Just one month before the new Data Localisation Law (‘the law’) is due to come into force, the Russian Ministry of Communications has published its long-awaited clarifications (in Russian) to the new law.
These clarifications, although unofficial and non-binding, provide further guidance on the new law which will require all organisations processing personal data on Russian residents to collect and store such data within Russia. Key clarifications include:
- As a general rule, the law should not apply to non-residents of Russia (including foreign organisations). Because of the nature of the Internet, however, organisations that use the Internet to conduct business within Russia may be caught.
- Organisations that purposefully collect personal data directly from Russian citizens, or use a third party to do so, will fall under the law. Incidental collections will not apply.
- The law will not apply to personal data collected and stored internationally before the effective date of September 1. However, if personal data of Russian citizens is further processed after this date, e.g., if it is updated or changed in any way, the new law will apply even if such data were collected internationally and before September 1.
- The law will not prevent organisations from transferring personal data to secondary jurisdictions as long as any changes, updates or modifications to the data are first made in Russia, and only transferred to the secondary database if required.
Although the clarifications answered some questions, further guidance as to possible exemptions in processing employee data is required. Additionally, Roskomnadzor, the Russian data protection authority, has yet to issue its guidance/clarifications.
Whether we will see the law in force in September remains to be seen. A delay is currently being discussed; but with the Roskomnadzor indicating that it intends to audit organisations from September 1, organisations should ensure they have policies and systems in place to be as fully prepared as possible.