Learning to live with Russian Federal Law 152: A guide for foreign companies in Russia
Olga Ermakova, Senior Legal and Compliance Officer, Linxdatacenter
The Russian market holds major potential for foreign companies. But because of myths about the market and inaccurate views of the risks involved, they often hesitate to develop their businesses here. In particular, they see compliance with local legislation on personal data – a challenge for any business concerned with reputation and future growth – as complicated and costly.
For foreign companies operating or considering operation in Russia, this article offers a brief guide to compliance with the regulations for Russian personal data protection. We hope it will remove some concerns about data processing in Russia and help businesses begin to live with Federal Law 152, the basis of data protection law in this country.
A bit of background
In addition to standard colocation solutions, nearly all commercial data centers offer their customers extensive connectivity. When a company places its IT infrastructure at a data center, it can access IT services from multiple operators all over the world. Synchronization across many systems of various technologies and standards is already complicated. Ensuring legal harmony adds another layer of complexity.
Although digital business began long ago to operate transborder and the number of companies working on the global scale continues to grow, the world is not yet a global village. This is largely because of differences in local legislation. Personal data protection is an area where significant differences demand close attention by outside companies entering the Russian market.
Russian Federal Law 152 (FL-152), various directives of the Russian government, and decrees of the regulators control the processing of the personal data of Russian citizens. In the European Union, the General Data Protection Regulation (GDPR) and local laws of the member countries play a similar role.
We predict that unification of the Russian FL-152 and the European GDPR (and eventually, similar legislation in other regions of the world) is only a matter of time. They already have some similarities but also important differences related to the ways the legislation and practice have developed.
Motivation by inspection and penalty
The penalties for failure to meet data protection requirements motivate companies to pay close attention to the regulations in Russia. The fine for the first violation ranges from $33,000 to $100,000, with repeat violations costing $100,000 to $300,000.
Inspections ensure that companies follow the rules. Since 2019, the inspection policies of Roskomnadzor (the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media) include the following:
Personal data operators receive three days’ notice before scheduled inspections and 24 hours’ notice before surprise inspections.
A scheduled inspection can last no longer than 20 days and a surprise inspection no longer than 10.
Legal entities and individual entrepreneurs will not be inspected for the first three years after their registration. This gives a newly founded company the time to ensure compliance of its processes and to prepare for inspections.
The frequency of inspections depends on what data is being processed and how. For most companies, inspections will happen only once every three years.
Companies working with special categories of data (such as biometrics) and operators transferring data to foreign states, companies, and citizens, can be inspected every two years.
A foreign company collecting data of Russian citizens in the territory of the Russian Federation (RF) has two ways to ensure data protection under the law:
Scenario No.1: A foreign company registers as a subsidiary firm, branch, or representative office in Russia.
In this case, the procedure is relatively simple. In fact, if the company complies with the GDPR in Europe, it is not difficult to adapt its processes to the FL-152. Both standards focus most of their requirements for business on organizational measures: policies, processes, and supporting documentation.
The only challenge is technical support for personal data protection: the infrastructure and encryption tools. A company must appoint an information-security specialist who will ensure technical compliance of the infrastructure with FL-152 directives.
This specialist must have training and experience in the application of certain guidelines of the Federal Service for Technical and Export Control of Russia (FSTEK) and Federal Security Service of Russia (FSB).
Because a company just entering the Russian market is unlikely to possess such expertise, it may need outside assistance. Local providers offer FL-152-compliance “turnkey” service and create secure zones for personal data processing on their own infrastructure.
Local infrastructure for processing the personal data of Russian citizens is a requirement. It is critically important for any foreign company processing personal data in Russia. Failure to take it into account presents a major risk.
Scenario No.2: A foreign company has no registered representation in Russia, but it processes personal data of Russian citizens.
In this situation, it is highly unlikely that Roskomnadzor will inspect the company’s business processes, but it can inquire about the location of its IT infrastructure and its policy on data processing. The company must be ready to provide the regulator with answers and related documents on request.
Even if they are not physically present in the country, companies doing business in Russia should not overlook Russian legal requirements. A failed inspection will cause the authorities to block Russian users from the digital resources and services of the company. This may have a strong impact on the business. The penalties for violation are also unpleasant, and the company’s reputation is likely to suffer because such stories always appear in the mass media.
What does FL-152 support look like?
So, what happens when a foreign company needing assistance with FL-152 compliance comes to a Russian service provider for help?
The first step is to decide whether the company needs a full FL-152 compliance service: a complete set of organizational measures. This would include analysis of business processes, preparation of internal documentation, training of personnel, etc. The service here is a made-to-measure project to meet the specific needs of the customer’s business.
