Reposted from Data Protection, Privacy and Security Alert

By Michael Malloy and Pavel Arievich

There has been an important development in Russian Data Protection Law. On July 22, 2014 a new law amending the law on data protection and law on information was signed off by the Russian President and thus was officially adopted. The law, will come into force on September 1. 2016.

The law requires all personal data operators to store and process any personal data of Russian individuals within databases located in Russia (subject to few exceptions). The penalty for violation of this requirement is ultimately the blocking of websites involving unlawful handling of Russian personal data. A Register of Infringers of Rights of Personal Data Subjects shall be established by the Russian telecommunication authority (Roskomnadzor) and from there, Roskomnadzor may move to block websites.

As the law is newly passed and not in effect yet, it is unclear as to how this register and the website blocking would work in practice, but we note that blocking websites is a commonly used enforcement method in Russia.

These rules are important for anyone doing business with Russians, regardless of where the business is located.

These new rules will have a considerable impact on Russian and multi-national companies with Russian presence, or with involvement of Russian-oriented web-sites, as many of such activities involve collection, storage and/or processing of personal data outside of the Russian Federation.

Moreover, they are likely to place a burden on the many international businesses operating online (such as travel services companies) who routinely process data of individuals from all countries (including Russia) without having any Russian subsidiary or presence as it would require them to distinguish the data pertaining to Russian individuals and store this data within Russia. A particularly distressing aspect for these companies is that without a Russian presence, they will have little opportunity or ability to engage Roskomnadzor regarding inclusion on the register or blocking of the websites.

According to the views of many commentators, enactment of such unprecedented rules could place a substantial burden on foreign investment into Russia and may broader negative economic consequences than anticipated. With that in mind, there is a good chance that the be modified or fine-tuned before September 1, 2016. this new law creates additional compliance requirements, there are strategies through which efficient compliance be achieved.

At this point, we strongly advise anyone doing business Russia or with Russians to take a close look at how personal data of Russians is handled. We would be more happy to provide any further details or assistance.

Contacts

Michael Malloy

Head of Intellectual Property and Technology Practice

T +7 (495) 221 4175

Michael.Malloy@dlapiper.com

Pavel Arievich

Legal Director in the Intellectual Property and Technology Practice Group

T +7 (495) 221 4472