On 2 December 2019, the President of the Russian Federation, Vladimir Putin, signed Federal Law No. 405-FZ of 2 December 2019 on Amending Certain Legislative Acts of the Russian Federation (‘the Law’), which increases the fines for violations of data localisation and processing requirements.

Vyacheslav Khayryuzov, Counsel and Head of Digital Business and Data Privacy at Noerr LLP, told OneTrust DataGuidance, “The authors of the Law believe that non-compliance with the data localisation requirement threatens the safety of Russian citizens and important informational infrastructure, as well as impedes the fight against terrorism. The key take-away would be the increasing risk for companies which are trying to avoid or minimise their efforts in terms of compliance with the data localisation requirement. [In addition, the data protection authority] is expected to run more audits, and now they have a new tool to force the companies to comply.”

The Law supplements Article 13.11 of the Code of Administrative Offenses of the Russian Federation with parts 8 and 9, which establish administrative responsibility for the operator’s failure to ensure that the personal data of Russian citizens is collected, recorded, systematised, accumulated, stored, updated, changed or extracted using databases located within the territory of the Russian Federation. In particular, a fine of up to RUB 6 million (approx. €85,000) for a first offence, and RUB 18 million (approx. €255,000) for repeat offences may be imposed on a legal entity failing to meet the said requirement.

Khayryuzov continued, “The localisation requirement, which has existed in Russian law since 1 September 2015, can be complied with, for instance, by placing a database with personal data of Russian citizens in a Russia-based data centre or server [that] needs to be ‘primary’. This means that all initial recording and modification of data has to be made to the Russian database first, [while] further mirroring to foreign databases can be made only afterwards. This topic is becoming much more serious [and] therefore companies working in Russia are encouraged to revisit the topic of data localisation and to have a closer look at their compliance measures.”

KOTRYNA KERPAUSKAITE Privacy Analyst