Russian data protection law is primarily governed by Federal Law No. 152-FZ on Personal Data (2006), which establishes rules for collecting, storing, processing, and transferring personal data. This law is supplemented by other regulations, including Federal Law No. 149-FZ on Information, Information Technologies, and Protection of Information (2006), the Russian Constitution (Articles 23 and 24), and international treaties such as the Strasbourg Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data.

The Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) is the primary regulatory authority overseeing compliance with data protection laws. It enforces rules, conducts inspections, and imposes penalties for violations.

Key definitions

  • Personal data: Any information directly or indirectly related to an identified or identifiable individual, including names, addresses, phone numbers, and online identifiers.
  • Sensitive personal data: Includes data related to race, ethnicity, political opinions, religious beliefs, health, and sexual life. Processing such data requires explicit written consent.
  • Biometric data: Information about physiological or biological characteristics used to identify individuals, such as fingerprints or facial recognition data.
  • Data operator: Any entity (individual or organisation) that processes personal data, determining the purposes and methods of processing.

Core principles of data protection

Each principle is listed with its description and examples of how it applies in practice.

  • Consent: Data processing generally requires the data subject’s informed, specific, and documented consent. Exceptions include legal obligations or public functions. Examples: a website obtaining user consent before collecting email addresses for newsletters; a hospital obtaining explicit consent before processing health data.
  • Data minimisation: Only data necessary for the stated purpose should be collected and processed. Examples: an online store collecting only the billing address and payment details, not unrelated personal information; a recruitment agency collecting only relevant employment history, not unrelated personal details.
  • Accuracy: Data must be accurate and updated as necessary. Examples: a bank regularly updating customer contact details to ensure accurate communication; an e-commerce platform allowing users to correct their delivery address.
  • Storage limitation: Data should not be retained longer than necessary for its intended purpose. Examples: a company deleting job applicant data after the recruitment process is completed; a retailer purging customer purchase records after the warranty period expires.
  • Security: Data operators must implement technical and organisational measures to protect data from unauthorised access, loss, or destruction. Examples: encrypting sensitive customer data stored in databases; implementing access controls to restrict employee access to personal data.

Data localisation requirements

A key feature of Russian data protection law is the data localisation rule, introduced in 2015. It requires that personal data of Russian citizens be stored and processed on servers located within Russia.

Cross-border data transfers

Cross-border transfers are allowed if the receiving country provides adequate data protection, as determined by Roskomnadzor. Transfers to countries without adequate protection require explicit consent from the data subject or other legal grounds.

Rights of data subjects

  1. Right to access: Individuals can request information about how their data is processed.
  2. Right to rectification: Individuals can demand corrections to inaccurate or incomplete data.
  3. Right to erasure: Individuals can request the deletion of their data when it is no longer necessary for its intended purpose.
  4. Right to object: Individuals can object to data processing, particularly for direct marketing purposes.
  5. Right to withdraw consent: Consent can be revoked at any time, requiring the operator to cease processing.

Obligations of data operators

  • Notification: Data operators must notify Roskomnadzor before processing personal data, unless exempt.
  • Appointment of a data protection officer (DPO): Legal entities must appoint a DPO to oversee compliance.
  • Security measures: Operators must implement measures such as encryption, access controls, and regular audits.
  • Breach notification: In case of a data breach, operators must notify Roskomnadzor within 24 hours and affected individuals without undue delay.

Recent amendments to the law on personal data

Since its adoption, the Federal Law No. 152-FZ on Personal Data has been amended on numerous occasions to introduce new data localisation requirements and clarify the rules on consent. The most recent significant update is the Federal Law of July 14, 2022 No. 266-FZ on Amending the Federal Law on Personal Data (commonly referred to as the Amendment Law). This law imposes stricter obligations on both domestic and foreign data operators, particularly in terms of:

  1. Interaction with data subjects: Enhanced requirements for transparency and communication.
  2. Engagement with processors: Clearer rules on accountability and contractual obligations.
  3. Compliance demonstration: Operators must now provide more robust evidence of compliance, especially in cases involving cross-border data transfers.

