The Russian Data Protection Law review

As you may now know Russia passed a new law requiring the local storage in Russia of the personal data of Russian citizens. Under the Data Localization Law, businesses and data operators processing data of Russian citizens, whether collected online or offline, are obliged to record, systematize, accumulate, store, update, change and retrieve such data in databases located within the territory of the Russian Federation. It is clear that the new Law will be applicable to Russia-based data operators (including subsidiaries and representative offices of foreign companies). Under the current version of the Law, it will come into force on 1 September 2015.

The legislation has been criticized for its vague wording and practical implications. The important aspect of this law is the fact that it is so far reaching. Even where a business has Russian customers but no legal presence in Russia, it should note that Russian data protection law is considered as public order for all companies collecting and processing personal data of Russian citizens, with no exceptions for foreign companies. Therefore, if a business holds Russian personal data in the US and UK, the law is, technically, applicable to that business.

The business community has applied pressure since the New Law was announced to obtain clarification from the authorities on the implications for those conducting business in Russia and dialogue between businesses and the authorities continues.

Want to know more? Please download our whitepaper here for the full details.



Dennis Dayman, CIPP/US, CIPP/E, CIPT
Chief Privacy and Security Officer
Return Path, Inc.