8 September 2016
The Russian data protection authority (‘Roskomnadzor’) announced, on 1 September 2016, the results of its supervisory activities (‘the Results’) one year on from the implementation of Federal Law No. 242-FZ (‘the Localisation Law’). In particular, the Results highlight that between 1 September 2015 and 29 August 2016, the Roskomnadzor found 23 violations of the Localisation Law, during the course of regulatory audits, amounting to approximately 1.3% of the overall number of data protection violations recorded.
Sergei Volfson, Partner at Jones Day, told DataGuidance, “Such Results are not surprising. According to Roskomnadzor’s original plan of audits and inquiries for 2016, they were focusing on relatively isolated industry sectors. [The] vast majority of these audited businesses are local Russian-registered companies having no substantive international impact. Furthermore, it appears that Roskomnadzor decided not to audit IT businesses in 2016, probably because overall complexity and multinational exposure of major IT businesses working in Russia could be somewhat beyond the reach of Roskomnadzor’s actual resources and the current level of expertise.”
In the opinion of Roskomnadzor, the amount of such violations is insignificant.
Edward Bekeschenko, Partner at Baker & McKenzie, added, “It should also be noted that the schedule of audits included no more than 20-30 international companies, while the majority of companies were Russian, some of which also reportedly conducted such violations. In the opinion of Roskomnadzor, the amount of such violations is insignificant.”
The implementation of the Localisation Law was brought forward by one year from its original date, which was 1 September 2016, following the passage of Federal Law No. 526-FZ. Other jurisdictions, which have taken steps towards data localisation, include, the People’s Republic of China, Indonesia, Malaysia and Vietnam.
Anastasia Zagorodnaya, Of Counsel at Dentons, concluded, “It is rather difficult to make any conclusion from the global point of view, international companies involved in processing of big volumes of data in various jurisdictions are facing the challenge of having to consider local laws irrespective of their legal presence in the country and bearing respective costs. As a practical effect we may see part of those costs transferred to consumers in one form or another.”
Felicity Turton | Privacy Analyst