Russia Enacts Data Localization Requirement; New Rules Restricting Online Content Come into Effect
Both houses of the Russian Parliament have approved legislation requiring data operators to store personal data of Russian citizens on servers inside the territory of the Russian Federation, and the legislation was signed by the President on 9 July. Therefore, data operators (including Internet companies) collecting personal data of Russian citizens will need to use servers based in Russia to store that personal data by September 2016 or face being blocked from the Internet.
As of yet, the Russian telecommunications regulator, Roskomnadzor, has not interpreted the legislation’s applicability to foreign data operators (including foreign websites processing personal data of Russian citizens). Typically, Russian data protection legislation applies only to Russia-based data operators and foreign data operators having a legal presence in Russia (e.g., subsidiaries, representative offices) that process personal data in Russia. If the same determination is made with respect to this legislation, websites and data operators without a legal presence in Russia would be excluded from the requirement.
The legislation sets out a judicial and administrative process to restrict access to infringing websites. First, if a court determines that a website operator is in violation of the law, Roskomnadzor is charged with determining the website’s hosting provider and notifying it of the court’s decision. Second, the law requires the hosting provider to inform the website owner of the infringement determination within one working day of receiving the notice. Website owners would then have one additional day to come into compliance. If the website owner fails to comply, the hosting provider has the responsibility to restrict access to the website.
The legislation currently does not provide for specific penalties; therefore, general administrative liability for violations of Russian legislation on personal data would apply. Legal entities would face fines up to RUB 10,000. By September 2016, however, specific liability may be introduced.
Web Content Law
The data localization legislation comes on the heels of another recently passed Russian online content law that creates new obligations for companies that facilitate the exchange of information online. Under this online content law, which goes into effect on August 1, 2014, all “organizers of dissemination of information over the Internet” that receive, transmit, deliver or process electronic messages of Internet users – which may include social media websites, email services, online forums, and many others – are required to register with Roskomnadzor. If covered, an online service is required to store information about its users and the circulation of electronic messages on its website for six months in Russia. The law mandates that this information be provided at the request of government investigators, including relevant law-enforcement authorities. Violations of the law could lead to a website being blocked or fines up to RUB 5,000 on citizens, RUB 50,000 on officials, and RUB 500,000 on companies.
Additionally, the law subjects “bloggers” (defined as websites having more than 3,000 viewers per day) to special control by the state authorities. Bloggers will be required to fact-check their content, immediately delete false information, and identify themselves by providing their full name and email address. Bloggers also will be prohibited from disseminating information recognised as an “abuse of mass media freedom.” The law instructs Roskomnadzor to create a special register of bloggers and empowers it to request information necessary to identify popular website owners. Violations of the law could lead to a 30-day suspension of business activity or the imposition of an administrative fine of up to RUB 50,000 on citizens and up to RUB 500,000 on companies.