This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.
Question: I heard that the Russian data protection authority (Roskomnadzor) has sent out thousands of inquiries to businesses (including businesses outside Russia) asking them to confirm, within 30 days, that they store personal information of Russian citizens in Russia in compliance with Russia’s data localization law.
My company received the letter. What do I need to know?
My company is registered with the Russian tax authority, but we did not receive such an inquiry. Should I be concerned?
Answer: If your company is a Russian or non-Russian entity that is registered with the Russian tax authority, you should reach out to the owners of the email addresses that were used in your company’s tax registrations at the Russian tax authority to ask if they have received an inquiry from the Russian data protection authority, Roskomnadzor. The subject line is likely “О представлении сведений об обработке персональных данных,” which translates to “On the submission of information about processing of personal data,” and the message may be in their spam folder. The correspondence may have been in English or Russian, or both.
Although the monetary penalty for failing to store personal information of Russian citizens in Russia is relatively low, Roskomnadzor also has the power, as it has done in the past, either to slow down traffic to the websites of companies that have not complied or to cause those websites to be inaccessible in Russia until their compliance mandate has been met. Therefore, it is important to locate the inquiry from the Russian authority and carefully consider an appropriate response.
The decision of how to respond should take into account the laws of Russia (e.g., does the Russian localization law even apply to your company?) and also any obligations that your company may have in other jurisdictions. For example, Russian data localization requirements could complicate a company’s ability to sell to the U.S. government and government contractors, and may be inconsistent with a company’s FedRAMP requirements. Additionally, contracting to use computing services in Russia could be the subject of scrutiny under new rules in the United States that apply to the information and communications technology supply chain (a topic we addressed in our client alert earlier this year), and may also present national security risks if the company ever needs to go through a CFIUS review. Furthermore, if a company’s solution for complying with Russia’s data localization rule would require it to also store the data of other countries’ citizens in Russia (or to transfer export-controlled technology to Russia), that would raise a host of other privacy and national security concerns.
If the inquiry you received from Roskomnadzor was accompanied by an English translation, note that the translation may have omitted the response deadline (which is usually 30 days from receipt of the email). The correct deadline is present in the Russian language version of the letter, which is the prevailing version and should therefore be consulted.