Russia’s New Data Localisation Law Posted by John on 02 September 2015

A new law has been enacted this week in Russia which now obligates companies to store within Russia all data collected about Russian citizens. This new law, which amends existing legislation, has generated uncertainty and concern over surveillance and privacy rights with sceptics labelling it as an attempt to gain access to personal information for security and monitoring purposes. Federal Law Number 242-FZ, also known as the “Localisation Law”, requires companies to ‘record, systemise, accumulate, store, update, change and retrieve personal data with the use of data centres located in the territory of the Russian Federation’. The law also applies if a company is not based in Russia but directs its business activities towards Russian citizens via the internet.


Yet despite this specific intent, there is no clarity regarding the scope of the legislation. Russian companies that buy and sell products or services in Russia to Russians but store consumer data in servers offshore will be under immediate scrutiny. However, international corporations such as General Motors are also included in the list of 317 companies that are to be immediately audited by the federal executive body (the “Roskomnadzor”). Nevertheless, the Roskomnadzor has stated that while it will not be auditing internet giants such as Google and Facebook this year such investigations could occur at some point in the future. Both corporations, who have declined to comment on the situation, currently store their data on servers outside Russia and, as such, are now operating in breach of the new law. 

The Kremlin’s internet clampdown started after the 2012 Moscow riots following Vladimir Putin’s controversial re-election. The mass protests alerted the Kremlin to the growing power of social media. The Russian president even went as far as to label the global internet as a “CIA project” in 2014. Moreover, MP Evgeny Fyodorov (United Russia) has commented that Russian domestic policy is under attack from external influences via the internet: “All information that is stored (on foreign data servers) can be used against Russia. Therefore, we must take these sites under national control in order to protect our country.”

Although the new law has been heralded as being in the best interests of safeguarding Russian citizens’ information privacy, opponents argue that it is in fact anything but. “It has nothing to do with personal data protection. They want foreign companies to put their servers on Russian territory because they need access” according to Andrei Soldatov, an investigative journalist specializing in coverage of Russia's security services. If this is indeed the true intention of the Russian authorities however, the following question must be asked: What separates Russia from private corporations who exert control and influence over global data collection and retention? And also, will Russia’s regulatory policy differ greatly from that of the USA whose own dubious practices have been unearthed by the Snowden revelations? 

Viviane Reding, the former European Justice Commissioner, has stated that the highest level of EU Law provides that everyone has the right to the protection of personal data concerning them: “Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Lisbon Treaty guarantee the fundamental right to the protection of personal data applying to all Union policies.” This honest declaration of openness and transparency in the best interests of the citizen is the ideal approach to a positive relationship between practical government regulation and private sector compliance. The effectiveness of new Russian legislation in achieving and safeguarding such goals will be interesting to observe.