Making Sense of Russia’s Data Localization Law

By Conor McSweeney

 

Following Edward Snowden’s explosive revelations in June 2013 of the pervasive data collection methods of the United States National Security Agency, the Russian Federation moved quickly to implement new regulations on personal data collection to prevent foreign governments like the United States from accessing and collecting personal data of Russian citizens. The resulting legislation, passed into law and signed by President Vladimir Putin on July 21, 2014 as 242-FZ, requires all companies that collect personal data about Russian citizens to record and store that data in a physical location within Russian territory. The original timeline for implementation of the new regulations called for it to take effect on September 1, 2016, but a subsequent amendment, 526-FZ, signed on December 31, 2014, sped up the timeline and caused the regulation to go into effect a year earlier on September 1, 2015. Like most regulations in Russia, the legislative intent of the law is ambiguous enough that its true extent will only be realized through enforcement. This blog post will explore the initial guidance on the applicability and enforcement of the data localization law, critical interpretations and potential business ramifications of the law, and an analysis of the enforcement of the law against LinkedIn, the first major United States company to be blocked from the Russian internet under the law.

 

Applicability and Enforcement of the Russian Data Localization Law

The Ministry of Mass Communications and Telecom (“Minsviaz”) is the Russian Ministry responsible for issuing regulations and guidance on 526-FZ, and the Federal Service for Supervision of Communications, Information Technology and Mass Media (“Roskomnadzor”) is its enforcement arm, charged with ensuring compliance with the law. Initial guidance provided by Minsviaz clarified that the data localization law applied to all Russian companies, all foreign companies with an official branch or office located in Russia, and all foreign companies that conduct business with Russian citizens and target Russian consumers, as may be evidenced through a Russian-language website, Russian internet domain, or transactions conducted in Russian Rubles for currency. If a foreign company either has a branch in Russia or targets the Russian market for commercial opportunities, then it is required to comply with the data localization law by storing the personal data it receives of Russian citizens locally in Russia. However, as long as the foreign company initially collects and stores the personal data within Russian territory, that company is allowed to access the data remotely from outside Russia, and may also transfer the data outside of Russia to a secondary location for disaster recovery and continuity purposes.

Roskomnadzor is given broad power to investigate potential violations of the data localization law and may bring court action against a company to block access to its website if it is found to be noncompliant. At the outset of the rushed implementation of the law, Roskomnadzor acknowledged that it would need to give foreign companies time to review the regulations and bring themselves into compliance. Major United States technology companies like Facebook, Google, and Twitter were specifically informed that they would not be investigated right away because of the complicated nature of their web infrastructure. In addition to shutting off Russian access to a foreign company’s website, Roskomnadzor also has the power to levy fines against companies that fail to comply with the data localization law. The penalties were intentionally kept very low so as not to discourage foreign business expansion in Russia, but it is a distinct possibility that further amendments to the law will increase the potential fines if Russia notices a pattern of noncompliance.

 

Critical Interpretations and Business Ramifications

The strongest critical argument against Russia’s data localization law is that it could make it easier for the Russian government to censor and control its citizens’ use of the internet. In fact, the Russian government admitted that one of its motivations in enacting the legislation was to improve its federal security service’s access to the personal data of Russian citizens under the guise of aiding criminal and terrorism investigations. When considering the wave of protests and organizing on display in Russia during the 2012 elections, largely due to the impact of social media, the critics are right to be concerned. The next presidential elections are around the corner in March 2018 and implementation of this new data localization law could be a back-door for the Russian government to spy on the social media accounts of the political opposition. It will be important for pro-democracy advocates around the world to monitor abuses of the data localization law by the Russian authorities and condemn any actions by the Russian government where it purposefully invades the privacy of its citizens.

Aside from domestic snooping concerns, the data localization law also has the potential to have significant ramifications on foreign business conducted in Russia. To start, complying with any business regulation is financially burdensome, but the data localization law requires foreign businesses operating in Russia, or doing business with Russian consumers, to install data centers in Russia to collect and store the personal data of Russian citizens. This is an expensive proposition and may lead foreign businesses to ultimately decide against expanding into the Russian marketplace. There is an alternative argument emanating from Russia that this law will encourage expansion into the Russian market by causing big firms to establish a permanent Russian presence where previously they may have only dipped their toe in the water. Indeed, Russia would be an enticing market opportunity for foreign investment if it were a more stable environment due to its population of almost 150 million people that has been historically underserved by United States and Western European businesses. However, 526-FZ will likely deter foreign investment because it increases the already high initial investment cost to break into the market and entails regulatory uncertainty with respect to how the government will police the law. In addition, foreign companies must factor in the potential public relations cost to their brand if the Russian government uses this law to crack down on its citizens and they are accused of aiding that behavior.

 

Analysis of Enforcement Against LinkedIn

Over a year after the law went into effect, Roskomnadzor won a court case in Russia against LinkedIn in November 2016 for its violation of the data storage requirements of the law. Within twenty-four hours of the judicial decision, LinkedIn’s website was blocked from being accessed by Russian citizens located within Russian territory and taken down by Russian internet service providers. LinkedIn was the first major United States internet company to have enforcement action taken against it for noncompliance. Roskomnadzor made clear throughout the legal process, even after obtaining a successful ruling against LinkedIn, that it would be willing to unblock the website as soon as LinkedIn moved Russian citizens’ data into storage on Russian territory. LinkedIn met with the regulator a month later to continue their dialogue, but there have been no further updates since that meeting, and LinkedIn’s status remains in limbo. By January 2017, Roskomnadzor forced both Google and Apple to remove the LinkedIn application from their online stores so that Russian citizens could no longer download the application while the website is blocked.

It is unclear how much effort and financial resources LinkedIn expended in attempting to comply with the law and fight the court case, but the result will no doubt make other companies think twice before establishing a presence in Russia. LinkedIn, now owned by Microsoft, has widespread global brand recognition and before being blocked had millions of Russian users on the platform. By taking legal action against LinkedIn and blocking access to its website, the Russian government is sending a strong message to the foreign business community that the transition period is over and it now expects all foreign companies to be in full compliance with the law. Foreign businesses that made their initial investments in opening Russian offices might now be considering shuttering them if they are not experiencing substantial returns on their investments, for fear that they could be shut down by Roskomnadzor at a moment’s notice.

Russia could be isolating itself even further from the rest of the world because companies will not want to enter an unstable marketplace with these burdensome regulatory hurdles. It is curious timing for Russia to take this action against LinkedIn in November 2016, when following the election of Donald Trump as President of the United States, it appeared relations between the two countries may be on the mend. Under a Trump presidency, Russia appeared to be a market ripe for United States business investment, but the difficulties of complying with the data localization law learned from LinkedIn’s experience will be cause for concern for any company looking to do business in Russia, no matter who occupies the White House. Russia has certainly set a new tone through its enforcement action against LinkedIn and it will be interesting to watch how United States and other foreign businesses fare under the law over the next few years.

 

Student Bio: Conor is a Staff Member of the Journal of High Technology Law. He is currently a third-year evening student at Suffolk University Law School and works full time in the corporate legal department of a cloud technology company. He possesses a B.A. in Political Science from Siena College with a minor in English.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.
