Russia’s data protection authority, the Roskomnadzor, has recently announced its intention to increase the number of data localisation audits it carries out in 2016. It has pledged to conduct around 1,000 data localisation compliance audits and 2,000 monitoring procedures in a bid to check whether businesses are meeting their obligations under data localisation law.
Russia’s data localisation law came into effect 1 September 2015. It requires all companies that collect or process personal data of Russian citizens to process and store that information on servers in Russia. Companies also have an obligation to notify the Roskomnadzor of the location of such servers.
In a statement published 7 September 2015, the Roskomnadzor confirmed that the regulation applies to any company collecting personal data from Russia, regardless of its place of incorporation. This means that foreign companies fall under the scope of the regulator’s audits.
It is believed that the compliance audit checks will have an increased focus on transnational companies, as they will now have had time to ensure compliance with the law. The Roskomnadzor had previously carried out around 300 audits by the end of 2015, focussing mainly on domestic companies.
Although the law has been in force for some time now, some uncertainty remains as to the full extent of enforcement action that may be taken against non-compliant companies. The head of the Roskomnadzor, Alexander Zharov, has given some guidance suggesting that the regulator could be given powers to block non-compliant websites without court orders, and declare domain names undelegated.
Despite this uncertainty, it is clear that companies will have nowhere to hide as the Roskomnadzor gears up for a busy year of compliance audits.