Playing russian roulette with employee data?

by Sascha Schneider CIPP/E

Nine months after Russia’s new data localization law came into effect you may be one of many HR professionals concerned by the lack of clarity of Russia’s Federal Law No. 242-FZ. Let us help you refresh your memory with this blog post.Here’s a quick reminder: under the law, introduced on 1 September 2015, any company that processes the personal data of any Russian citizen, can only do so in data centers that are located within the Russian Federation.

Growing trend towards data localization

The Russian Data Localization Law is one of a number of emerging mandates for data localization, the EU Data Retention Directive (ruled invalid by the EU Court of Justice), and Australia’s Electronic Health Records storage rulings being recent examples.

All of these regulations have put up barriers to the free flow of information across borders, driven by concerns around security, privacy, surveillance and law enforcement.

Remind me: what’s in there?

The scope of Russia’s data protection law is not tightly defined. It applies to “any information, directly or indirectly that relates to any identified or identifiable Russian person’.

To add to this, ‘operators’ are any person processing personal data in any form; organizing and/or carrying out the processing of personal information, and/or determining the purposes, content, and actions of personal data processing.

Here’s the rub: the law requires these ‘operators’ to store the data they process in a primary data center in Russia. This is where things get complex for global employers running cloud systems or working with outsourced providers, as this means data of Russian employees must be stored in a data center in Russia.

Still confused?!

The exact wording from the law is to:

“Ensure recording, systematization, accumulation, storage, change and extraction of personal data of Russian citizens with the use of data centers located in the territory of the Russian Federation in the course of collection of relevant personal data of individuals, including via the Internet”.

  • Personal Data: for example name, email address, physical address, phone number, IP address, or national identification number
  • Who: any business with websites or mobile apps that collect and/or store personal information of Russian citizens

Who controls the law?

The Russian Data Protection Authority (Roskomnadzor) is the supervisory regulator. The Russian Ministry of Communication and Mass Media (Minsviaz), then issued guidance and clarification on the scope and application of the amendments. Although not binding, this is the only official documentation and interpretation issued by the Russian Government.

Does Russia’s Data Localization Law affect you?

The law only applies to Russian and foreign entities that are physically based in Russia or that own a website targeting Russian citizens.

  • If your domain is e.g. .ru, .su, .moscow, or you have a Russian version of your website and pay in Rubles, it’s likely that you are affected.
  • It does not apply if you’re a non-resident organization that collects the personal data of Russian citizens abroad.
  • It does not apply to data collected before the law came effective, provided this data has/is not been modified subsequently.
  • Cross-border data transfers are not impacted by this amendment and are still lawful, provided they comply with applicable legislation on data transfers.
  • Although initial collection and processing of data must take place in Russia, data can later be processed and stored in a secondary database outside the Russian Federation.

How do you determine data of a “Russian citizen”?

According to the Ministry, companies are free to set the parameters that determine the nationality of the data subjects.

However, it is likely to be extremely difficult to identify the nationality of each data subject, record evidence of their nationality and then store only their data in Russia.

It is likely to be more straightforward to have the data of every individual of your Russian subsidiary located on a Russian server.

Exemptions to the law

As with every law, there are exemptions to this law too! For example, if your company receives the data in an unsolicited way the law doesn’t apply. Additionally, according to the Ministry, the law does not apply to data that was transmitted in the course of lawful business activity – one legal entity acquires data from a second legal entity.

We all need to take responsibility

NGA is an ‘operator’ of employee data and acts in accordance with all applicable data privacy legislation. However, NGA, as the processor of its clients’ employee data, does not determine the purpose, content and actions upon this data – we only make sure we – and all of our clients – comply with the law.

NGA has a long history of partnering with customers to help ensure their compliance. The only way to ensure data security is for each party involved in the lifecycle of personal records to take responsibility and to understand what needs to be done to act within the laws of each jurisdiction.

So, if you employ staff in Russia, don’t play Russian roulette with employee data. Please make sure your HR and payroll systems comply with 242-FZ.

Disclaimer: This article is intended only as a guide and an information piece on the Russian Data Localization Law. You should always seek independent legal advice when managing data in Russian, and any country, unless this data is managed for you by NGA Human Resources. We will ensure that your data is always compliant.