Personal data storage and management in Russia: Report by EWDN and EY sheds full light on legal and organizational challenges

Starting from September 2015, the personal data of Russian citizens must be stored on servers located physically on the Russian territory. Adopted last year in a bid to affirm Russia’s digital sovereignty, this new law has provided many players with challenges due both to its demanding requirements and the ambiguity of some of its key provisions (see details in EWDN’s free white paper).

A huge number of foreign and domestic players, who either store or used to store their users’ data outside Russia or in borderless clouds, are concerned. Theoretically, even a hotel in the French riviera with names of Russian clients in its computers is supposed to store this data in Russia.

Those failing to meet the new requirements will face fines. Ultimately, access to their site may be blocked by the Russian telecom regulator Roskomnadzor.

In practice, the challenges differ considerably depending on the type of business and database architecture of each. Many companies have worked hard to meet the law’s requirements in time, as illustrated by the public announcements made by Booking.comeBayPayPal, Alibaba’s subsidiary AliExpress, as well as international PSP PayU in the past few months.

Some e-commerce players, such as KupiVip and La Redoute, had even anticipated the law by transferring their data away from foreign servers several years ago.

In July, 53% of the French, Russian and international companies surveyed by the French Russian chamber of commerce (CCIFR) stated that they will meet the deadline to comply with the law on September 1, while 39% said that they will comply but with some delay. Another 8% stated that they were not ready to comply at all.

What have been the difficulties in complying with the law?

CCIFR personal data survey_Difficulties

Survey of 50 French, Russian and international companies in a variety of sectors, from late July 2015. Source: CCIFR

But many international businesses have not been able to meet the Sept. 1 deadline. This seems to be true in the cases of several international Internet giants, if judging by media reports and the “no comment” or otherwise vague statements of their press services. However, Google has already signed a contract to deploy its equipment in Russia at Rostelecom data centers, while Apple has pledged to move its data by Jan. 1, 2016, reports RBTH.

Announcements about work in progress to transfer data to Russia have also been made by SAP, Samsung, Lenovo, and IBM.

Whether or not Facebook intends to transfer Russian personal data to Russia remains unclear, with the company insisting that user information does not constitute personal data.

Telecom regulator Roskomnadzor has announced that no sanctions for failure to comply with the law on storing Russians’ personal data will be applied till the end of the year. Thus, foreign companies have been given a deferral till Jan. 1, 2016, notes RBTH.

Meanwhile some other players, including some important international companies, are considering leaving the Russian market due to the complexities of the new rules and the unfavorable economic context of the present time.

Much-needed clarifications

Until just weeks before the Sept. 1 deadline, implementing the new rules was difficult due to the lack of clarity and precision of the law in several important respects. Ambiguities remained regarding the scope of the law, whether it was permitted to store copies of personal data outside of Russia, how to identify Russian citizens, and many other issues brought before the Russian authorities by the business community. Some statements from the authorities did concern some of these points, but they had no formal value.

Over the past few months, meetings with the regulator helped businesses clarify the situation. In August 2015, as a result of these meetings and of numerous requests from personal data operators, the Ministry of Telecom and Mass Communications expressed its interpretation of the law on its official website. These statements are not legally binding, but may be regarded as guidelines provided to businesses to comply with the law in good faith.

According to these official interpretations, personal data initially collected and stored in Russia can be transferred to or processed in databases located abroad. Key here, in order to protect the subject of personal data, is the initial location.

The questions of whether or not the law would apply to data collected before Sept. 1, 2015, has also been clarified. The rules are not retroactive; only personal data collected from Sept. 1, 2015, must be stored in Russia.

The Ministry also confirmed that certain businesses, whose activity is regulated by an international agreement or specific legislation, would not be affected by the law. This is the case of airlines and air ticket booking systems.

 

Five fundamental legal requirements for dealing with personal data in Russia

  • Personal data may be collected, stored and used only with the consent of the data subject (the person to whom the data refers), preferably in written form
  • Starting from September 2015, personal data should be processed by means of information databases that are physically located on Russian territory.
  • Data operators storing personal data are liable for keeping such data confidential and are not permitted to transfer, share or disclose such data without the consent of the data subject, with special attention paid to internal control mechanisms.
  • Full protection of personal data should be provided through a range of organizational and technical measures defined by the law.
  • The operator should draft and make publicly available an internal policy for processing personal data.

These rules apply specifically to personal data – which should not be confused with any user-related data. According to Russian law, the primary characteristic of “personal data” is the ability to identify among many persons a specific, unique individual.

Top 5 data migration tips

  1. Give yourself a long timespan to fully implement the migration process. Just the delivery of servers itself can take up to two months alone, while testing after installation can also take several months. This adds up to a process that can easily stretch up to eight months.
  2. Find a reliable local partner to assist you with the process. Involve head office team into the selection process.
  3. Use existing import channels to move equipment (unless you opt for an IaaS solution). Usually your Russia-based data center will have a number of reliable and previously tested partners to recommend. These should be large local business integrators, or international suppliers who have a dealer network in the country.
  4. Manage complexity by transparent communication: make sure there is full understanding of the installation design by all parties involved. Language barriers and complex terminology can create major problems between client and contractor in this regard.
  5. Don’t forget about after-migration support: the data-center team and other participating parties should be on stand-by after launch. A properly run data center will have client service thoroughly specified, with procedures, documentation, a 24-hour bi-lingual emergency phone line in place and an online ticketing system to track status.
  • East-West Digital News and EY are offering an update of their white paper on Russia’s personal data legislation. In addition to an in-depth analysis of the legislation, this document provides practical advice to organize data transfer in optimal conditions. It includes contributions from senior experts from EY and J’son & Partners, data-center operators IXcellerateDataSpace and Selectel, and international payment company PayU. To download your free copy, please click here
Topics: Analysis, International, Internet, Legal, Legislation & regulation, News, Personal data
Scroll to Top

This site is under maintenance. Sorry for the inconvenience.

This site is under maintenance. Sorry for the inconvenience.