Four years ago, in 2015, a law came into force setting out personal data operators’ obligations to store Russian citizens’ personal data on the territory of the Russian Federation. The law applies to operators that process the data by means of servers (internet companies, social media, etc.).
They need to ensure that personal data is processed using databases located on Russian servers. The definition of “personal data” mirrors the 1981 EC Convention: “personal data means any information directly or indirectly related to an identified or identifiable natural person”. As you can see, it’s very general and does not elaborate on personal data as the GDPR attempts to do, although there will likely soon be a new provision regulating cookies and Google Analytics.
This legislation raises a lot of questions as to what constitutes a database. Many lawyers believe that it can range from an Excel table on a single computer to a huge data center. Some companies adopt a risk-free approach and just store all the data in an offline spreadsheet.
Previously, the fine for non-compliance with data residency requirements was 3 000 rubles, or approximately $45. As the authors of the new law pointed out, such fines were “so insignificant for large Internet companies that they clearly weren’t equal to the type of violation and couldn’t serve as a way to comply with Russian law.”
Under the new law, if passed and signed by the president as is, the fines would range from 2 million to 6 million rubles ($31 000-$93 000). For a repeated violation, the fines would range from 6 million to 18 million rubles ($93 000-$280 000).