Russia governs personal data of its residents based on a generally applicable law. As a federal country, Russia has rules below the federal law, but they conform to standards set by statute throughout the nation. Though not as comprehensive as Europe’s broadly extensive General Data Protection Regulation (GDPR), Russia’s statute aims to protect the personal data of Russians similar to the GDPR’s approach. Concepts of consent of persons to use their data, privacy by design, data minimization, cybersecurity minimum standards and other principles are augmented by a data localization focus different from the GDPR.
Stanislav Rumyantsev, a leading data privacy and protection attorney at the firm of Gorodisskiy & Partners, provides in a podcast recorded today on the Data Privacy Detective an excellent summary of Russian data privacy principles, with a focus on how they affect global business. Businesses with Russian employees, customers, business chain partners and other personal interactions should consider the following points:
First, check whether Russian data law applies. Simply having a website does not subject a business to Russian law. Because Russia is an international language used in many countries, even having Russian as a website language does not automatically mean that a website must comply with Russian data protection rules. However, if a business deals with Russian customers or others in a manner that gathers and processes personal data, especially sensitive information such as medical or financial details, the business may well require Russian compliance.
Second, if a global business establishes a Russian branch or subsidiary, that legal entity will of course be subject to Russian data protection rules. This will allow the parent company to rely on its Russian branch or subsidiary to localize and address compliance.
Third, for non-Russian businesses that do not have a Russian entity, they have several ways to comply with Russian data protection rules. They must allow Russian personal data to be gathered and processed by a Russia located “database.” This database can ensure compliance with Russian personal data laws, and then essential information can be transmitted properly by the database to a non-Russian company destination that needs the information (after deletion of information not needed by the non-Russian enterprise).
Russia’s data localization approach is not unique to the Russian Federation. It’s working in practice to allow a robust flow of commerce across borders while working to ensure that Russian residents’ personal data are protected according to Russian standards. While this increases compliance cost, it need not constitute a significant barrier to commerce or be viewed as an unfair trade practice.
Stanislav Rumyantsev can be contacted at RumyantsevS@gorodissky.ru. Gorodissky & Partners is a major Russian intellectual property firm with offices across Russia and also in Kiev, Ukraine. www.gorodissky.com.