1. Localisation
The law amends paragraph 5 of Article 18 of the Federal Law On Personal Data. The new wording explicitly prohibits, when collecting PD (including via the Internet), the recording, systematisation, accumulation, storage, clarification (updating or modification), and retrieval of PD belonging to citizens of the Russian Federation using databases located outside the territory of the Russian Federation.
Previously, this requirement was explicitly directed at PD operators; however, the prohibition now formally applies to all entities.
There is a risk that the amendments will be interpreted liberally as constituting an almost complete ban (with certain exceptions) on the use of foreign servers and databases for processing the PD of Russian citizens, including PD collected through cookies.
Since the revised wording retains the qualifier «when collecting PD», mitigating these risks will require a clearer distinction—both in processes and documentation—between the concepts of «collection» and «use». This is complicated by the absence of precise statutory definitions for these terms.
In addition, adjustments will be needed in the use of global data-processing systems (including HR and CRM systems) and in the practice of creating «mirror» databases abroad. Previously, such arrangements were permissible on the condition that all actions involving PD were initially performed in the Russian databases, that the volume of data in the Russian databases was at least equal to that in the foreign databases, and that other legislative requirements were met. Under a liberal interpretation of the new rules, processing PD of Russian citizens in global databases, creating «mirror» databases abroad, or transferring databases from Russian servers to foreign ones could now be prohibited.
Furthermore, the revised localisation requirements create uncertainty regarding cross-border data transfers—specifically, from which point an operator is considered to have fulfilled the localisation requirement and is therefore entitled to carry out such transfers.
Aside from the liberal interpretation, there is also the view that the law does not introduce substantial changes to the previously existing rules. No official guidance from the regulator on these changes has yet been issued.
Given the extraterritorial effect of the Federal Law On Personal Data, the prohibition on using foreign databases may also apply to foreign entities with no presence in Russia that process PD of Russian citizens on the basis of their consent, a contract, or another agreement with the data subjects.
Administrative liability for breaching the localisation requirement remains unchanged: fines of up to 200,000 roubles for officials (up to 800,000 roubles for repeated violations), and up to 6 million roubles for legal entities (up to 18 million roubles for repeated violations)². It is also possible that using foreign databases in violation of localisation requirements will, in practice, be regarded as a personal data breach, for which significant penalties, including turnover-based fines, will apply from 30 May 2025³.
2. Special Categories of PD Subjects
In addition to the localisation provisions, the new law updates the rules on processing PD relating to special categories of data subjects.
These include officials of certain public authorities (in particular, law enforcement, supervisory, and judicial bodies), persons providing them with confidential assistance, individuals under state protection, victims, witnesses, and other participants in criminal proceedings. The specific rules for processing PD of these persons are set out in special legislation.
The law also requires PD operators, upon instruction from authorised officials, to provide access to their information systems and/or databases containing PD of these special categories of subjects, including enabling changes to be made.
Recommendations:
- Review PD processing activities involving foreign entities, break them down into stages (collection/receipt, recording, systematisation, re-recording, use, transfer, cross-border transfer, etc.), determine the locations of the servers involved, and identify the roles of the parties involved (operator or processor). Assess whether there is a legal basis for using foreign servers/databases.
- Develop separate algorithms for PD processing operations relating to collection and to the use and/or transfer of already collected PD.
- Check your information systems and databases for possible PD of special categories of subjects.
- Update internal documentation to reflect the new legislative requirements.
¹ Federal Law of 28 February 2025 No. 23-FZ On Amendments to the Federal Law «On Personal Data» and Certain Legislative Acts of the Russian Federation (hereinafter, the «Law»). The new rules enter into force on 1 July 2025.
² Paragraphs 8 and 9 of Article 13.11 of the Code of Administrative Offences of the Russian Federation.
³ https://epam.ru/ru/legal-updates/view/uzhestochenie-otvetstvennosti-v-oblasti-personalnyh-dannyh:-oborotnye-shtrafy-i-specialnaya-statya-v-ugolovnom-kodekse-rf.
This material has been prepared solely for informational and/or educational purposes and does not constitute legal advice or a legal opinion. EPAM Law, its management, lawyers, and staff cannot guarantee the applicability of such information to your specific circumstances and accept no liability for any decisions you make, or for any direct or indirect losses and/or damages arising from the use of the information contained in these materials, in whole or in part.