Since the proposal of Federal Law No. 526-FZ (the Law) in December 2014, the Russian data protection regulator (Roscomnadzor) has not issued any official comments on the application of the new Law. Roscomnadzor did recently hold several meetings with a number of representatives of major IT companies in Russia to make sure that these companies will be ready to comply with the new requirements by the time the Law comes into force on 1 September 2015, and to discuss how to apply the new Law. What was said during the meetings is not publicly known and companies which participated in these meetings have not shared many details. However, we know that during these meetings, Roscomnadzor mentioned that after the law has come into force, it will audit more than 300 companies by the end of 2015. A full list of such companies is not available (although some potential “targets” were mentioned). It is unclear whether the list would include Russian companies only or foreign companies as well and in case of the latter, it is unclear how the audit will be conducted in practice in the absence of proper cross-border investigation tools.
However, the Russian Ministry of Communications and Mass Media (MinComSvyaz), which is not the same as Roscomnadzor but is the Ministry which controls Roscomnadzor, published comments and a set of FAQs (in Russian only) in connection with the application of the Law. These comments and FAQs are not binding, but are likely to be adhered to in practice by administrative authorities and courts. At first glance MinComSvyaz appear to take a reasonably liberal view of the broadly drafted laws, but until there are practical examples, it is hard to form a definitive view.
Here is a high level summary of the MinComSvyaz guidance.
Scope of application – foreign persons: MinComSvyaz states that the new laws apply to a foreign company with no branch / physical presence in Russia if such company and/or its website “directs its activities to” Russia. According to MinComSvyaz, this criteria is similar to the one set out in clause 15(1) of EU Regulation 44/2001 with respect to definition of jurisdiction over consumer contracts. MinComSvyaz states that the following features indicate that a foreign company “directs its activities to” Russia: The company uses a Russian domain name – federal or regional – such as .ru, .su, .рф; or there is a Russian language version of the website and either there are references to RUB as possible currency of payment of services provided / goods supplied by the company; or there are links/advertisements in Russian to the website, etc.
Scope of application – timing: MinComSvyaz states that the new rules will not have retroactive effect, however, any processing of personal data of Russian citizens on databases located abroad is not allowed after the Law has entered into force. It should be noted that MinComSvyaz has said that in their view the notion of “collection” of personal data (which is prohibited in accordance with the new rules unless such data is stored in Russia) excludes receipt by a company from another company in the same group of contact details of employees of the latter. This exclusion should allow a simple exchange of business email-addresses and contact details, but should not go beyond that in practice. MinComSvyaz does not specify which employee data would exactly be covered by this exemption, and does not provide any information about any other exemptions which could apply to other data such as marketing data.
Cross border transfer: MinComSvyaz states that despite the new Law mere cross border transfer of personal data of Russian citizens should be allowed (subject to the consent of the individual in question), however, any further processing of such personal data without localization in Russia is banned.
MinComSvyaz clearly says that further processing abroad (without the use of a database located in Russia) may not be allowed even if the relevant individual has given its consent to processing of its personal data abroad (the aim seems to be to ensure that a complete copy of all data is retained in Russia). It is unclear if processing from abroad but through a database in Russia (by way of remote access) would be allowed.
Remote access: MinComSvyaz states that it is permitted to provide people abroad with access to databases located in Russia (the key feature is location of the database and not the person who accesses the personal data within such database).
Citizenship: MinComSvyaz agrees that the Law does not set out clear requirements as to how citizenship of a person can be established and allows data operators to determine this themselves based on their activities. In our opinion, “based on their activities” is a broad concept and may be interpreted widely, which opens Russian companies up to a degree of risk.
Reliance on the user: MinComSvyaz says that data operators can generally rely on information the users provide confirming their citizenship, but should endeavor to check whether this information is correct. No further guidance is provided on how such confirmation should be sought or information should be checked.
Back-up copies: MinComSvyaz reiterates that the new rules do not distinguish between the “original” copy in Russia and the “back-up” copy abroad. However, their view is that provided that personal data has been collected and processed in Russia, any change or amendment to such personal data is always first collected, stored and further processed in Russia and any subsequent processing abroad is 100% analogous to the processing already done in Russia. Subsequent duplication / duplicative processing (i.e. a backup) abroad is not prohibited. The new rules prohibit a situation, where there is more information on a database abroad than on a database located in Russia or where information on the database abroad is more up-to-date than information on a database located in Russia.