Sun, Mar
42 New Articles

Russia: Uncertainty Over Personal Data Localization Legislation

  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

You load the picture from your recent gathering of friends on Facebook. Immediately, and by itself, the website defines all the persons who are in the photo: surnames, age, habits, personal life. Everything is in the social network.

On the first day of your employment you give your employer copies of all documents proving that you are a citizen of this country and this city and that you were educated somewhere and maybe even worked. And the company, in turn, transfers that data to the dozens of organs that calculate taxes, your salary, give you medical insurance, even render a visa for a journey to Europe, and so on.

Every day we hand out our private life of our own free will or within the frame of requirements of common practice. The most interesting thing in Russia is that, even if the initiative comes from your side, the party receiving the personal data (PD) is nevertheless obliged to ask for your consent prior to processing it. Employers, doctors, banks and shops, counterparties – in all these cases your data may be used only in accordance with the specific aims for which it was provided.

The consequences for breach of this rule are real, and severe. For instance, last year Russian society lost access to the two extremely popular web-resources, PornHub and LinkedIn; the latter specifically due to the site’s violation of PD legislation. 

LinkedIn was shut down in Russia following a ruling that it had violated two laws in its activity: (1) It did not obtain prior consent from users for PD collection and processing, and (2) because the processing that it did undertake was executed outside of Russia, it violated the law (the “PD Localization Law”) requiring that PD collected from Russian citizens must be collected, kept, and processed first in Russia, and only then may be transferred across borders. The PD Localization law is rather new – it was enacted in September 2015.

LinkedIn, in its defense, claimed that because the company had no representative office in Russia, Russian data protection legislation was inapplicable to it. The social network, it argued, had no “target by IP-address, location, and the Russian language switches automatically under browser settings.” 

In fact, the PD protection law does not contain specific clauses that regulate its jurisdiction by territory and persons. Usually Russian legislation is limited in application to the territory of Russia, but the Internet is boundless, and much of the information on it, here and there, is untraceable. Thus, Russian state organs have established criteria for determining whether resources are “oriented” towards the Russian Federation: 1) use of the “.ru” domain name; 2) presence of a Russian-language version of the site created by the owner; or 3) any other demonstration of interest of the site owner to Russian-speaking society and/or the Russian market (such as advertising in Russian). These criteria are mentioned on the control bodies’ websites, but are not stipulated directly by law. 

Similar criteria of “orientation” can be found in European legislation. For example, consumer law can be applied if a supplier on another market “by all means orients its activity to the consumer country” (p. 1 of Art. 6 of the Regulation No 593/2008 of the European Parliament and of the council on the law applicable to contractual obligations). 

Since 2013 Russia became a party of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data CETS No. 108. Based upon the dispositions of the Convention, the localization rules are not applicable to non-residents of the Russian Federation who are located and acting in another country. The Convention requires that PD be used within the frame of the aims for which it was collected and in accordance with the legislation of the country where the non-resident is located. The Regulation also prohibits the creation of barriers to the flow of PD among and between the countries that are parties to it. This contradicts the current version of the PD Localization Law.

Unfortunately, it is unclear whether this Convention could have assisted LinkedIn. Roskomnadzor (the Russian organ overseeing PD collection and processing) sued the US-based LinkedIn Corporation. Later LinkedIn, on the appellate stage, claimed that the LinkedIn Corporation was responsible only for the processing of US citizens’ PD and was therefore the wrong defendant, as the processing of all other PD was performed by the LinkedIn Ireland Unlimited Company, located in Dublin.

Roskomnadzor’s answer on the question regarding the conflict of provisions of the Convention and localization law was simple: The localization law is based on the Convention and there is no conflict. 

To this point, no party to any case after September 2015 has relied on the Convention. Partially this is connected with the fact that most of the biggest networks – including AliExpress, eBay, Booking.com, PayPal, Citibank, Lenovo, Samsung, and Uber – have agreed to transfer storage of PD to Russia. But not all; Twitter, Facebook, and Google have refused to do so. Roskomnadzor has announced in recent conferences that it will not check these companies this year but will return to the question next year.

This Article was originally published in Issue 4.4 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

Our Latest Issue