Russian data localisation law now in force but some leeway for non-Russian Internet companies

Russia's data localisation law, which also applies to websites of foreign companies, entered into force on 1 September (PL&B International Report February 2015 p.6). But large Internet companies, Google, Twitter and Facebook, have lobbied the Ministry of Telecommunications and Mass Communications to give them more time for compliance. According to reports, large non-Russian based Internet companies will have until 2016 to get their house in order. The ministry has published a list of 317 planned inspections, mostly of Russian companies. But it plans to conduct inspections also on foreign companies that have offices in Russia, especially if it is informed of non-compliance. Access to websites of companies that are in breach of the law may be blocked.

The law will be enforced by the data protection regulator, Roskomnadzor. But it is the ministry that has now published its interpretation of some aspects of the law. According to law firm, Charles Russell Speechlys, the ministry has confirmed that the Law does not apply retrospectively. Only personal data collected after 1 September 2015 must be processed in accordance with the law. But as soon as legacy data is used again (for example, updated, changed, or retrieved) the requirements of the law will be triggered. Personal data that has been stored outside the Russian Federation prior to 1 September 2015 is exempt.