Update on amended Russian data protection legislation: news from the DPA conference in Moscow

12 November 2014

On 5 November 2014, the Russian DPA (Federal Service On Supervising Communication, Information Technologies and Mass Media, - Roskomnadzor) held their annual international conference on data protection in Moscow.

At the conference, the head of the DPA Mr Alexander Zharov clarified that the Federal Law No 242 dated 21 July 2014 introducing localisation requirements (please see our alert dated 24 July 2014) did not prohibit trans-border transfer of personal data of the Russian citizens. Mr Zharov further commented that Russia being a party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (No. 108) is bound to allow trans-border transfer of personal data. By way of an example, Mr Zharov also explained that the Federal Law No 242 dated 21 July 2014 (the "Law ") does not prevent the Russian citizens from obtaining Internet services abroad such as booking the hotels or education services.

The head of the DPA was joined by the other high profile speakers. Notably, Ms Ludmila Bokova (Deputy Chair of the Committee on Constitutional Legislation of the upper chamber of the Russian Parliament), among others, commented that the future policy of Russia will be to increase the level of localisation of the personal data. The Law is the first step in implementing this policy.

The conference was widely anticipated to be a forum for the DPA to provide clarifications in relation to the Law and the localisation of the processing of personal data of the Russian citizens in Russia. Various DPA officials were available for comment in relation to the Law but the DPA reiterated that there will be secondary legislation which will explain how the Law will be applied and enforced.

Various representatives of the DPA commented that when collected the personal data of the Russian citizens in the first instance needs to be collected and recorded on the servers in Russia. The database on the servers in Russia should further allow other data processing operations with the personal data such as systematising, storing and modifying. Trans-border transfer of such personal data is allowed in accordance with the general requirements of the Russian legislation on personal data. Such trans-border transfer should be justified by a legitimate purpose and the data should not be stored abroad beyond achieving such purpose. It remains to be seen whether this interpretation will be supported by the secondary legislation.

Mr Plugotarenko of the Russian Association of Electronic Communications which is closely engaged in clarifying the application of the Law commented that there were initiatives to limit the categories of personal data which are subject to the localisation requirements of the Law but this initiative was dismissed. As the legislation stands now all categories of personal data of the Russian citizens will be subject to the requirements of the Law.

The commencement date for the Law is 1 September 2016.