Russian Privacy Legislation - Безопасность прежде всего!

European Data Privacy regulations have been dominant in the media in recent months, but there are important new regulations that are being implemented in one of the world's biggest markets.

European Data Privacy regulations have been dominant in the media in recent months, but there are important new regulations that are being implemented in one of the world’s biggest markets that have gone relatively unnoticed. The Russian Data Localization and Right to be Forgotten Laws will be critically important for organizations doing business in the Russian Market as well as for Cloud and Search Providers servicing Russian Businesses.  

Data Localization

In September, Russia’s new Federal Law No. 242-FZ became effective. This regulation specifies that, with very few exceptions, organizations maintaining personal data, must retain the data in databases located in the territory of the Russian Federation. This includes multinationals having employees in Russia. Several countries have data localization laws, but they all differ. Interestingly, the Russian Law also applies to websites that focus on Russia or Russians. This would apply to domain names that are relevant to Russia (i.e., .ru or its Cyrillic equivalent) as well as Russian language versions of websites. Some countries have laws restricting the transfer of certain types of data outside national boundaries. The Russian Law allows organizations to transmit personal data of Russian citizens outside of Russia if there is also a copy of the data that is kept in Russia. The Law also does not prohibit remotely accessing a database which is located in Russia. Minsviaz (Минкомсвязь), the Russian Ministry of Communications is the main governmental body responsible issuing this regulation. Within Minsviaz, Roskomnadzor (Роскомнадзор), will enforce the law. Organizations must inform Roskomnadzor of the location of the servers where Russians’ personal data is stored.  

Right to be Forgotten (правo быть забытым)

The “right to be forgotten” is growing as an important aspect of data privacy. The EU has been leading the way in this area and now their efforts are being complemented by the new Russian law. The Russian Right to be Forgotten Law will take effect on January 1, 2016. The Law imposes an obligation on search engines to remove search results listing information on individuals where such information is unlawfully disseminated, untrustworthy, outdated, or irrelevant Both the EU and Russia have a stated goal of protecting personal privacy, but there are differences between the EU and Russia in terms of the protection for public figures. Russia also permits public figures to have information about them removed from search engines.  

Дела говорят громче слов

These new laws are going to seriously impact organizations that collect personal information from Russian citizens. Will these laws be too onerous for these organizations? Will they be able to fully document all the places in their networks where personal data exists throughout the entire company? With the increased emphasis on data privacy, organizations that do business in Russia or with Russians must ensure the protection of personal data. Paying lip service can have damaging consequences.

Joe Santangelo, Delphix Corp. +1-646-596-2670 @jisantangelo