Multinationals to Meet Russia Data Localization Rules

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Sergei Blagov

Sept. 2 — Many multinational businesses have pledged to comply with new Russian data localization rules that took effect Sept. 1, the head of Russia's data protection regulator said in remarks released Sept. 2.

The data localization law (Federal Law No. 242-FZ ), which President Vladimir Putin signed into law in July 2014, requires data operators to store all personal data of citizens of the Russian Federation in databases located inside Russia.

Alexander Zharov, head of the Federal Service for Oversight of Communications, Information Technology and Mass Media, also known under its Russian acronym Roscomnadzor, said that Samsung, Lenovo Group Ltd., AliExpress,, PayPal, eBay Inc., Uber Technologies Inc. and Citibank agreed to meet the data localization requirements.

He dismissed earlier media reports that Facebook Inc. and Twitter Inc. refused to meet these requirements. Zharov said the agency was still waiting for official responses from these companies.

Zharov also reiterated that the data localization requirements wouldn't be amended, at least for now.

Upcoming Compliance Audits 

Roscomnadzor plans to carry out 90 compliance audits in September and 317 before the end of 2015, Zharov said. Roscomnadzor auditors would request that a company disclose an agreement with a Russian data center, or documents confirming that the company has an in-house data center, he said.

None of the major social media entities are included on the list of businesses to be subject to the planned audits, according to Zharov. However, businesses can also be subject to unplanned audits following complaints from data subjects, he said.

Cross-Border Transfers

The new law doesn't limit cross-border transfers of personal data, but the data must be collected in Russia and transferred from servers located in Russia, Zharov said.

For example, was among the first businesses pledging to comply with the new requirements by storing personal data in Russia, transferring it to foreign jurisdictions for booking purposes and deleting the personal data from servers outside Russia upon the end of a data subject's trip, he said.

In August, Roscomnadzor had talks with Facebook executives on data localization, including complying with the new requirements of the Russian legislation.

To contact the reporter on this story: Sergei Blagov in Moscow at

To contact the editor responsible for this story: Katie W. Johnson at

The full text of Zharov's remarks is available, in Russian, at


Request Bloomberg Law: Privacy & Data Security