Privacy and data security professionals worldwide should circle September 1 on their calendars, as it’s the day Russia’s new data localization law goes into effect – and possibly generates major waves far beyond Russian shores.  That’s because the law has significant implications for companies that collect personal information from Russian citizens, even if those companies do not have any physical presence within Russia.  This post provides an overview of data localization laws generally, with a special focus on Russia’s law and its potential effects.

What are data localization laws?

Data localization laws generally mandate that certain types of data collected in a particular country be stored and/or processed within that country.  In other words, those types of data governed by a country’s localization law cannot be transferred to another country for storage and processing – the data has to be stored or processed on servers located in that country.  Data localization laws sometimes are referred to as “data sovereignty laws” because they reflect a particular country’s assertion of sovereignty over data originating in that country.

What issues do data localization laws raise?

Entities subject to data localization laws, such as multinational corporations that collect data within certain foreign jurisdictions, must be aware of, and figure out ways to comply with, those laws.  Complying with data localization laws can be both complicated and costly.  In practice, compliance may mean building and maintaining servers within that country, as well as segregating data collected from various countries to ensure that data subjects’ personal information is stored on servers within those subjects’ home countries, if required.  Furthermore, and as detailed below, there is a great deal of variation in data localization laws worldwide, and companies must become familiar with the ins and outs of each individual law in order to achieve compliance.

Which countries have data localization laws?

A number of countries – including Canada, Indonesia, Nigeria, and South Korea – have data localization laws, but they differ in nature and scope.  For example, at the Canadian provincial level, laws in British Columbia and Nova Scotia mandate that personal information held by certain public institutions must be stored and accessed exclusively within Canada, with a few exceptions.  The Indonesian government requires those entities providing “public services” – a term which may be construed broadly – to maintain disaster recovery centers within Indonesia.  Nigeria requires all government data to be hosted within Nigeria.  A South Korean law has been interpreted to prohibit the storage of mapping data on servers outside South Korea, which means that it may be difficult for foreign visitors to use applications like Google Maps within that country.   Additionally, Brazilian lawmakers considered implementing a data localization law that would require companies to store in Brazil data they collected from Brazilian users, but ultimately decided against it.

Other countries, such as Australia, have laws restricting the transfer of certain types of data outside the country.  While these laws may not specifically require that the data be stored and processed locally, their restrictions on foreign transfers effectively require, or at least strongly encourage, data localization.  Australia’s Personally Controlled Electronic Health Records Act prohibits the transfer or processing of health data outside Australia in some situations, which essentially means that multinational companies dealing with this type of data must either build data centers within Australia or arrange for Australian entities to handle the data.  Even the European Union’s Data Protection Directive could be viewed as encouraging data localization, as an entity may feel pressured to store and process personal information within the EU so as to avoid the need to meet the Directive’s prerequisites for extraterritorial data transfers.

The movement toward data localization laws appears to have been inspired, at least in part, by Edward Snowden’s revelations about the scope of the National Security Agency’s surveillance.  Accordingly, some countries have enacted data localization laws in an attempt to hinder the U.S. government’s perceived ability to access the data.  Other countries have enacted data localization laws in order to allow government access to records.  For example, Vietnamese law requires Internet service providers to keep a copy of their data within Vietnam to allow for inspection by government authorities.  Still others may be enticed by the perceived economic benefits of domestic IT hosting and the ability to restrict competition from foreign companies, although research by the European Centre for International Political Economy suggests that data localization laws have proven economically harmful to at least some of the countries that have enacted them.

Whatever the reason behind their enactment, data localization laws are an important global trend, and privacy and data security professionals must be aware of these laws and the fact that they vary significantly from country to country.

What is the nature of the new Russian data localization law?

Russia’s new data localization law, Federal Law No. 242-FZ, was adopted as a set of amendments to Russia’s On Personal Data Law in July 2014 and was originally slated to come into force on September 1, 2016.  However, in late 2014, Russian President Vladimir Putin signed a law changing the data localization law’s effective date from September 1, 2016, to September 1, 2015.

The law requires “operators” to collect, store, and process Russian citizens’ personal data using databases located within Russia.  Whereas other countries’ data localization laws often apply only to certain types of personal information or categories of data, Russia’s law is drafted much more broadly.  Operators also must inform Russia’s Roskomnadzor, the state body that oversees telecommunications, information technology, and mass communication, of the location of the servers where Russians’ personal data is stored.  Internet addresses that are found to be out of compliance with the law may be blocked.  Since the law does not explicitly exempt foreign companies from its requirements, it should be assumed that Russian enforcement bodies will interpret the law to apply equally to foreign companies that collect, store, and/or process the personal data of Russian citizens – which, in effect, means that multinationals and any other entities that handle Russian citizens’ personal data need to invest the time, energy, and funds needed to investigate the new law and ensure compliance with its requirements, if appropriate.

Russia’s Ministry of Communications released clarifications on its website that provide valuable insight into the government’s prospective enforcement of the law.  Importantly, the clarifications underscore the broad scope of the law: although the site suggests that the law is meant to apply only to those entities within Russian territory, it acknowledges that the “cross-border” nature of the Internet makes it difficult to confine online activities within geographic borders.  It goes on to imply that the law will be construed to apply to foreign entities that direct activities “aimed at the territory of the Russian Federation,” a fairly ambiguous criterion that could be interpreted broadly in practice.

Why is the Russian data localization law so important?

As one of the BRICS economies, Russia is a large and increasingly important market for businesses, many of which already have Russian users, customers, or employees.  This fact, combined with the law’s broad scope, means that Russia’s new data localization law puts the onus on many companies – not just those based in Russia – to make significant and likely costly changes in their operations in order to comply.  Some companies have responded to the legislation by migrating certain of their data operations to Russia.  At the opposite extreme, other companies may choose to leave the Russian market entirely.

Even if a company chooses to invest in maintaining Russian-based servers in order to avoid running afoul of the law, the company also will have to examine and segregate the data it has collected in order to ensure that Russian citizens’ data stays in Russia.  Although at first glance a somewhat easier solution might seem to be migrating all European storage and processing operations to Russian-based servers, keep in mind that Russia is not in the EU and is not subject to the EU Data Protection Directive.  Accordingly, data cannot be transferred from an EU country to Russia as easily as it can be transferred from Italy to Spain, for example (since both Italy and Spain are in the EU and subject to the EU Data Protection Directive).

Although the law has not yet been enforced and its true effect remains to be seen, what is clear is that the law has the potential to affect the operations of many companies around the world in a significant way.  Privacy and data security professionals therefore should study the law, investigate the extent of their companies’ handling of Russians’ personal data, and consider whether they need to take action in order to ensure compliance.