Last week, the Russian Parliament, the State Duma, adopted a bill in the first reading on GDPR-esque fines for violations of the personal data residency law. The fines under the new bill would amount to a maximum of $280,000.
How It All Began – Data Residency Laws and Blockage of LinkedIn
Data residency isn’t a concept native to Russia – but the Russian government takes it extremely seriously. Four years ago, in 2015, Federal Law No. 242-FZ came into force, setting out personal data operators’ obligation to store Russian citizens’ personal data on the territory of the Russian Federation. The law applies to those operators that process the data using servers (internet companies, social media, etc.).
They need to ensure that personal data is processed using databases located on Russian servers. The definition of “personal data” mirrors the 1981 EC Convention – “personal data means any information directly or indirectly related to an identified or identifiable natural person”. As you can see, it’s very general and does not elaborate on what personal data is the way the GDPR attempts to do – although there will likely soon be a new provision regulating cookies and Google Analytics.
This legislation doesn’t mean that the data can’t be transferred to foreign servers – as long as it’s initially stored on Russian ones. But it does raise a lot of questions as to what constitutes a database. Many lawyers believe that it can range from an Excel table on a single computer to a huge data center. Some companies adopt a risk-free approach and just store all the data on an offline spreadsheet.
Under the law of 2015, any operator that doesn’t comply faces the risk of the Russian communications watchdog Roskomnadzor (RKN) blocking it. That’s what happened with LinkedIn in 2016. A Moscow court ruled that the website had violated the data residency law described above. Despite many negotiations with the authorities, LinkedIn to this day remains blocked in Russia, although over 5 million Russian individuals and companies still use it with the help of a VPN. Mobile usage is only possible via a browser since the app has been removed from the Russian App Store and Google Play.
LinkedIn is the highest-profile Russian data residency case to date. RKN has since issued symbolic fines to Facebook and Twitter and has threatened to block the services on several occasions if they didn’t comply.
Although to this day no blockage has occurred and neither social network has made any serious attempt to comply, the new law might just change the situation.
What Would the New Law Entail?
Previously, the fine for non-compliance with data residency requirements was 3,000 rubles, or approximately $45. As the authors of the new law pointed out, such fines were “so insignificant for large Internet companies that they clearly weren’t equal to the type of violation and couldn’t serve as a way to comply with Russian law”.
Under the new law, if passed and signed by the president as is, the new scale of the fines would be as follows:
- For the initial violation, the fines would range from RUB 2 million to RUB 6 million, or from approx. $31,000 to $93,000.
- For a repeat violation, the fines would range from RUB 6 million to RUB 18 million, or approx. $93,000 to $280,000.
In addition to the general data residency fines, the bill also introduces service- and company-specific fines as follows:
- failure to register with RKN as an organizer of dissemination of information on the Internet may result in an administrative fine of up to RUB 1 million (approx. $15,615) for legal entities;
- failure to provide Russian state authorities with information on users and their communications, or with the decryption keys necessary to decrypt users’ communications, may result in an administrative fine of up to RUB 6 million (approx. $93,690) for legal entities;
- failure to install equipment required by Russian state authorities for conducting criminal investigations may result in an administrative fine of up to RUB 6 million (approx. $93,690) for legal entities;
- failure to fulfill obligations imposed on video-on-demand services may result in an administrative fine of up to RUB 5 million (approx. $78,075) for legal entities;
- failure to fulfill obligations imposed on instant messenger services may result in an administrative fine of up to RUB 2 million (approx. $31,230) for legal entities;
- failure to fulfill obligations imposed on search engines may result in an administrative fine of up to RUB 5 million (approx. $78,075) for legal entities.
Note, however, that these are just proposals and it’s possible that the range and size of the fines would change during the next readings of the bill.
In either case, however, it is unclear what exactly would constitute a “repeat” violation. Is it non-compliance that simply continues after the first warning? Or is it a repeat transfer of personal data between servers located abroad without first storing it on Russian territory? And how would the extremely wide range of fines be applied? History tells us that RKN would most likely apply them at its discretion, without necessarily having worked out the technical details while doing so. Perhaps it would adopt the EU data protection authorities’ approach and assess cases on an individual basis.
What we can be certain of is the inconsistency of their approach – the Russian IT and personal data legal landscape is fairly young and prone to frequent changes. For instance, the sovereign Internet law cannot be ignored by any company, not least those processing personal data of Russian citizens.
What About Sovereign Internet?
The justification for the updated fines I wrote about above is very similar to that of the so-called “sovereign Internet law”. The authorities believe that non-compliance with the data residency requirements creates a “threat to citizens’ safety” and “obstructs the fight against terrorism and extremism”.
Contrary to the popular hyperbolic interpretation in the media, the sovereign Internet is not a single provision adopting the Chinese or North Korean model of completely cutting Russia off from the global online world. Rather, it is a series of several federal laws and 25 (so far) sub-federal legal acts regulating specific aspects of the “sovereign Internet” package. These laws are aimed at creating a “back-up” system in the event of the country being cut off from the global Internet. The various aspects of this package affect separate business activities.
For instance, subjects of public procurement laws would no longer be able to invite foreign cloud service suppliers to bid on contracts. This could potentially restrict foreign DRaaS and other personal data service providers from participating in what is a large sector of the Russian economy. This restriction comes into force from November 1st of this year.
SaaS and other IT companies would also likely be affected, especially if their contractual performance is tied to KPIs. When the technical measures following from the law are implemented, they’d likely slow down the Internet and lead to some technical issues within networks (temporarily, of course).
It would also hurt companies that use cloud-based services for their internal business processes – there is a risk of them losing their data if they don’t have local back-ups. It’s another reason why companies should seriously consider compliance with the data residency laws I wrote about in the first part of this piece. If their cloud crashes, for instance, they’d still have a back-up of their data on Russian territory.
While the fines and the restrictions do look rather intimidating (although by no means as scary as the GDPR, especially to companies like Facebook), it’s too early to make any definite predictions as to what the final edition of the law would look like. However, companies that do business in Russia should start thinking about potential mitigation of associated risks.
Based on the experience we’ve had with RKN blocking Telegram last year, namely the many outages on servers across Russia, it’s safe to say that as sovereign Internet laws come into force and the government starts implementing them, individuals and companies should be prepared for a certain degree of disruption, especially if they conduct a lot of their activities in the digital field. Investing in a good corporate VPN is also advised (preferably with an automatic kill switch).