Online firms operating in Russia will be required to store Russian users' personal data locally, say reports

Out-Law News | 08 Jul 2014 | 9:56 am | 1 min. read

Email services, search engines and social networks will be required to store Russian users' personal data solely on servers located in Russia under plans that have been approved by the country's parliament, the Duma.

ITAR-TASS, the Russian news agency, said that the plans had been "adopted" by the Duma and would come into force on 1 September 2016. Company websites and services could be blocked to Russian users if companies do not comply with the law.

Data protection expert Christopher Mann of Pinsent Masons, the law firm behind, said that the new requirements could be "problematic" for international businesses with operations in Russia.

"Businesses and their supply chains would need to ensure compliance with the new requirements, as well as bear the associated costs," he said.

"The move would also be at odds with current European initiatives, whereby - generally speaking - regulators and businesses are looking to agree common standards and processes so as to enable businesses to maximise efficiencies; for example, by aggregating data storage and processing," he said.

According to ITAR-TASS, the new law will require companies that collect personal data whether over the internet or through other means to "provide recording, systemisation, storage and update of the Russian citizen's personal data using databases located in the territory of the Russian Federation". Email addresses and messages will be treated as personal data under the new regime, it said.

Roskomnadzor, the Federal Supervision Agency for Information Technologies and Communications, will be responsible for monitoring compliance with the new regime, according to the reports. It will also maintain a 'blacklist' of those services and web addresses found to be not in compliance, ITAR-TASS said.

Earlier this year Brazil's Senate proposed similar local storage provisions in relation to data held about its citizens by online companies following allegations that the US National Security Agency was intercepting communications in Brazil and many other countries. The plans were dropped by the time that the bill was signed into law in April, and replaced with provisions making companies such as Google and Facebook subject to Brazil's laws and courts in cases which involve information held about Brazilian citizens wherever in the world that data is stored.