Russia Clarifies Looming Data Localization Law


By Sergei Blagov

Aug. 5 — The Russian government Aug. 3 for the first time issued a detailed clarification of the country's new data localization requirements, less than a month before they are set to take effect.

The Ministry of Communications and Mass Media (Minkomsvyaz) moved to clarify data localization requirements (Federal Law No. 242-FZ) that will take effect Sept. 1. The law, which President Vladimir Putin signed in July 2014, will require data operators to store all personal data of citizens of the Russian Federation in databases located inside Russia.

The clarification aims to “minimize tensions” caused by the enactment of Federal Law No. 242-FZ, the ministry said.

In a July 14 statement, the presidential press service quoted President Vladimir Putin as pledging to discuss with cabinet ministers a possible move of the data localization deadline from Sept. 1 to a later date. The deadline has already been moved once, from Sept. 1, 2016, to Sept. 1, 2015.

The data localization guidelines issued by Minkomsvyaz came as an unusual development. Previously, data localization guidance was issued by the Federal Service for Oversight of Communications, Information Technology and Mass Media, also known under its Russian acronym Roscomnadzor, the agency in charge of data protection and data localization matters.

No Retroactive Effect

If Internet sites can be accessed in the Russian Federation, it doesn't automatically mean that data localization requirements apply to these websites, the clarification said. However, the Russian legislative requirements can apply to foreign entities, including websites, as long as the business activities of the entities are oriented towards Russia's audience, it said.

The ministry also noted the following criteria for Russia-oriented online business activities: the use of specific domain names such as .ru, .su, .moscow, etc.; the availability of the Russian-language version of a website; the presence of Russian-language ads; and an ability to carry out online transactions in Russian rubles.

Provisions of the Federal Law No. 242-FZ can't be interpreted as retroactively effective, the ministry said. Personal data of Russian citizens collected before Sept. 1, 2015, can remain in databases in foreign jurisdictions as long as the data remains unchanged, it said. However, if these databases are updated and changed after Sept. 1, 2015, then these databases become subject to data localization requirements, according to the clarification.

Deliberate Activities

The new data localization requirements will only apply to deliberate activities to collect personal data, the ministry said. If a business makes the contact details of employees available to another business as a part of legitimate business activity, it can't be regarded as personal data collection, the ministry said.

The provisions of Federal Law No. 242-FZ won't apply to cross-border data transfers as long as the personal data is first collected in Russia (in primary databases) and only then transferred to other jurisdictions (secondary databases), the clarification said.

The law won't restrict remote access to databases in Russia, the clarification said. The ministry also said an employer will be able to transfer the personal data of employees to foreign jurisdictions as long as these transfers meet Russian data protection requirements.

Federal Law No. 242-FZ doesn't restrict the disclosure of personal data by Russian citizens in order to use cross-border services rendered by foreign entities, such as online booking, banking services or the online ordering of goods, the ministry said. The new data localization requirements also won't apply to non-resident entities and individuals located and operating outside Russia, it said.

However, even if data subjects consented to the processing of their personal data outside Russia, such consent won't provide data controllers with legal grounds for these activities, according to the clarification.

To contact the reporter on this story: Sergei Blagov in Moscow at

To contact the editor responsible for this story: Katie W. Johnson at

The ministry's clarification is available, in Russian, at

