B2B: Cross-Border Transfer of Personal Data in a New Environment

The MT Conferences section does not involve the reporting or the editorial staff of The Moscow Times.

In view of the new requirements to localize personal data in Russia, which came into effect September 1, 2015, virtually all companies that process personal data are concentrating their attention and resources (both technical and economic) on ensuring that they comply with these obligations. What is causing companies one of the greatest concerns is whether they will be able to use foreign databases in future to process the personal data of Russian citizens.

The amendments that have come into force have given rise to numerous questions and have been heatedly debated by business and representatives of state authorities for more than a year. Indeed, they are still being discussed. It was just a little over a month before the new requirements came into force that the Russian Ministry of Telecom and Mass Communications started publishing its clarifications on certain issues regarding the requirements for personal data to be localized.

One of the clarifications allowed companies to breathe easy. According to the Ministry, when personal data of Russian citizens is processed, back-up foreign databases may be used alongside databases in Russia. The volume of data located abroad may not exceed the volume of data located in Russia. In other words, data may not be located abroad, if it is not located in Russia at the same time.

Companies striving to keep their foreign databases functioning often do not pay attention to compliance requirements for the cross-border transfer of personal data. However, such a transfer cannot be avoided if any foreign database is used for processing personal data.

We remind the reader that a cross-border transfer of personal data means the transfer of personal data to a foreign state, to a state authority of a foreign state or to a foreign individual or legal entity. The law has not changed its requirements for the terms and conditions of a cross-border transfer of personal data after September 1, 2015: this form of data transfer is not forbidden in itself.

The terms and conditions for the cross-border transfer of personal data vary depending on the state that receives the data. If data is transferred to countries that are parties to the Council of Europe's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, as well as to other countries that ensure adequate protection of the rights of personal data owners, then general grounds may apply for processing personal data. However, the law provides for an exhaustive list of grounds for personal data to be transferred to countries that do not ensure adequate protection of the rights of personal data owners. Each operator working with personal data must, before starting to transfer personal data across the border, make sure that the foreign state to which the data is transferred ensures adequate protection of the rights of personal data owners. Moreover, the company must make sure that the volume of personal data transferred is in line with the objective for which the data is processed.

Whether all the above requirements have been met in terms of classifying the operator's actions connected with cross-border transfer of personal data and ensuring compliance with the legislation is checked by the competent federal authority, the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) during inspections it carries out. The failure to comply with the above requirements may result in the same legal risks for companies that fail to comply with the new localisation rules.

However, if Roskomnadzor might previously have had difficulties with identifying cross-border transfers of personal data and it was easier for companies to escape responsibility, the federal service now has an additional instrument of control.

In accordance with the new legislative requirements, operators of personal data must inform Roskomnadzor of the location of their databases, which contain personal data of Russian citizens (except for situations directly envisaged in the law). At the same time, based on the wording of the law, operators must inform Roskomnadzor of the location not only of Russian databases, but also of foreign databases, even if they simply back up Russian databases. In turn, if operators inform Roskomnadzor about their foreign databases, it will be obvious that the cross-border transfer of personal data is taking place.

Also, please note that, in spite of Roskomnadzor's statement that it intends to check only about 300 large and well-known companies by the end of 2015, this does not mean there may not be non-scheduled inspections of any other companies based on complaints from personal data owners. These could, for example, relate to the contents of personal data and the methods used to process it not being in line with the objective for which it is processed.

To prepare in advance for inspections by Roskomnadzor, and to manage the risks of being held liable or of other enforcement measures being applied based on such an inspection, companies should pay attention not only to where their databases are actually located, but also to compliance with all other requirements of the law on processing personal data.

The MT Conferences section does not involve the reporting or the editorial staff of The Moscow Times.