All You Need to Know About Data Localisation in Russia

For businesses worldwide, whether it is small or large, data holds much importance to drive efficiency. As more sectors rely heavily on real-time data to make a connection with its suppliers, securing that data is also vital. Many malicious actors are intentionally in searching of breaches if any error happens in the data flow. Now countries across the world even realize the significance of data, implementing several robust rules and regulations to protect their citizens’ privacy. Since data may contain records about a nation’s citizens or residents with personal or financial data, the introduction of data localisation goes a step further in requiring that initial collection, processing, and storage occur first within the national boundaries.

Russia is one of the countries that introduced its data localisation law in 2015 to help keep the data safe within the home soil from its adversaries. The law requires data operators to ensure that recording, systematisation, accumulation, storage, refinement and extraction of personal data of the country’s citizens is done using databases located in Russia.

Federal Law FZ-152, also known as the OPD Law or the On Personal Data law, has covered the country’s data protection since 27 July 2006. It contains similar provisions to those in the 1995 European Data Protection Directive and has been in effect since 26 January 2007. The law comprises a number of requirements for companies engaging in commercial activities across Russia by bringing administrative fences.

These blockades include a battery of requirements such as the consent requirement for data collection and transfer to third parties; that data is subject to the right to review or to be forgotten; an obligation for the data processor to notify both the data subject and the authorities in case of a data breach; and the obligation to appoint a data protection officer (DPO) when handling personal data.

Under Russia’s data localisation law, fines for first-time offences range from US$15,000 to US$100,000, with repeat violators liable for US$100,000 to US$300,000. The law also recognized administrative fines for repeat violations by search engines, audiovisual services and instant messaging providers. In this case, both legal entities and responsible managers are liable, with the latter potentially facing fines which range from US$1,600 to US$12,800.

According to the World Bank, the law is aimed at enabling a degree of control over transnational companies operating in Russia and assisting in the development of national players. In the country, revenue generated by digital platforms adds around 1 percent to the national GDP. There are major key players that already dominate their respective market segments include employment, tourism, construction, and health to e-commerce, social networking and others.

The introduction of data localisation law can also help Russia’s broader digital ambitions. As digitisation plays a vital role in making the economy digital, the country has set out many national development goals, with a 2024 deadline.

Furthermore, apart from Russia, countries including Vietnam, China, Indonesia and India have also introduced such data localization laws across all sectors of the economy.