Zerophoto - Fotolia

Russian personal data law set to come into force despite fears

New law says all personal data submitted online by Russians must be held in the country's datacentres. But can the infrastructure cope and will the legislation deter foreign companies?

This article can also be found in the Premium Editorial Download: CW Europe: CW Europe – October 2015

A controversial new law on personal data storage that comes into force in Russia on 1 September is set to create problems and confusion for a huge number of companies.

Federal Law 526-FZ was adopted last year on grounds of "overall state security issues" and "increased instances of personal data leakage", but these justifications have been criticised by some entrepreneurs.

The law stipulates that all personal information provided by Russian citizens when registering on websites, making online purchases or sending electronic messages is considered personal data and must be stored inside Russia.

Companies violating the terms of the new law will be placed on a blacklist by Roskomnadzor, Russia's communications watchdog, which would lead to access to their websites being blocked, as well as fines.

The new law will affect the vast majority of businesses operating in Russia. According to Roskomnadzor, about 2.6 million companies process personal data in the country.

The legislation has already discouraged some foreign companies from entering the Russian market. Swedish streaming music service Spotify planned a Russian launch in the first half of 2015 but then cancelled its plans, blaming its decision on difficult economic conditions and the personal data storage regulations.

But those companies that are already in the market see no alternative but to comply with the law, even though it is likely to lead to financial and organisational challenges.

No unanimity

There is still no unanimity among companies about how to interpret the law, says Vladimir Lebedev, business development director at Stack Group, which runs Moscow's Stack.М1 and Stack.HTH datacentres.

"Some believe that complying with it would be enough to transfer personal data collection to Russia, while the collected data could then be stored abroad," he says. "In that case, each company would have to invest between RUB100,000 [$1,700] and RUB1m [$17,000] a month."

But, according to Lebedev, if the entire data infrastructure is transferred to Russia, it would cost companies at least RUB5m ($85,000) to RUB10m ($170,000) a month. Also, investment in IT infrastructure, IT support and amendments to internal IT and business processes could require millions more rubles.

Alexis Rodzianko, president and CEO of the American Chamber of Commerce in Russia, says the law is "broadly drafted and subject to many possible interpretations, which will become clear as time goes by and as legal precedents are set".

"But the immediate impact of the law is the increased perceived uncertainty of operating in Russia and potentially heightened regulatory risk," Rodzianko adds.

"So I think the effect of the law, first of all, is to increase the level of risk for those operating in Russia and increase the level of perceived risk for those who are thinking of coming to Russia.”

Other observers agree that the new law is likely to harm the Russian economy, which is already in a bad shape.

"The measure is likely to have a negative impact on the entire economy, and GDP will shrink by 0.25% as a result of it," says Anton Guskov, a spokesman for the Association of Trading Companies and Manufacturers of Electrical Household and Computer Equipment.
"However, the law is the law, and companies are doing what they can to comply with it."

Prepared to comply

Most foreign companies operating in Russia say they are prepared to comply with the law.

“EBay makes every effort to comply with applicable laws and regulations around the world in order to best serve our customers," says a spokesperson for eBay in Russia.

"Russia is a thriving e-commerce market, and we are currently working with regulators to more fully understand the new law’s implications to the eBay business and our customers."

EBay would not comment on where exactly Russian customers' data would be stored and how much investment the transfer will require.

A spokesman for Lenovo says: "We are acting in compliance with the law. Some personal data has already been transferred, and the rest will be transferred by the deadline."

But while global companies might feel confident about compliance, smaller enterprises are in a more difficult spot.

In mid-July, the Russian Association of Electronic Communication published a survey of companies which found that only 54% are fully prepared for the law coming into force.

According to the study, 27% of companies are not fully prepared to transfer personal data to Russia, and 19% are completely unprepared to do so. About one-third of companies see financial obstacles, and 24% are concerned about their technical capacity for data transfer.

"At the moment, larger Russian datacentres have the resources to execute data transfer tasks," says Lebedev.

Read more on IT in Russia

But if a company chooses to transfer its entire infrastructure, issues could arise over disaster recovery and companies' preparedness to transfer data from global providers' public clouds

"At this point, it is difficult to estimate the entire size of foreign companies' [personal data] infrastructure stored by global providers," says Lebedev, "so it is difficult to judge whether Russian datacentres have sufficient capacity for the data."

In June, a group of European entrepreneurs reportedly asked Russian President Vladimir Putin to delay the enactment of the law to 1 September 2016.

Russian business daily Kommersant has reported that a proposal from the Association of European Business (AEB) was put to Putin under which the law would be enacted as expected, but no punishments for violation would be applied for the first 12 months.

There has been no response from the Russian authorities to that proposal so far, and AEB declined to comment on the situation.

The American Chamber of Commerce's Rodzianko says the law will come into effect as planned. "That is the information I have received from Roskomnadzor and the Ministry of Communications," he says.

Meanwhile, Roskomnadzor has said that by 1 January 2016, it will have inspected more than 300 companies to make sure they comply with the new law.

Read more on Data protection regulations and compliance