Russia’s media watchdog has blocked professional networking website LinkedIn after the company was found to have violated a law requiring websites to store Russian users’ data on domestic servers.
Speaking to CDR, Olga Tyangaeva, associate at CIS-based law firm EPAM, explains that the social network did not comply with the Russian Federal Law On Personal Data (No. 242-FZ), which came into force on 1 September 2015, “requiring all companies to process personal data pertaining to Russian citizens primarily using databases located in the Russian Federation”.
Tyangaeva recounts that the legislation “caused great concern” to foreign operators collecting personal data on cheaper servers outside the country, causing many companies to restructure their information technology (IT) infrastructures and software.
The fact that LinkedIn is a foreign company without on-the-ground legal presence did not play any role in the Russian court’s ruling, which in turn “may give rise to the kinds of legal and administrative practices that foreign operators feared a year ago”, she says.
Tyangaeva points to a possibility that other major foreign network businesses like Facebook and Twitter could be blocked by the regulator in future under the legislation.
Tyangaeva warns that a company could undergo an unscheduled inspection even if it is not on the regulator’s checklist.
“The LinkedIn Corporation was not included on the list of companies for which checks were planned in 2016. The checklist applies to Russian entities or the affiliates and representative offices of international companies. Thus, no foreign company that processes the personal data of Russian citizens can be sure in advance that there will not be an inspection of its activity.”
Tyangaeva advises that foreign companies who are conductingbusiness relating to Russia to “expedite an analysis of the procedures used to obtain personal data from Russian citizens” and to ensure that collected data is “processed stored in the required manner”.
Additionally, storage requirements should be agreed with local data centres, while cross-jurisdictional data transfers require “separate consent from the persons whose data is going to be processed”.
Tyangaeva suggests that some companies might benefit from using anonymising forms which do not enable personal identification.
“In all other cases, companies must organise storage of personal data in Russia and notify Roskomnadzor about the location of their servers in Russia,” she says, adding that the law does not prohibit the processing of Russian users’ data abroad: “Personal data must be processed using a so-called ‘primary’ database in Russia, with the option of cross-border transfer.”
Please follow the link to find the full text of the article.
CDR, 23 November 2016