24 November 2016
The Russian data protection authority (‘Roskomnadzor’) announced, on 17 November 2016, that it had taken steps to block access to LinkedIn Corp.’s website in Russia. The block follows a decision by the Moscow City Court (‘the Court’) finding LinkedIn in violation of Federal Law of 21 July 2014 242-FZ (‘the Data Localisation Law’), which requires companies to store personal data of Russian citizens in Russia. This represents the first time the Roskomnadzor has blocked access to a foreign company’s online services for failing to conform to the Data Localisation Law.
Maria Ostashenko, Partner at ALRUD Law Firm, told DataGuidance, “The restriction of the access to LinkedIn’s website may become a wake-up call for other foreign companies. Through the demonstrative ban of LinkedIn, the Roskomnadzor hopes to strengthen its position before a new round of negotiations with Facebook, Twitter and other foreign companies on the localisation of personal data. However, if large foreign companies refuse to comply, this may turn out to be a tough sell and the shutdown of the websites of such companies may lead to active protest from within Russia. The Roskomnadzor’s approach to other foreign companies, who still have not transferred their data to Russia, will depend on the final outcome of the LinkedIn case.”
Following the entry into force of the Data Localisation Law in September 2015, the Roskomnadzor has carried out a series of compliance checks into the data protection practices of organisations in various sectors. The Roskomnadzor initially commenced an investigation into LinkedIn’s operations, after which it sought a judicial decision from the Court that LinkedIn was in violation of its data processing and localisation obligations.
Vyacheslav Khayryuzov, Head of Technology, Media and Telecoms at Noerr LLP’s Moscow Office, explained, “LinkedIn’s major violation was its failure to store and process personal data of Russian citizens on databases/servers located in Russia. The Court found LinkedIn to be liable for a violation of Article 18, Part 5 of Federal Law of 27 July 2006 No. 152-FZ (‘the Personal Data Law’), as amended by the Data Localization Law. On this basis, the Court ordered the Roskomnadzor to take steps to restrict access to LinkedIn.”
Following the Court’s decision, the Roskomnadzor added LinkedIn to the list of websites that it has blocked for non-compliance with data protection laws. This list currently includes over 161 operators, although the Roskomnadzor’s report on its supervisory activities from September 2015 to September 2016 indicates that it had found only 23 violations of the Data Localisation Law, comprising 1.3% of all the violations recorded. The Roskomnadzor’s report also specifies that the majority of businesses audited have been local Russian-registered companies, even though the Ministry of Communications (‘Minsvyaz’) clarified, on 12 February 2016, the extra-territorial application of the Data Localisation Law.
The requirements of the Data Localisation Law shall apply to LinkedIn even though it does not have a presence in Russia, via its branch, representative office or legal entity.
“The Roskomnadzor and the Court noted that the requirements of the Data Localisation Law shall apply to LinkedIn even though it does not have a presence in Russia, via its branch, representative office or legal entity”, Ostashenko commented. “The requirements do not, however, apply to companies that do not receive the data directly from data subjects or through data processors acting on their behalf. Also, the requirements do not apply to data received inadvertently in the course of a normal business activity, for instance, contact information of individual representatives of other entities involved in business processes.”
Shortly after its decision to deny access to LinkedIn’s website, the Roskomnadzor announced, on 15 November 2016, that Microsoft Corporation had complied with its own obligations under the Data Localisation Law. Additionally, the Roskomnadzor announced, on 19 November 2016, that it has agreed to hold a meeting with LinkedIn’s representatives, in an attempt to resolve the dispute with LinkedIn.
Ostashenko explained, “Microsoft has a substantial presence in Russia, including data centres that could process the data of Russian users and the Russian part of the LinkedIn website. I think that finally the Roskomnadzor and LinkedIn will find a compromise and access to the website will be reinstated.”
LinkedIn can now either attempt to meet the requirements of the Data Localisation Law or file an appeal of the Court’s decision to the Court of Cassation, which can then be further appealed to the Supreme Court.
Khayryuzov concluded, “It does not appear to me to be challenging for LinkedIn to achieve compliance in Russia. Other companies like Apple and Google, who have even more users in Russia, have already done so. I would expect that after the meeting with the Roskomnadzor, LinkedIn would start the process of relocating personal data of Russian citizens to Russian-based servers and bringing their policies at least with respect to Russian users in compliance with the Data Localisation Law.”
Kaveh Lahooti | Junior Privacy Analyst