News & Insights

Client Alert

June 19, 2019

Data Localization in Russia: Now Backed with Big Fines


On June 13, 2019 a bill of law entered Russian State Duma to introduce to the Code of Administrative Offense administrative fines for failure to comply with the requirements for localization of processing of personal data of the Russian citizens. Proposed fines for first offense amount to RUB 2,000,000 – 6,000,000 (approximately US$ 30,000 – 90,000) for legal entities. Repeated offense by legal entities is punishable with fines in the amount of RUB 6,000,000 – 18,000,000 (approximately US$ 90,000 – 280,000).

Localization requirements were introduced in 2015 in the Russian Law on Personal Data and provide for mandatory obligation for all operators of personal data to ensure recording, systematization, accumulation, storage, amendment and extraction of personal data pertaining to Russian citizens with the use of data bases located in the territory of the Russian Federation. Localization requirements cannot be waived by data subjects.

Until recently, Russian legislation contained no administrative sanctions for the violation of localization requirements. Effectively, the only measure the supervisory authority (Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications, or RKN) could specifically apply was the right to block the access to the web resource in breach of the requirements. This was done in November 2016 when RKN notoriously blocked access to LinkedIn network in Russia because the network refused to bring its servers to the Russian territory.

Since December 2018 and January 2019 respectively RKN is pursuing Facebook and Twitter with requests for compliance with localization requirements. Both networks were reported to be in discussions with the authority over means to bring their business in compliance with Russian rules but delayed the decision to physically bring their data servers to Russia. Mark Zuckerberg commented that his company has no intention to store users’ personal data in the countries violating human rights.

In April 2019 a district court in Moscow fined each Facebook and Twitter for RUB 3,000 (US$ 46) for failures to provide RKN with the requested information. RKN’s head Alexander Zharov commented to mass media that his authority would give the two social networking sites another 9 months to bring their data processing practices in compliance with the local requirements. Now, if the above initiative becomes law, Facebook and Twitter can face both administrative fines and blocking in the territory of the Russian Federation.

Experts consider the possibility of the amounts of fines to change during the course of discussions in the Russian Parliament. However, the news is already stirring the market and will most definitely lead to an increase in demand for compliance counselling.

Despite the urge to bring their business in compliance, companies should be on the alert about overpriced and even fraudulent offers of data compliance services, including technical.