Legal overviews
To localize or not to localize
- Authors: Antonina Shishanova, Vadim Kovalyov
- Service: Data Protection
- Date: 21.09.2023
Last week, the Tver District Court in Moscow slapped a fine on Twitch in the amount of 13 million rubles for repeatedly refusing to fulfill the localization requirements for personal data of Russian citizens. Tinder met a similar fate when the court fined it 10 million rubles.
Earlier, the court had already fined the owners of these services (US companies Twitch Interactive and Match Group) for refusing to localize Russians’ personal data. In June of 2022, however, the punishment for the violators was relatively “soft” – an administrative fine of 2 million rubles.
What’s interesting is that these services have ceased their activity in Russia – Twitch stopped paying Russian streamers last year, and Tinder completed their exit from the Russian market at the end of June this year. So the companies that were fined do not have a presence in Russia, and the prospects of these court decisions being enforced and actual administrative fines being collected are not so great.
However, what these cases do demonstrate is that the trend toward stricter control and liability for personal data violations continues.
We have once again summed up the localization requirements for personal data in Russia, who is subject to these requirements and how this relates to the requirements for cross-border transfer of personal data.
1. WHAT IS LOCALIZATION OF PERSONAL DATA?
Under Clause 5 Article 18 of the Federal Law “On personal data” (the “Personal Data Law”), when gathering personal data, the operator must ensure recording, accumulation and storage of Russian citizens’ personal data using databases located inside Russia.
A “database” can be any systemized body of data, from a paper card catalog to an Excel spreadsheet. The main thing is that the databases must physically be located in Russia.
As the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) has noted on various occasions, this measure makes it possible to ensure the needed level of protection for the personal data of Russian users.
That said, the law should be interpreted rather broadly:
- The rule applies to all operators – both Russian and foreign entities engaged in activity that targets the Russian territory (even without actual presence in Russia, as the many examples show, when LinkedIn, Twitter, Facebook, Tinder, Twitch and others were held liable);
- The law applies to all possible methods for collecting personal data, including through the use of the operator’s web site;
- If a personal data subject’s citizenship cannot be clearly established, the rule applies to everyone’s personal data collected in Russia (including on web sites that target Russian users).
2. WHO NEEDS TO FOLLOW THE LOCALIZATION RULE?
Based on the above, if a company collects personal data of Russian citizens or on Russian territory, it is automatically subject to the requirement on localizing databases in Russia.
Additionally, the Ministry of Digital Development, Communications and Mass Media clarified last year that localization of the database is required even in cases where, for example, a company uses a mail service whose server infrastructure is located abroad and that service can receive email containing personal data of Russian citizens.
The law provides a limited list of exceptions given in Clauses 2, 3, 4 and 8 Part 1 Article 6 of the Personal Data Law. The localization requirement does not apply to the following situations:
- personal data processing is needed for achieving the purposes of an international agreement to which Russia is a party or of the law;
- personal data processing is conducted as part of a court process;
- personal data processing is required for providing state or municipal services;
- personal data processing is required for the activity of a journalist, a mass media source or other scientific, literary or creative activity.
Therefore, these exceptions apply to a small circle of operators, and the majority must still comply with the requirement to localize databases in Russia.
3. WHAT DOES AN OPERATOR NEED TO DO TO FULFILL THE LOCALIZATION REQUIREMENT?
In order to make sure that a company complies with the personal data localization requirements, the following actions should be taken:
✓ Determine whether there will be collection and storage of personal data of Russian citizens (or collection of personal data in Russia in general) and whether such processing falls under any exceptions;
✓ Determine the best methods for the initial collection and storage of the personal data, subject to fulfilling the requirement to localize databases in Russia, for example:
- placing electronic databases on Russian servers (including in the cloud);
- storage of part of personal data in hardcopy form as a systemized compilation (card catalog) in Russia.
We recommend taking these measures first of all in relation to the operator’s web sites used to collect and perform other processing of Russian citizens’ personal data, since Roskomnadzor can reveal violations of the localization requirement through online monitoring.
✓ Subsequently, after the databases are initially placed on Russian territory, copying databases to foreign servers is allowed. You should keep in mind that if such data is transferred to foreign databases, the requirements concerning cross-border transfer of personal data must be observed.
Keep in mind that if Roskomnadzor conducts a check, the operator needs to prove that the initial placement of the database was on Russian territory.
Otherwise, if the authority reveals that the database was initially placed abroad, the operator could be held liable under Part 8 Article 13.11 of the Russian Code of Administrative Offences, and a fine of up to 6 million rubles (for legal entities) could be imposed on it.
A repeat violation of the requirement to localize personal data could entail an administrative fine of up to 18 million rubles for the operator (for legal entities).
4. LOCALIZATION VS CROSS-BORDER TRANSFER
The law allows for subsequent transfer of “localized” personal data of Russian citizens to foreign databases, given, of course, full compliance with the rules governing cross-border transfer of data which we wrote about earlier.
That said, if any changes or updates are made to a database which is copied to a foreign server (so-called secondary base), the changes should first be made to the Russian database (the initial base) and only then can the cross-border transfer to the secondary base be made.
Simultaneous updating of the databases, like direct changes to a secondary database, will be a violation of the personal data localization requirements.
The Capital Legal Service Team will be happy to assist you with fulfilling the legal requirements governing personal data processing and developing the needed documentation, as well as with auditing your business and determining the most effective ways to localize personal data.
This overview was prepared by Principal Associate of the Corporate practice at Capital Legal Services Vadim Kovalyov, Senior Associate of the IP practice Antonina Shishanova and Paralegal Marina Prygunova.