The Russian law on personal data storage will not apply to airlines and air ticket booking systems, the Ministry of Telecom and Mass Communications has announced on its website.
Adopted last year, the new legislation forbidding storage of Russian citizens’ personal data in foreign countries has posed new challenges to many companies – both foreign and domestic – which store their users’ data in borderless clouds. In addition to the obligation of organizing data migration to Russian servers, these companies must comply with the demanding Russian personal data legislation in its entirety. This legislation includes provisions on data collection, storage, use, and protection, as analyzed in a white paper recently published by EY and East-West Digital News.
In March 2015, as reported by Russian business daily Kommersant, airlines working with global distribution systems (GDS) like Sabre, Amadeus, Apollo, Galileo, Horizon, and SITA warned Russian officials that certain services might be interrupted, should the law be applied to them. The Association of Air Transport Operators, for instance, announced that it would not be able to meet the Sept. 1 deadline to relocate its databases to Russia.
Sabre was not prepared to change its IT architecture to comply with the new Russian law, a source in the airline industry told Kommersant. It would have been simpler for Sabre to cut off GDS service to Russian airlines, the source said.
Sabre declined to comment on the matter.
The decision to exempt airlines and air ticketing systems from the obligation to store personal data domestically might be opposed, however, by Russian secret service FSB, a government official told Kommersant. Also lobbying against this decision could be Rostec, a Russian technology and defense industry conglomerate which has invested resources in building a Russian alternative booking system. The company has yet to comment on the issue.
- A white paper released by East-West Digital News in partnership with EY and leading data centers offers an in-depth analysis of the Russian legislation on personal data. It also provides practical advice to organize data transfer in optimal conditions.