russia, it’s just a matter of storing personal data on Russian servers. No doubt by 2016 there will be lots of local hosting offers. Given the potential of Russian business, the implementation costs of storing data locally are absolutely minimum,” Avetisyan wrote in an email exchange with East-West Digital News.
Data segregation for international players
As for multinational databases, several examples show that segregating user data by country of origin is also a manageable – though more complex and potentially costly – task.
At La Redoute Rus, Russian users’ personal data have been stored on Russian servers since the very beginning. “Our Paris headquarters didn’t really understand our decision at that time, but we knew that the Russian authorities may, sooner or later, forbid cross-border personal data transfers. In addition, we surveyed our clients who expressed their preference for storing their personal data in Russia,” La Redoute Rus General Manager José Metz told East-West Digital News.
Some personal data still transits via the group’s international data center in Portugal, “but only temporarily” according to Metz. “Should this process be proven incompatible with the new legal requirements, we’ll have enough time [two years until Sept. 2016] to bring the necessary changes.”
According to a Western developer of international mobile applications, data segregation by country of origin is not a rare case. “For example, for copyright reasons, video content owners want their content viewed exclusively by mobile users from certain countries. From declared data, to geolocation, to browsing data, users’ geographic origin can be defined rather precisely,” the company’s CEO told East-West Digital News.
“Complying with this Russian law will indeed be difficult for complex databases that mix international data – unless their design took into account such evolutions. However, the “data-without-borders” trend died with the NSA scandal. This Russian rule is forewarning of the next trend – the re-segmentation of the worldwide web on a national basis, and tech players need to learn to manage data differently,” the CEO concludes.
Facebook, Google, Lamoda.ru, Otto Group and Ozon declined to answer EWDN’s questions. To see the text of the law as adopted by the Russian parliament, please click here. Additional analysis of this topic can be found in EWDN’s research study on Russian e-commerce, which contains a large section on legal aspects.
- Editor’s note: The new legal requirements concern only personal data, which should not be confused with any user-related data. According to Russian law, the primary characteristic of “personal data” is the ability to identify among many persons a specific, unique individual. If only parts of someone’s personal information are stored – e.g. a person’s name and paternal name (patronymic) but not his or her family name – this will not be considered personal data because it is insufficient to identify the person. Neither will a post in Facebook, or a product review on Amazon, be considered as personal data. In these cases, the data will be considered impersonal and the rules on personal data will not apply.