Global players challenged by new Russian law on personal data storage

Just two months before the new Russian law on personal data storage will come into effect, many international players are implementing the necessary steps to comply with it.

Thus, last month announced that all data from its Russian users will soon be transfered to a local data center. Preceding were such companies as eBay, Google, PayPal, Alibaba’s subsidiary AliExpress, as well as international PSP PayU.

Some e-commerce players, such as KupiVip and La Redoute, had even anticipated the law by transferring the data from foreign servers several years ago.

But not all international businesses are fully aware of their obligations, and many of them are unlikely to meet the September deadline, according to a white paper recently published by EY and East-West Digital News.

Some players, including some important international companies, are even considering leaving the Russian market due to the complexities of the new rules and to the current unfavorable economic context.

Change your database architecture – or leave the country

Adopted last year in a bid to affirm Russia’ digital sovereignty, the law requires companies operating in Russia to store Russian users’ or clients’ personal data on servers located physically in the country, starting from September 1, 2015.

Many foreign and domestic players, who store their users’ data in borderless clouds, are concerned. Those failing to meet the new requirements will face fines. Ultimately, access to their site may be blocked by the Russian telecom regulator Roskomnadzor.

This legislation initially triggered a wave of criticism in and outside Russia, with some foreign players seeing in the new rules the beginning of the end to their digital business in Russia.

There are considerable differences, however, depending on the type of business and database architecture. Certain business will not even even be affected by the law, “if their activity is regulated by an international agreement or specific legislation,” as stated in late June by telecom and mass media minister Nikolai Nikiforov.

The businesses concerned by the law can continue operating with Russian users or consumers by implementing a series of identified organizational, technical and legal steps.

However, things have been made difficult by the lack of clarity and precision of some provisions of the law. “There are still no specifications in the regulations about the possibility of storing copies of personal data outside of the Russian territory. No clarity either about the way to identify Russian citizens – for the protection of whom the law was intended,” notes Anastasia Kuznetsova, lawyer at EY’s Intellectual Property Center of Excellence (CIS).

“Information about the possible interpretations of the law is available only in the form of announcements from state authorities which have no formal legal value,” she adds.

Over the past few months many companies met the regulator in an attempt to clarify these points.

Five fundamental legal requirements for dealing with personal data in Russia

  • Personal data may be collected, stored and used only with the consent of the data subject (the person to whom the data refers), preferably in written form
  • Starting from September 2015, personal data should be processed by means of information databases that are physically located on Russian territory.
  • Data operators storing personal data are liable for keeping such data confidential and are not permitted to transfer, share or disclose such data without the consent of the data subject, with special attention paid to internal control mechanisms.
  • Full protection of personal data should be provided through a range of organizational and technical measures defined by the law.
  • The operator should draft and make publicly available an internal policy for processing personal data.

These rules apply specifically to personal data – which should not be confused with any user-related data. According to Russian law, the primary characteristic of “personal data” is the ability to identify among many persons a specific, unique individual.

Top 5 data migration tips

1. Give yourself a long time to fully implement the migration process. Just the delivery of servers itself can take up to two months alone, while testing after installation can also take several months. This adds up to a process that can easily stretch up to eight months.

2. Find a reliable local partner to assist you with the process. Involve head office team into the selection process.

3. Use existing import channels to move equipment (unless you opt for an IaaS solution). Usually your Russia-based data center will have a number of reliable and previously tested partners to recommend. These should be large local business integrators, or international suppliers who have a dealer network in the country.

4. Manage complexity by transparent communication: make sure there is full understanding of the installation design by all parties involved. Language barriers and complex terminology can create major problems between client and contractor in this regard.

5. Don’t forget about after-migration support: the data-center team and other participating parties should be on stand-by after launch. A properly run data center will have client service thoroughly specified, with procedures, documentation, a 24-hour bi-lingual emergency phone line in place and an online ticketing system to track status.

This article originally appeared on EWDN on July 3, 2015 by EWDN and Internet Retailer