By Lore Leitner & Ksenia Koroleva

Since the proposal of Federal Law No. 526-FZ (the Law) in December 2014, the Russian data protection regulator (Roscomnadzor) has not issued any official comments on the application of the new Law. Roscomnadzor did recently hold several meetings with a number of representatives of major IT companies in Russia to make sure that these companies will be ready to comply with the new requirements by the time the Law comes into force on 1 September 2015, and to discuss how to apply the new Law. What was said during the meetings is not publicly known and companies which participated in these meetings have not shared many details. However, we know that during these meetings, Roscomnadzor mentioned that after the law has come into force, it will audit more than 300 companies by the end of 2015. A full list of such companies is not available (although some potential “targets” were mentioned). It is unclear whether the list would include Russian companies only or foreign companies as well and in case of the latter, it is unclear how the audit will be conducted in practice in the absence of proper cross-border investigation tools.

However, the Russian Ministry of Communications and Mass Media (MinComSvyaz), which is not the same as Roscomnadzor but is the Ministry which controls Roscomnadzor, published comments and a set of FAQs (in Russian only) in connection with the application of the Law. These comments and FAQs are not binding, but are likely to be adhered to in practice by administrative authorities and courts. At first glance MinComSvyaz appear to take a reasonably liberal view of the broadly drafted laws, but until there are practical examples, it is hard to form a definitive view.