On 21 July 2014, the Federal Law No 242-FZ (the "Law") amending, among others, the Russian data protection and information legislation was signed by the President. The Law requires all "data operators" who are processing personal data of the Russian citizens including on the Internet to do so on servers/data bases within Russia. The Law envisages a commencement date of 1 September 2016. Please see our alert of 24 July 2014 for more information.
On 24 September 2014, the Russian Parliament approved in second reading the draft law aimed at bringing the commencement date of the Law to 1 January 2015 instead of 1 September 2016 ("Draft Law"). To become law the Draft Law needs to be approved in third reading by the lower chamber of the Parliament, approved by the upper Chamber and then signed by the President. The Draft Law does not provide for a transitional period and is expected to become law imminently.
There is still no official clarification from the Russian DPA (Roskomnadzor) in relation to the application or enforcement of the Law. Prior to the Draft Law being introduced to the Parliament Alexander Zharov, the head of the DPA, in an interview to a leading publication Vedomosti suggested that in order to check whether the data operators are storing the personal data in Russia the DPA will be conducting field audits to check whether the companies have server capacity in Russia and checking the content of the servers. Mr Zharov further suggested that a technical solution developed in collaboration with the Internet community might be required for a more detailed audit of the data operators.
On 2 October 2014, Kommersant newspaper reported that according to a source in the DPA, the DPA will be developing a policy for the enforcement of the Law together with the market participants after the Draft Law is signed by the President. The same Kommersant publication cited a personal view of the head of the State Legal Administration of the President Ms Bricheva that duplication of personal data of the Russian citizens in Russia and abroad is not allowed. In her view it is not allowed to have a copy of the database in Russia whilst processing is done abroad. Ms Bricheva also commented that once in force the Law will apply to any data of the Russian citizens which was transferred abroad prior to the commencement date as such data may only be stored in Russia.
The Law does not prohibit trans-border transfer of personal data and duplication in principle should be allowed. It remains to be seen how the DPA will interpret the same.
The Russian DPA is organising an international data protection conference on 5 November in Moscow which will present opportunities to obtain a clarification from the DPA in relation to the enforcement of the Law. We will report further after the conference.