The majority of the Amendment Law’s provisions came into effect on 1 September 2022, with the remaining provisions taking effect on 1 March 2023.

Enforcement and sanctions by Roskomnadzor

Roskomnadzor actively enforces data protection laws through regular inspections, issuing orders, and imposing sanctions for non-compliance. Recent enforcement actions have focused on:

  • Data localisation violations: Ensuring personal data of Russian citizens is stored within Russia.
  • Breach notifications: Timely reporting of data breaches to both Roskomnadzor and affected individuals.
  • Cross-border transfers: Compliance with restrictions on transferring data to countries without adequate data protection.

Penalties for non-compliance can include fines ranging from ₽60,000 to ₽18,000,000, depending on the severity of the violation. Repeated offences may result in higher fines, website blocking, or other operational restrictions.

Challenges for international businesses

Russia’s data protection laws, particularly the Federal Law No. 152-FZ on Personal Data, present unique challenges for international businesses. These challenges stem from strict regulatory requirements, enforcement practices, and the complexities of operating across multiple jurisdictions. Below is an expanded overview of the key challenges:

1. Data localisation requirements

Challenge: The data localisation rule mandates that personal data of Russian citizens must be stored and processed on servers physically located within Russia. This requirement applies to both domestic and foreign companies operating in Russia.

Implications for businesses:

  • Infrastructure costs: Companies must invest in local data storage infrastructure or partner with Russian-based data centres.
  • Operational complexity: Managing data across multiple jurisdictions while ensuring compliance with local laws can be logistically challenging.
  • Cross-border transfers: While cross-border transfers are allowed, they are subject to strict conditions, such as ensuring the receiving country provides adequate data protection.

Example: A multinational e-commerce platform must store customer data (e.g., names, addresses, and payment details) of Russian users on servers within Russia, while also complying with data protection laws in other countries where it operates.

2. Dual compliance with Russian and international laws

Challenge: International businesses must comply with both Russian data protection laws and international regulations, such as the General Data Protection Regulation (GDPR) in the European Union.

Implications for businesses:

  • Conflicting requirements: Russian laws and international regulations may have differing requirements, such as data localisation versus free data flow under the GDPR.
  • Increased administrative burden: Businesses must develop separate compliance frameworks for each jurisdiction, increasing operational complexity.
  • Legal risks: Non-compliance with either set of regulations can result in significant fines and reputational damage.

Example: A global social media platform must ensure that its data processing practices comply with Russia’s data localisation rules while also adhering to the GDPR’s principles of data minimisation and user consent.

3. Strict enforcement and penalties

Challenge: Roskomnadzor, Russia’s data protection authority, actively enforces compliance through regular inspections, audits, and penalties.

Implications for businesses:

  • Frequent inspections: Companies may face unannounced audits, requiring them to maintain up-to-date records and documentation at all times.
  • Heavy fines: Penalties for non-compliance can range from ₽60,000 to ₽18,000,000, depending on the severity of the violation.
  • Operational disruptions: Repeated violations can lead to website blocking or suspension of services in Russia.

Example: A foreign cloud service provider failing to localise Russian users’ data could face fines, operational restrictions, and reputational damage.

How ITLawCo can help

ITLawCo offers tailored services to help businesses navigate the evolving landscape of Russian data protection laws. Our expertise includes:

  1. Compliance audits: Assessing your current practices to identify and address gaps.
  2. Policy updates: Drafting or revising privacy policies and data processing agreements to align with the latest amendments.
  3. Cross-border transfer support: Ensuring compliance with localisation and transfer requirements.
  4. Breach response: Assisting with breach notifications and regulatory communications.
  5. Training programmes: Educating your team on the latest legal requirements and best practices.

By partnering with ITLawCo, businesses can stay ahead of regulatory changes, mitigate risks, and avoid costly penalties. For more information, contact us today.