Russia’s Data Localization Law Now Backed with Hefty Fines

A bill introducing high administrative fines for incompliance with Russia’s data localization law entered the Russian State Duma this month, Interfax reported.

Proposed fines for first offense amount to 2,000,000 – 6,000,000 rubles (around US$30,000 – 90,000) for companies. Repeated offense by legal entities is punishable with fines in the amount of 6,000,000 – 18,000,000 rubles (US$90,000 – 280,000).

Localization requirements were introduced in 2015 in the Russian Law on Personal Data. All operators of personal data must ensure recording, systematization, accumulation, storage, amendment and extraction of personal data pertaining to Russian citizens with the use of data bases located in the territory of the Russian Federation. Localization requirements cannot be waived by data subjects.

Until recently, Russian legislation contained no administrative sanctions for the violation of localization requirements. Effectively, the only measure the supervisory authority, Roskomnadzor, could specifically apply was the right to block the access to the web resource in breach of the requirements. This was done in November 2016 when RKN notoriously blocked access to LinkedIn in Russia because the network refused to bring its servers to the Russian territory.

Roskomnadzor has been pursuing Facebook and Twitter with requests for compliance with localization requirements. Both networks were reported to be in discussions with the authority over means to bring their business in compliance with Russian rules but delayed the decision to physically bring their data servers to Russia. Facebook owner Mark Zuckerberg commented that his company has “no intention to store users’ personal data in the countries violating human rights.”

In April, a district court in Moscow fined Facebook and Twitter $46 each for failures to provide Roskomnadzor with the requested information. RKN’s head Alexander Zharov commented that his authority would give the two social networking sites another 9 months to bring their data processing practices in compliance with the local requirements. Now, if the above initiative becomes law, Facebook and Twitter can face both higher administrative fines and blocking in Russia.