152-FZ Requirements – Does Your Company Need to Comply with Them?
After the introduction of Russia's Law on Personal Data, Federal Law No. 152-FZ, foreign companies operating on the Russian market were forced to take measures to comply with the law in order to avoid the risk of fines. The widespread adoption of cloud services, from software to storage systems, has created additional compliance problems: cloud service providers (CSPs) must also comply with the requirements of the law if they are to store customers' data in the cloud.
We recommend that all data operators handling Russian personal data review their compliance. In this article, we explain why it is important, especially for companies entering the Russian market.
What is the main purpose of the law?
Federal Law 152-FZ "On Personal Data" strengthens citizens' privacy. Under the law, all personal information received by companies, banks, social networks, online stores, etc. from employees and customers must be carefully stored. Unlawful transfer of personal data to third parties is subject to administrative and criminal liability. In addition, the operator must appoint an authorized person who is responsible for receiving personal data, organizing its processing and ensuring its safety.
The Law defines personal data as any information directly or indirectly related to an identified or identifiable individual (the subject of the personal data).
Data operators can collect personal data only with the consent of the PD subject. Verbal consent is often not sufficient: it is better to obtain a signed consent form or, for a website, to provide a checkbox that the user must tick to consent to the processing of the personal data being transferred.
The law also requires that personal data be used only for the specific purpose for which it was collected.
Businesses must take all necessary measures to protect personal data and must be transparent with citizens about how the collected data is used. Citizens may request to see what data an organization holds about them and may request its deletion at any time.
Why is it important?
The most obvious impact of 152-FZ on foreign companies is data localization. The Data Localization Rules require that all data operators handling personal data of Russian nationals record, store and update such data using databases located in Russia.
This requirement affects international companies because almost all of their internal software (CRM, accounting systems, HR systems, etc.) is global and is often hosted abroad. It also matters for foreign web services that have not localized their systems (such as Twitter and Facebook), and for developers of web services who originally chose to host their systems in their home countries even though they target a Russian audience.
For failure to comply with the localization requirements, or with other requirements of Russian personal data legislation, Roskomnadzor can block websites or restrict the processing of personal data in non-localized databases. This is set out in Article 23, paragraph 4 of the Federal Law "On Personal Data". The regulator can verify localization through on-site inspections that establish where the database containing the personal data of Russians is physically located.
Besides blocking the website of a data operator handling Russian personal data, there are financial penalties. Administrative fines for non-compliance with the Data Localization Rules by a data operator range from ₽2 million to ₽6 million (currently approximately US $27,000 to US $80,000) for an initial violation; for a repeated violation the fine can reach ₽18 million (about US $240,000).
The amendments also introduced penalties for top executives (the General Director or CEO): for an initial violation, between ₽100,000 and ₽200,000 (about US $1,560 to US $3,125), and for repeated violations, between ₽500,000 and ₽800,000 (about US $7,800 to US $12,500).
It is worth noting that if a foreign organization's activity is directed at Russian residents, the localization requirement is not the only one that applies to it. Other obligations include notifying the authorized body (Roskomnadzor) of personal data processing, publishing a document defining the operator's policy on personal data processing, appointing a person responsible for organizing the processing of personal data, and so on.
Recommendations for foreign companies
To avoid fines and the risk of having your Internet resources blocked in Russia, first evaluate whether your company's activity would be regarded as directed at Russian residents. If there are factors indicating that it is, you should not only localize the databases containing personal data of Russian nationals but also comply with the other requirements of the personal data legislation, and be prepared to cooperate effectively with Roskomnadzor.
LinkedIn refused to store the personal data of Russian users within Russia's borders and was blocked in 2016. The case illustrates the potential consequences for foreign companies that do not comply with Russian legislation.