Penalties for violations of Data Localization Rules dramatically increased

Many companies have scrambled to comply with Russia's peculiar Data Localization Rules since their enactment in 2015. While these rules apply to a wide range of companies handling Russian personal data both in Russia and abroad, the penalties for non-compliance were traditionally limited to just blocking the data operator's websites. This somewhat abstract penalty, along with narrow enforcement efforts from Russian authorities, created a relatively low-risk environment. This has changed with the passage of much higher penalties, along with the extension of administrative liability not only to the data operators, but also to key executives of the companies.

While it is unclear whether these increased penalties signal greater enforcement zeal among Russian authorities, the stakes are significantly higher, so proper compliance with the Data Localization Rules is all the more important. We advise all data operators handling Russian personal data to review their compliance.

Data Localization Rules

The Data Localization Rules essentially require data operators handling Russian personal data to maintain their databases containing such data in Russia. Interpretations by the Russian data authorities (Minkomsvyaz and Roskomnadzor) further indicate a requirement that the initial database of Russian personal data must be in Russia (with the possibility of having copies in locations abroad). This is an oversimplification of the rule, so further consideration and advice are needed to understand compliance options.

The Data Localization Rules apply to all data operators who handle Russian personal data, including foreign data operators without any presence in Russia. The wording of the law is not precise, but the criteria used for asserting jurisdiction over foreign data operators usually focus on how the data operators' websites are presented; specifically, whether the website is particularly focused on Russia or Russians. Again, this is an oversimplification, and further consideration and advice are needed to understand how this rule would apply in a particular case.

Penalties for violations

The original penalty for a violation of the Data Localization Rules was the possibility of blocking the data operator's website processing Russian personal data. There were no financial penalties and liability was limited only to the data operator (almost always a company). The new penalties, however, feature significant financial penalties and extend liability to executives of the data operator in violation of the rules.

From December 2, 2019, administrative penalties for non-compliance with the Data Localization Rules by a data operator range from RUB2 million to RUB6 million (currently approximately USD31,500 to USD94,200) for an initial violation; if the same violation is committed again, the fine can go up to RUB18 million (about USD280,000).

In addition to penalties for a data operator, sanctions for top executives of the violating companies (in practice, most likely the company general director, or CEO) have been introduced at between RUB100,000 and RUB200,000 (about USD1,560 to USD3,125) for an initial violation and between RUB500,000 and RUB800,000 (about USD7,800 to USD12,500) for repeated violations.

Interestingly, there was considerable discussion among officials and commentators indicating that many (notably including government officials) thought the proposed fines were too high, but the penalties were not reduced in the law as adopted. It is too early to tell whether this sentiment regarding the severity of the penalties will affect penalty levels imposed in cases of violation, but in any event, the consequences for violations of the Data Localization Rules have increased in severity and this highlights the importance of ensuring compliance with these rules.

Enforcement environment

The Russian government has thus far not engaged in widespread enforcement of the Data Localization Rules, but there have been efforts to compel compliance by high-profile global Internet platform operators such as Google, Facebook and Twitter. Most famously, in 2016 LinkedIn was blocked in Russia for a failure to comply with the Data Localization Rules. For the most part, however, these actions are the exception rather than the rule. While the Data Localization Rules technically apply to a very wide range of data operators, very few have been subject to enforcement actions so far.

Some commentators believe that the relatively lax enforcement approach taken thus far was because there were no financial penalties associated with violations and it simply was not worth the effort to seek enforcement. If this theory is correct, the new penalties might result in increased enforcement activity.

We do believe that the new penalties signal a deeper commitment from the Russian state to the enforcement of the Data Localization Rules and we advise all data operators processing Russian personal data to review their compliance. The stakes are now higher.