In September 2015 Russia passed a new data localization law (Federal Data Localization Law No. 526-FZ). The new law requires all businesses that collect personal data on Russian citizens to “record, systematize, accumulate, store, update, change, and retrieve that information” on databases within the Russian Federation.
Personal data, as defined by Russian law, is: “any information pertaining to a particular or identifiable, on the basis of such information, natural individual (the personal data subject), including his surname, first name, patronymic, year, month, date and place of birth, address, marital, social, property status, education, profession, income, other information.”
This new law, although it seems specifically aimed at companies with a large online presence, will nonetheless create some burdensome challenges for many companies handling personal data pertaining to Russian citizens. At this point, however, there does seem to be some leeway: the new law does not explicitly prohibit storing a copy of such personal information on systems located outside of Russia, as long as a copy is also stored on databases within the Russian Federation. Yet if a record containing personal data on a Russian citizen is to be stored outside of the Russian Federation, then (under current Russian Personal Data laws) permission for cross-border transfer must be obtained from the data subject.
Beginning in January 2016 the Russian Data Protection Authority (Roskomnadzor) announced they would proceed with compliance audits involving some multinational companies to find out whether they are meeting the data localization law strictures. In 2015 Roskomnadzor audited over 300 companies, finding fewer than 5 with violations of the law. To date, Russian authorities have agreed to avoid using compliance audits to shut down foreign company operations in Russia; instead, they want to use the audits to help bring companies in line with the new data regulations.