Controversial law on personal data storage comes into force
As of September 1, Russia has new rules obliging all companies offering internet services to store users’ personal information inside the country. The authorities refused to postpone the bill’s enforcement, but allowed exceptions for some businesses, such as air carriers.
President Vladimir Putin signed the bill “On processing of personal data in information and telecommunication networks” into law on December 31, 2014. The initial draft suggested the law would have come into full force on September 1, 2016, but when the bill passed the State Duma it was rescheduled for this year.
The law says the state internet watchdog will be able to blacklist sites that refuse to comply with the new rules and possibly limit access to them. Violations of the law are punishable with a relatively small fine of 20,000 rubles (about $300) and the term for bringing violators’ activities in line with state regulations is six months.
According to the law, personal data collected before September 1, 2015 can remain on foreign servers in its unchanged form. It also allows exceptions for cases described in various international treaties and agreements, such as foreign embassies’ online visa services.
The sponsors of the bill reason that it will prevent foreign states from misusing Russian citizens’ personal data and strengthen Russia’s national security. They also said the new law accords with the current European policy of legally protecting online personal data.
However, online businesses including major international companies have complained that moving information to Russian servers could be complicated and expensive. After talks, the Russian government agreed to grant concessions to air carriers and other websites that sell air tickets, both foreign and Russian-based. The authorities also promised not to launch inspections before the end of the year and said the new law would not affect ordinary users in any way.
The head of Roskomnadzor Aleksandr Zharov told TASS his agency will only launch planned inspections of internet companies at the end of the year, and these checks will only concern documents – state auditors will ask businessmen to show contracts with Russian data-storage companies or their own servers. Zharov added that these plans did not include checks into Google or Facebook branches in Russia.
Major Russian companies such as Rambler, Livejournal, Mail.ru, Yandex and Vkontakte reported earlier that they had already transferred all servers with users’ data to Russia. Rostelecom has developed a major program of data storage facilities designed to satisfy the growing needs of the business community for server space.
The international research company Gartner has conducted a poll among foreign internet businesses operating in Russia, showing that about 33 percent of them were ready to trust personal data storage and processing to Russian providers.
Twenty-eight percent agreed to store a copy of their data dump on a Russian server. Almost 20 percent said they would not change anything before the authorities launch an official inspection and 19 percent said they would wrap up operations in the Russian market.
International internet majors such as Ebay, Samsung, Aliexpress and Booking.com have already confirmed their intent to work within the requirements of the Russian law. Microsoft representatives have told TASS that not all of the company’s services fall under the new regulations, but those that do would be moved to Russian servers in time.
Google and Facebook offices in Russia have declined to comment on the situation.