On 24 June 2014, the draft amendments to the Russian Federal Laws, among others, On Personal Data and On Information, Information Technologies and Protection of Information have been introduced to the Russian Parliament. The amendments were rushed through the Parliament with the second and third reading taking place on 4 July 2014 which was the last day of the Parliament's spring session and promptly signed off by the upper chamber of the Parliament – the Federation Council on 9 July 2014. This draft law became law (the "Law") on 21 July when it was signed by the President and comes into effect on 1 September 2016.
The Law requires a data operator when collecting personal data of the Russian citizens including, among others, on the Internet, to ensure that the personal data is recorded, systemised, accumulated, stored, updated and gathered by using the data bases which are situated in Russia. The above amendments have been widely interpreted in the Russian press as requiring the operators to store and host personal data exclusively on the servers and in the data bases which are situated in Russia. A leading Russian legislation data base provider GARANT expressed a different view saying that the Law does not prohibit duplicating personal data and storing it in Russia and abroad. The Law does not amend or prohibit the trans-border transfer of personal data. Having said this, many including the Russian Association of the Electronic Communication voice concerns that it is unclear on how the trans-border transfer may continue when the Law comes into effect.
The above requirement of the Law does not apply in the following cases which are envisaged in Article 6 (sub-clauses 2, 3, 4 and 8 of part 1) of the Federal Law On Personal Data:
- processing of personal data is required to achieve the purposes which are envisaged by an international agreement or piece of legislation of the Russian Federation in order for the data operator to carry out and discharge the functions, authority and obligations imposed by the legislation of the Russian Federation;
- processing of personal data is required to carry out justice, enforce a court act, act of another body or an officer which should be enforced in accordance with the legislation of the Russian Federation on enforcement procedures;
- processing of personal data is required for the federal executive bodies, bodies of the state non-budgetary funds, the executive bodies of the subjects of the Russian Federation and the bodies of the local governance to exercise their functions and also for the organisations which provide the state and municipal services which are envisaged in the Federal Law No. 210-FZ dated 27 July 2010 "On organising of the provision of the state and municipal services" including registering a data subject in the unified portal of the state and municipal services and/or regional portal of the state and municipal services to exercise their functions;
- processing of personal data is required for a journalist to carry out its professional activities and/or the legitimate activities of the mass media or scientific, literary or other creative activities subject to such activities not infringing the rights and legitimate interests of a data subject.
The members of the Parliament who introduced the draft Law discussed and the Russian press reported that the Law applies, among others, to the foreign companies without the corporate presence in Russia (i.e. no representative office or a branch) which differs from the previously publicised views of the Russian DPA. The Law further provides that on the basis of a court ruling the local DPA may include the owners of the information resources which are infringing the above rules in the register of the infringers and block access to the respective domain names/web-sites. The DPA is yet to voice its views and interpretation of the Law. The members of the Russian Parliament who introduced the draft Law said that YANDEX commenced building data centres in Russia already. BOOKINGS.COM announced that they will comply with the Law.
Further the Law requires the data operator who does not fall within one of the exemptions from notifying the DPA to include in the DPA's notification the information on where the servers/data bases of the operator are located in Russia.