Or the company may need only the technical solution: locating its infrastructure in the Russian Federation in line with the regulations. Technical compliance of the infrastructure usually means a standard, packaged solution offered by most large service providers. For each customer, the service provider creates a dedicated segment in its own IT infrastructure, within a secure network that meets the requirements of FSTEK and the FSB.
Where to begin?
A company must define in detail every stage of a personal data protection project, especially the first step, auditing. Here it lays the foundation for an effective future solution and assigns roles of the people who will be responsible for developing and maintaining it.
Later on, the company must ensure the continuity of personal data handling within its business processes. Any change in these processes – to the security protocols, access system, personnel structure, or software, among others – must include updating the related policies, processes, architecture, threat models, etc. It is vitally important to remember this.
When up and running, a foreign company can avoid unscheduled, surprise Roskomnadzor inspections by clearly and publicly posting its policy on personal data in Russian and English on its website. These policy statements must contain detailed descriptions of all scenarios for data processing: data of EU citizens processed according to the GDPR, data of RF citizens processed according to FL-152, etc.
If an inspection is inevitable, it is important to remember this: in all likelihood, only Roskomnadzor will do it, and the regulator’s attention will focus mostly on business processes and their documentation (a “documentary inspection”). The regulator will also be interested in the location of the infrastructure in the Russian Federation and its compliance with the law.
In theory, FSB and FSTEK may have questions regarding technical details of personal data processing and security systems, but it is not likely. Even if they do, there is no reason for concern because providers create a detailed and transparent description of the final architecture of the IT infrastructure (including documents, diagrams, certificates).
Service providers perform their services in the strictest compliance with their licenses. Otherwise they risk drawing the attention of the supervising authorities to their own processes.
FL-152 advantages over GDPR?
Any European company will inevitably consider the effort necessary to ensure compliance with the GDPR in Europe and the FL-152 in Russia. If we analyze the benefits and shortcomings of current personal data legislation in the EU and in the RF, we notice certain advantages of Russian law.
The FL-152 says “meet these requirements by undertaking these specific steps”. The GDPR says “achieve this result” (protection of individuals’ rights to their personal data).
On one hand, the European approach gives the company more freedom. On the other, the absence of a clear, step-by-step manual increases the company’s responsibility and its risk of failure.
In our view, it is easier to ensure FL-152 compliance: we see the laws, decrees, and instructions as a toolkit or template that a company can use to ensure compliance.
The GDPR offers no such kit. The key is the end goal: protection of the individuals’ rights. The impact of company policy on these rights shows the effectiveness of its approach, and the inspector decides whether the company meets the requirements.
So, the GDPR approach is far more difficult. With no templates, it takes more effort and a deeper understanding of tasks and processes to ensure compliance.
Fines for violation in Russia have increased but remain lower than in Europe: the GDPR demands much stricter punishment for potential leaks of personal data. Look, for example, at the operator of a legal-news website that was penalized €15,000 because its privacy statement was only available in English, though it also addressed Dutch- and French-speaking audiences. To make matters worse, the first version of its privacy statement was not easy to find and did not mention the legal basis for data processing under the GDPR.
In another example, the regulator fined German company Deutsche Wohnen SE €14.5 million for archiving customers’ personal data without asking their permission and for failing to provide an option to remove data that was no longer needed.
GDPR and FL-152 in the future
Of course, we may need to return to this discussion. GDPR norms may yet become part of RF law as Russia joins the updated Council of Europe Convention for the Protection of Individuals with regard to automatic processing of personal data.* This convention is the main international agreement on personal data protection and the basis for local legislation in this area. The updated version includes the GDPR approach. We expect that it will eventually bring the FL-152 closer to European norms.
We hope Russian businesses observe the changes in data processing worldwide and see areas for improvement of their own processes.
Compliance with Russian personal data law requires careful study and preparation, but it is an attainable goal. The expectations of the Russian authorities are understandable and reasonable.
Nevertheless, meeting them does demand effort and experience. For a company aiming to use its time and financial resources efficiently, the best approach is to find a reliable local partner with expertise in the field.
*Updated with the Protocol CETS No. 223 dated 18th May 2018, a week prior to the GDPR coming into effect.
Olga Ermakova is the Senior Legal and Compliance Officer at Linxdatacenter. Her work experience of more than 15 years includes comprehensive legal practice in consulting and IT solutions. A graduate of the legal faculty of the St. Petersburg State University, she is certified as a GDPR Data Privacy Professional (GDPR DPP) and holds an ICA Certificate in Compliance.
Olga’s professional achievements at Linxdatacenter include involvement in the creation of its personal data protection system, support for the licensing process for information security (FSTEK, FSB), staff training on personal data processing, and construction of the compliance management system.