With the 1 September 2015 effective date for the Russian Data Location law fast approaching, many American businesses are unaware of the reach – or consequences – of the legislation.

The Data Location law signed by president Vladimir Putin requires foreign companies that collect and store personal information on Russian citizens to process and store the data in servers on Russian soil.

Ostensibly intended to prevent data mining efforts like those disclosed by former US National Security Agency (NSA) contractor, Edward Snowden, data localisation laws are becoming a topic, and a tool, for repressive regimes.

Originally adopted in July 2014, and since amended, Russian Federal Law No. 242-FZ covers some critical points that include the following. Beginning 1 September 2015, US companies with websites, mobile apps or other means to capture or collect personal data from citizens of Russia must first process and store the information on servers physically located in the Russian Federation. In short, any company collecting data on a Russian citizen is subject to the law. For the purposes of the new law, personal data is broadly defined as identifying information such as name, place and date of birth, and current or past addresses. Personal data operators, or those businesses that collect personal information, must report the physical location of their servers to the data protection and enforcement agency (DPA), known as ‘Roskomnadzor’. While the data localisation law does not prohibit the cross-border transfer of data, it does require written consent from the personal data subject if the information is transferred to territories or countries – such as the US – that are not considered to have adequate data protection by the DPA. The personal consent required for the cross-border transfer of information is extensive; the consent requires disclosure of the name and passport details of the subject, as well as information about the business collecting the information. According to the legislation, website operators and companies without a physical presence, or offices in Russia, remain obligated to comply with the law. The consequences of non-compliance remain hazy, but take the form of fines and loss of access.

Oct-Dec 2015 Issue

CLT3 Consulting, LLC