Consequences of violation of the Personal Data Law
Russian Parliament is considering a draft law in the field of personal data that is under active discussion. Particularly, it establishes administrative liability on foreign companies for violation of obligation to store personal data of Russian citizens, using databases in Russia.
This requirement is called “localization” and affects mostly foreign companies operating in Russia. The legislator requires that collected data should be stored in Russia. Violation of this requirement leads to negative consequences, an example of which is the social network LinkedIn, which was blocked by Roskomnadzor in 2016. Recently, the court also imposed a fine for violating localization requirements on Facebook and Twitter. For now, fines for violation are insignificant, but in case of entering this law into force, they will be from 2 to 6 million Rubles and from 6 to 18 million Rubles for repeated violation.
The nature of localization requirement is that any company collecting personal data is required to store it, using local databases in Russia. It is notable that the requirements directly cover those companies that collect data, and not those that receives it from the third parties.
Currently, requirement for total localization is being actively discussed by international community. On the one hand, fulfillment of the requirement to store personal data in Russia will increase expenses of foreign companies. On the other hand, adoption of this law will significantly improve safety in storage of Russian citizens’ personal data.