Under Russian Data Protection Law, when collecting personal data, data operators (controllers) must ensure that recording, systematization, accumulation, storage, updating and extraction of personal data relating to Russian citizens are performed utilizing databases located in Russia (data localization requirement).
The new law, adopted by the Russian parliament and signed into law on December 2, 2019, introduces substantial fines for violations of that requirement.
Currently, the most stringent sanction for violating the localization requirement is the right of the Russian data protection authority (Roskomnadzor) to block access to websites belonging to the entities in violation. The most widely known application of this sanction was the blocking of LinkedIn in Russia, imposed in 2016. The block still applies: all Russian Internet service providers currently have to deny access to LinkedIn in Russia.
There are currently no substantial fines specifically punishing violations of the localization requirement. The new law introduces significant fines specifically for failure to localize the personal data:
All companies collecting personal data of Russian citizens would be well advised to review their compliance practices.