The Russian Parliament has just passed new rules requiring personal data of Russians to be stored in Russia. This could mean that the big US IT vendors and other businesses that service Russian consumers will have to invest in local IT storage.
This is similar to the issue that businesses have had with some European countries in the wake of the Snowden revelations and the criticism of the US Safe Harbor by the European Parliament. Anastasia Amosova of Dentons St Petersburg office said that “the law was passed today in the second and third readings and will come into force in September 2016”.
The current Russian Data Protection Act has been force since 2006 and currently allows the export of personal data from Russia with, in general, the consent of the relevant individuals. Such consents must generally be in writing where the data is exported to “unsafe” jurisdictions. This would include the US and other countries which are have not signed up to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data 1981 (the original basis of European data protection law) or are not on Roskomnadzor’s list of “safe countries”. Roskomnadzor is the Russian data privacy regulator.
What does this mean?
This could have a huge impact on the numerous global businesses that have invested in and operate in Russia and is in striking contrast to the needs of the global digital economy and the assumed “norm” that personal data should be allowed to flow freely across international frontiers provided it is adequately protected by the recipient.