Safe Harbor and the Russian law on storage of personal information

The Safe Harbor agreement between the EU and the USA that previously served as the legal basis for transferring the data of European citizens to the USA has been struck down. The EU data protection authorities must now consider how such transfers can be regulated in future.

While the EU data protection authorities were discussing how the European Court of Justice's Safe Harbor judgement could be implemented, Russia went its own way with a new law. As of 1st September 2015, it bans the storage of personal data about Russian citizens on servers abroad.

The Russian approach is especially interesting in this respect. Although several countries such as China, India, Indonesia, Canada and Australia already prohibit the storage of specific categories of data abroad, Russia is the first country to introduce such a requirement for all personal data.

Personal data about Russian citizens must be kept in Russia

The new law, which combines and modifies two laws from 2006, leaves the central term "personal data" only loosely defined and therefore gives the authorities a lot of room for interpretation. It covers "all information that directly or indirectly relates to a specific or identifiable person" and allows that person to be identified, for example name, date of birth, passport number, home address and phone number. It is unclear, however, whether email addresses are included.

Since 1st September 2015, all companies that operate in Russia must store personal data about Russian citizens in data centers within Russia. The server locations must be reported to the telecommunications and media supervisory authority Roskomnadzor (RKN). Transferring data abroad is still permitted if, for example, it is necessary for the conclusion, execution or fulfilment of a contract.

Non-compliance in Russia is subject to heavy fines

What penalties do companies face for not complying with the legal requirements? If data is found to have been transferred abroad illegally, fines of up to 5,000 Euro can be levied and the company's websites can be blocked. Companies that repeatedly violate their obligations are entered in a special register kept by RKN.

Although the Communication Ministry and the supervisory authority RKN have published explanations on their websites, many ambiguities remain about how the regulations should be implemented. Nevertheless, most companies have brought personal data about Russian citizens back to Russia, either by renting servers in Russian data centers or by building their own.

In doing so, many companies have found that migrating data from abroad to Russia involves considerable technical and financial costs. Although the Russian IT sector has developed strongly, it still lags well behind western standards in terms of quality and service.

Can the new law guarantee effective data protection?

The law has yet to prove its workability and effectiveness with respect to data protection. It contains too many legal ambiguities and, from an enforcement perspective, is not fully thought through. Nevertheless, many companies are cooperative and are now willing to store data about Russian customers on servers in Russia, as the law requires.

For all its practical shortcomings, however, the new Russian law, like the European Court of Justice's Safe Harbor judgement of 2015, marks the start of a new phase in the development of data protection and data security.

By establishing its own IT center in Russia, Mapp is one of the few ESPs in Europe that meets the requirement to store data about Russian Internet users within the country, and thereby fully complies with the legal requirements in force since September 2015.