Russia: Penalties for Violation of Data Localization Rules are Dramatically Increased

Many companies have scrambled to comply with Russia’s peculiar Data Localization Rules since their enactment in 2015.  While these rules apply to a wide range of companies handling Russian personal data both in Russia and abroad, the penalties for non-compliance were traditionally limited only to blocking of the data operator’s websites.  This somewhat abstract penalty, along with narrow enforcement efforts from Russian authorities, created a relatively low-risk environment.  This has changed with the passage of much higher penalties, along with extension of administrative liability not only to the data operators, but also to key executives of the companies.

While it is unclear whether these increased penalties signal greater enforcement zeal amongst Russian authorities, the stakes are significantly higher, so proper compliance with the Data Localization Rules is all the more important.  We advise all data operators handling Russian personal data to review their compliance.

Data Localization Rules

The Data Localization Rules essentially require data operators handling Russian personal data to maintain their databases of such data in Russia.  Interpretations by the Russian data authorities (Minkomsvyaz and Roskomnadzor) further indicate a requirement that the initial database of Russian personal data must be in Russia (with possibilities to have copies in locations abroad).  This is an oversimplification of this rule, so further consideration and advice are needed to understand compliance options.

The Data Localization Rules apply to all data operators who handle Russian personal data, including foreign data operators without any presence in Russia.  The wording of the law is not precise, but the criteria used for asserting jurisdiction over foreign data operators usually focus on how the data operators’ websites are presented; specifically, whether the website is particularly focused on Russia or Russians.  Again, this is an oversimplification and further consideration and advice are needed to understand how this rule would apply in a particular case.

Penalties For Violations

The original penalty for violation of the Data Localization Rules was the possibility of blocking the data operator’s website handling Russian personal data.  There were no financial penalties and liability was limited only to the data operator (almost always a company).  The new penalties, however, feature significant financial penalties and extend responsibility to executives of the data operator in violation of the rules.

From December 2, 2019, administrative penalties for non-compliance with the Data Localization Rules by a data operator amount to between ₽2 million and ₽6 million (currently approximately US $31,500 to US $94,200) for an initial violation, and if the same violation is committed again, the fine can go up to ₽18 million (about US $280,000).

In addition to penalties for a data operator, sanctions for top executives of the violating companies (in practice, most likely the company General Director, or CEO) are introduced at between ₽100,000 and ₽200,000 (about US $1,560 to US $3,125) for an initial violation and between ₽500,000 and ₽800,000 (about US $7,800 to US $12,500) for repeated violations.

Interestingly, there was considerable discussion amongst officials and commentators indicating that many (notably including government officials) thought the proposed fines were too high, but the penalties were not reduced in the law as adopted.  It is too early to tell whether this sentiment regarding the severity of the penalties will affect penalty levels imposed in cases of violation, but in any event, the consequences for violations of the Data Localization Rules have increased in severity and this highlights the importance of ensuring compliance with these rules.

Enforcement Environment

The Russian government has thus far not engaged in widespread enforcement of the Data Localization Rules, but there have been efforts to compel compliance by high-profile global Internet platform operators such as Google, Facebook and Twitter.  Most famously in 2016, LinkedIn was blocked in Russia for failure to comply with the Data Localization Rules.  For the most part, however, these actions are the exceptions rather than the rule.  While the Data Localization Rules technically apply to a very wide range of data operators, very few have been subject to enforcement actions, so far.

Some commentators believe that the relatively lax enforcement approach taken thus far was because there were no financial penalties associated with violations and it simply was not worth the effort to seek enforcement.  If this theory is correct, the new penalties might result in increased enforcement activity.

We do believe that the new penalties signal a deeper commitment from the Russian state to enforcement of the Data Localization Rules and we advise all data operators handling Russian personal data to review their compliance.  The stakes are higher now.

By Michael Malloy and Pavel Arievich, DLA Piper Moscow