Recently two changes to legislation in Russia may have an impact on international businesses because the changes firstly affect the way in which data about Russian citizens has to be processed within Russia and secondly the periods for data retention of online communications.
Proposed changes to the Russian data protection law, which are likely to come into force in January 2016, restrict the processing of personal data on servers located outside of Russia and give greater powers to state supervision by the Federal Service for the Supervision of Communication, Information Technology and Mass Media (ROSCOMNADZOR).
Essentially the Russian law on data protection is intended to be amended so that it will be illegal to collect personal data of Russian citizens and directly send it to servers located outside of Russia without having first processed the data on a Russian server.
It is important to note that as currently drafted the law does not apply to non-Russian citizens nor does it apply to the processing of data relating to employees and contractors of multinational companies that have operations in Russia.
Where Russian citizens data is processed and is caught by the new law then the details of the company processing the personal data must be registered with ROSCOMNADZOR who will have powers to inspect and block websites that violate the law.
A further change affects primarily telecommunications, internet service providers and social media sites to the extent that they are required to log data in respect to users of their services that have Russian IP addresses and to retain such data for at least 6 months.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
