Russia's new personal data localization regulations: A step forward or a self-imposed sanction?
Introduction
The Russian legislation in the sphere of information technologies is changing rapidly these days. Lots of newly adopted legal rules are reshaping the IT-market in Russia: software import substitution regulations in public procurement[1], special provisions governing bloggers' activities, imposition of data retention obligations on Internet communication services, to name a few. But one of the most controversial and widely discussed is the recent “reinforcement” of Russian IT-law that relates to data localization provisions.
Until recently, Russian legislation did not contain any special provisions governing data location: information could be stored and processed everywhere, subject to limitations associated with some traditional special regimes (e.g. information constituting state secret or conditions of transborder data flow to countries not providing adequate protection of personal data).
The first signs of data localization provisions appeared in the banking sphere. In accordance with amendments to Federal Law “On Banks and Banking Activities”, adopted in 2013, financial institutions acting under a license from Central Bank of Russia were obliged to reflect all their financial transactions in electronic databases, allowing such data to be stored for a period of not less than five years. Subsequent regulations of the Central Bank of Russia established that backup copies of such databases should be located in Russia[2]. However, location of primary databases with such data was not regulated: for the purposes of control and oversight activities, it is more than enough to have local backup databases not complicated by jurisdictional matters.
The second wave of data localization provisions happened in 2014. As a legislative response to the terrorist acts committed in the Russian city of Volgograd at the end of 2013, the so-called anti-terrorist “package” of laws was introduced, which apart from strengthening criminal liability for terrorist and related activities, introduced additional limitations on anonymous electronic money payments, obligations to identify users of Internet services in public access points and, what is more important, amendments to the main Russian statute regulating information technologies: Federal Law No. 149-FZ “On Information, Information Technologies and Protection of Information” (hereinafter – “Law on Information”)[3].
These amendments may be divided into two parts: one relating to bloggers and another one to all other persons who “organize dissemination of information in Internet”. The first part, which was most widely discussed in the blogosphere, pursues the goal of equalizing the legal status of popular bloggers (with more than 3000 views per day) with Mass Media and imposing obligations similar to those of Mass Media, specifically: to be responsible for the accuracy of information published, to register with the Russian supervisory authority in the IT-sphere (“Roskomnadzor”[4]), to reveal true identity and provide contact details for sending communications relevant in law. Something similar was adopted in China as early as 2005, when all bloggers with independent web sites were required to register with the Government[5].
The second part directly relates to data localization requirements. A new legal status has been introduced, named as “Organizer of dissemination of information in Internet” (hereinafter – “Organizer”), which is defined as:
any person, facilitating functioning of information systems and/or computer programs, which may be used and/or are used for receipt, transfer, delivery and/or processing electronic messages of the users in Internet. (Article 10.1 of the Law on Information)
Once it is established that a certain Internet-service falls within the definition of “Organizer”, such person has to fulfil a number of obligations: to notify Roskomnadzor; to store user's traffic and other specified data for six months in Russia; and to cooperate with Russian law enforcement agencies (mostly Federal Security Service) by granting them access to the stored data upon request. Failure to comply with such obligations may lead to fines and blocking access to the web site of such Organizer.
As it may be seen, the definition of “Organizer” is formulated rather vaguely, allowing the inclusion in its scope of almost anyone associated with Internet service, even vendors of server hardware and software. Some further guidance is provided in subordinate regulations: Decree on Data Retention and Storage[6]. It contains a narrow approach, specifying that special data retention obligations associated with the status of Organizer apply only to providers of “communication Internet-services” understood as an:
information system and/or computer program that is used or may be used for receipt, transfer and/or processing of electronic messages between Internet users, including for sending messages to the general public.
According to this definition, Organizer is understood to be a person providing the services that allow Internet users to communicate with each other. Such an approach narrows the practical application of the legal regime of “Organizer” to such ISPs as social networks, providers of public e-mail, providers of collaboration/storage cloud services, providers of forums and other discussion groups. This narrow approach is used in the day-to-day practice of the Russian supervisory authority (“Roskomnadzor”) as well.
As of July 1, 2014, there were around 60 Organizers registered with Roskomnadzor, which represent major Russian Internet platforms, providing users with communication facilities, among which are: public e-mail services of Mail.ru, Yandex and Rambler; social networks VKontakte and Odnoklassniki; free hosting/web-site configurator service uCoz.ru; cloud storage service YandexDisk; some of the biggest news aggregators with user discussion functionality. There are no foreign Internet businesses, since none have a physical presence in Russia yet. However, Roskomnadzor is conducting extensive discussions with foreign communication Internet-service providers with the intent to facilitate their compliance with the law. Whether many foreign companies will comply with this law yet remains to be seen. For now, it is possible to conclude that addressees of the second wave of data localization are Internet communication services operating in Russia.
