Under Russian Data Protection Law, when collecting personal data, data operators (controllers) must ensure that recording, systematization, accumulation, storage, updating and extraction of personal data relating to Russian citizens are performed utilizing databases located in Russia (data localization requirement).
The new law, adopted by the Russian parliament and signed into law on December 2, 2019, introduces substantial fines for violations of that requirement.
Currently, the most stringent liability for violating the localization requirement is the right of the Russian data protection authority (Roskomnadzor) to block access to internet websites belonging to the entities violating the localization requirement. The most widely known instance of this sanction’s application was the blocking of LinkedIn on the territory of Russia, imposed back in 2016. The blockage still applies – all Russian Internet service providers currently have to deny access to LinkedIn in Russia.
There are currently no substantial fines specifically punishing violations of the localization requirement. The new law introduces significant fines specifically for failure to localize the personal data:
- for the first violation: fines on private citizens up to RUR 50,000 (approx. USD 780); on officials up to RUR 200,000 (approx. USD 3,100); and on legal entities up to RUR 6 mln. (approx. USD 93,750); and
- for repeated violations: fines on private citizens up to RUR 100,000 (approx. USD 1,600); on officials up to RUR 800,000 (approx. USD 12,500); and on legal entities up to RUR 18 mln. (approx. USD 281,000).
All companies collecting personal data on Russian citizens would be well advised to review their compliance practices.