Russian personal data localisation law

The first statistics

27 April 2017

The Russian personal data localisation law came into effect on 1 September 2015. The law introduced several requirements for the collection and processing of the personal data of Russian citizens, the most talked-about of which is the requirement that the recording, systematising, accumulation, storage, adjustment (updating, modification) and extraction of the personal data of citizens of the Russian Federation be carried out using databases located in the territory of Russia. Failure to comply with these localisation requirements can result in fines for the relevant entity and the blocking of its website. However, the exact scope and impact of the "localisation" requirements are not entirely clear, and so the business community has been waiting to see how the Russian Data Protection Authority would actually enforce the law.

A year after the law came into effect, on 1 September 2016, the Authority published an overview with some statistics on its implementation. The overview shows that the Authority has been fairly mild in enforcing the law, and that its supervision has focused primarily on sectors that deal with retail clients and process their personal data online. Furthermore, the Authority stated that there were few breaches of the law.

We set out below the key highlights of the report, including the principal sectors being closely watched and the authority's methods of supervision:

  • since the localisation requirements were introduced, the Authority has conducted 954 scheduled audits and 82 unscheduled audits (i.e. audits prompted by complaints from individuals), and it plans to conduct a further 479 scheduled audits by the end of 2016 (in conducting these audits the Authority does not focus only on the localisation rules, but also checks general compliance with personal data laws);
  • the Authority has also started to apply "systematic monitoring", i.e. remote monitoring of identified companies where there may be reasons to suspect that they are not compliant with personal data law (e.g. by examining their websites remotely without notifying the company and recording the results in its internal reports; if violations are detected, these reports may be used as evidence);
  • the list of sectors most targeted by scheduled audits and "systematic monitoring", identified as high-risk sectors, includes banks, headhunting firms, hotels, travel agencies and online booking and ticket sales services. In general, this list reflects that the Authority deals mainly with consumer data, rather than any other category of data that could be of interest to it;
  • the audits revealed 1,822 instances where the law was breached, with just 23 instances related to non-compliance with the localisation requirements and the rules on cross-border data transfers (i.e. 1.3% of all violations);
  • "systematic monitoring" revealed 492 instances of violations of the law on personal data protection, with only eight instances related to the personal data localisation requirements (i.e. around 2% of all violations);
  • the companies which violated localisation requirements have at least six months to remedy their violation(s); and
  • finally, the report states that 161 websites processing the personal data of Russian citizens were blocked because of a breach of the personal data localisation requirements (the report does not identify these sites, and we are not aware of any instance of the website or intranet of a prominent multinational entity being blocked by the Authority).