The list of the data subject to local storage requirements is provided in the Decree on Data Retention and Storage. It includes several types of data: i) data about the user; ii) data about electronic communications that occurred; and iii) information about electronic payment transactions. Actual content of the communications is exempted from data storage requirements.
From a legal perspective, most of the information which has to be stored by Organizers falls within the definition of “personal data”, as it relates to individuals who can be directly or indirectly identified by means of it[7]. So, it is possible to argue that Federal Law No. 97-FZ has established a regime of partial local storage of personal data, thus preparing the ground for subsequently adopting Federal Law No. 242-FZ on full local storage and processing of personal data of Russian citizens. (This will be reviewed later in this paper.)
However, it needs to be mentioned that Federal Law No. 97-FZ does not require that the data are stored exclusively on the territory of Russia. In other words, it does not prevent data from leaving Russia by prohibiting its processing abroad. The law only requires that a copy of it is stored locally. That seems to be logical taking into account the main purpose of this law: facilitating investigatory activities without jurisdictional complications. For such purpose, it is enough to facilitate availability of relevant data to local authorities: exclusive storage of data in Russia seems to be an excessive measure.
Generally, Federal Law No. 97-FZ can be perceived as a legislative response to the convergence of Internet services and traditional telecommunication providers[8]. Historically, telecommunication operators were subject to multiple regulations facilitating investigatory activities (e.g. one of the conditions of their telecom license was that they have to implement special wiretapping infrastructure (“SORM”) and provide relevant information upon request to authorized law enforcement agencies). However, in the modern era, where communications in the Internet environment become more and more common, limitation of those obligations to traditional fixed/mobile operators is no longer adequate. There are more and more voices in favour of the position that services of similar value and purpose need to have similar treatment, at least in critical matters. Of course, data retention obligations could be introduced without the localization requirements, but in such cases, Russian law enforcement authorities would lack enforcement teeth when such data are stored abroad. In such cases, special mutual legal assistance treaties should be followed, which provide lengthy procedures and discretion to the other party. So, absent other efficient enforcement mechanisms, localization of such data becomes an essential element of national sovereignty. But its limitation to traffic data and one type of actors (communication Internet-services) is not enough to make it efficient. Something more universal is needed; thus, the third wave of data localization has been introduced.
Such third wave is represented by the Federal Law No. 242-FZ, which supplemented Federal Law No. 152-FZ “On Personal Data” with a very controversial obligation. Data controllers, while collecting personal data of Russian citizens online, are obliged to store and process such data in databases located within the territory of the Russian Federation.
The Draft of Federal Law No. 242-FZ was prepared and adopted very quickly: it was submitted to the State Duma (lower house of Russian parliament) on June 24, 2014. On July 4, 2014, it was approved by State Duma, and on July 9, it was approved by the Federal Council (upper chamber of Russian parliament). On July 21, 2014, the President signed it. Explanatory materials accompanying the draft contain little information regarding the motives or justification of the proposed regulation. It simply states that the law is aimed at enhancement of the existing procedures of processing personal data and is “in line with the case law of European Court of Human Rights”, referring to the decision of European Court of Justice of May 13, 2014[9]. Evident confusion of European Court of Justice with European Court of Human Rights illustrates the haste that accompanied the preparation of the draft and formal approach to its justifications. What can be said with absolute confidence, however, is that it will be adopted regardless of the presence or absence of persuasive arguments in its favour.
Regardless of all the circumstances surrounding the process of drafting and adoption of the Federal Law No. 242-FZ, the result is evident: Russia has introduced unprecedented regulation in the sphere of personal data protection.
Overview of Russian personal data localization law and its existing interpretations
The well-known truism that “the devil is in the detail” perfectly applies to the matters of practical implementation of data localization provisions and their alignment with the rest of the corpus of data protection laws. It is one thing to proclaim data localization provisions and quite another to make them work. Not surprisingly, initial feedback on the data localization concept was very sceptical because of the difficulties of its alignment with the possibility of transborder data transfer
The reasons behind the adoption of personal data localization requirements in Russia
One of the key questions lying on the surface, while analyzing new personal data localization obligations, concerns the purposes of their adoption. What were the goals the legislator tried to achieve and have they been achieved? Depending on the answers, some predictions about future enforcement can be made, as well as locating the key for interpretation of its uncertain provisions.
Potential impact on the market and technologies
After all the buzz personal data localization regulations created on the Russian market, they will hardly remain only on paper. However, compliance with them has economic as well as technological consequences, which are substantially intertwined. This section will provide a brief analysis of the potential impact of data localization on the Russian market in general and the IT-market in particular.
Conclusion
The trend towards sovereignty of the Internet is present not only in Russia: many other countries, including those in Europe, are trying to increase control over information processes in their national segments of the Internet. Russia has adopted an unprecedented personal data localization mechanism, which does not have analogues in foreign countries and which has attracted a great deal of attention from foreign companies operating in the Russian market. The Russian mechanism of data