Russian Data Localization Law – Where We Stand in the Beginning of 2016?
For those interested in the Russian market, the last year was full of intense discussions. One of the main topics was the various legal and regulatory initiatives implemented in Russia with respect to the Internet. As games have long been mostly online, this can potentially affect the game industry (although, frankly speaking, there is no special regulatory attention to games yet). Still, one of the most notorious amendments, the “personal data localization” one, concerns a lot of foreign businesses dealing with Russia, including video games, and this was indeed the main focus.
American Chamber of Commerce, Association of European Business and many other international business organizations held a lot of meetings in 2015 to discuss the “localization amendments” and develop approaches to adapting to them. Viewed from the inside, the public activity has been more than intensive. This resulted in public authorities making a few guiding statements which, albeit non-binding, can shed some light on what regulatory practice can be expected. Russia is notorious for its recently introduced website blocking procedures, and this particular risk was something which foreign operators discussing the amendments had specifically in mind.
This brief post is intended to provide a short overview of the amendments, current market practice approaches and a recap on where we stand in the beginning of 2016.
A brief overview of the “localization amendments”
The Personal Data Law has been in effect in Russia for more than eight years, but it mostly concerned companies “physically” present in the country. However, from 1 September 2015 amendments came into effect which added one sentence to it, prompting debate over whether it can concern foreign operators as well:
“While collecting personal data, including by means of the Internet, the operator must provide that record, systematization, accumulation, storage, specification (updating, changing), extraction of personal data of the Russian Federation citizens must be done with the databases located on the territory of the Russian Federation except for the cases stated in Points 2, 3, 4, 8 Item 1 Article 6 of the present Federal Law”.
In short, personal data of Russian citizens must, at least as the first step, be collected and stored in Russia before it can be transferred abroad. It is worth noting that the cross-border transfer itself is not prohibited. The exclusions to which the amendment refers are mostly not relevant for business. Besides this particular sentence, formal legal grounds for administrative blocking of websites that fail to comply with the Russian legislation have been introduced, along with a few other technical rules.
Primary database and cross-border transfer
So far, a practical approach to interpreting this rule has been elaborated: the law says that personal data of Russian citizens shall be collected and processed in Russia, but it does not say “only in Russia” and does not prohibit cross-border transfer. Thus, the approach widely considered legitimate at the moment is that establishing a database for Russian citizens’ data in Russia (even remotely, using local data centers), provided that other formalities are complied with, would satisfy the requirement.
Concerning the concept of “database”, the Personal Data Law does not introduce any specific definition and/or requirements, and it has been stated by the data protection authority (although it was not a legally binding statement) that such a database can take any reasonable form. Some companies, where it is practicable, currently opt to use even simple MS Excel spreadsheets.
As soon as the data is collected and stored in Russia, it can be transferred abroad under the existing rules on cross-border transfer. Here it is important that countries are formally divided into those which provide “adequate protection of personal data” (mainly, parties to the ETS Convention 108, such as Germany, or countries specifically white-listed by the data protection authority, e.g. Canada or Israel) and those which do not provide such protection – the most relevant example is the U.S. In the latter case, written consent, either in paper form or with an e-signature, is needed.
A risk-safe approach for cross-border transfer will also imply reflecting relevant procedures in internal documents and the data protection policy, and ideally, a data transfer agreement with the recipient(s).
What makes data personal under the Russian law?
It is crucial that the “localization amendments” and the Personal Data Law as a whole are triggered only where the data concerned is considered “personal data”. While the definition is very close to the one adopted in the EU (namely, “any information which relates to a directly or indirectly identified or identifiable individual”), the Russian approach so far has been rather narrow, as the court practice suggests.
In most court cases related to personal data aspects, only information which is enough to identify a real individual has been considered personal data. It can be said, following this logic, that such information “relates to identified or identifiable individuals” (think of a full name, place of work and position, like “Vladislav V. Arkhipov, of counsel at Dentons, St. Petersburg”), in contrast to information which “relates to an unidentifiable range of parties” (think of a first name and profession, like “Vladislav, lawyer”).
This approach leaves behind many details which users provide on the basis of anonymity, or, better to say, “pseudonymity”. A fictional e-mail address with a domain name of a general provider such as “Yandex”, even along with a user name and, let us say, date of birth, following this practical logic, will not qualify as personal data. The only “real” data which we have here is the date of birth, but there are plenty of people who have birthdays on the same date. This allows companies certain flexibility and one practical route to reduce concerns about personal data regulations – to avoid using any “real life” data as much as possible.
A possibility to apply Russian laws to foreign companies
Initial statements of the Russian authorities made in 2014 and the beginning of 2015, when the discussions started, were quite straightforward – as far as the Internet is concerned, the law does not distinguish between companies operating within the country and from abroad. This gave rise to criticism, and the Ministry of Communications and Mass Media reacted in mid-2015 by elaborating the criteria for application of the Russian law to foreign websites. Although they are non-binding, they provide guidance on the official position and, frankly speaking, are not in conflict with other rules of the Russian law.
The “jurisdictional test” rests on the principal criterion of “targeting the Russian users/market”. A website can be said to target it when it uses domain names connected to Russia (e.g. “.ru” or the Cyrillic “.рф”) and/or contains genuine Russian language. Besides that, additional markers, at least one of which should also be present to qualify, can be the possibility of Ruble payments, delivery of products to Russia, advertising in Russia or anything else which “clearly indicates” targeting of the Russian market.
It is worth noting that even before the “localization amendments” Russian courts were given grounds to recognize jurisdiction over disputes related to personal data with foreign companies where the individual simply lives in Russia, according to an explicit rule of the Civil Procedure Code. However, this rule has not yet proved workable. Besides that, Russian consumer protection rules can also be applied in a dispute of a Russian citizen with a foreign company, and there have been a few attempts to enforce this in courts.
In general, the suggested jurisdictional test leads to the conclusion that a website or any other web resource in the “.com” domain which has content in English and does not provide anything else of the aforementioned, but which may occasionally be used by some Russian citizens, is likely to be out of the scope of regulatory attention.
Practical implications for game industry (user data)
In contrast to many other kinds of business, the game industry usually has much more flexibility. While there are a lot of companies which deal with data which is clearly personal (booking, insurance and anything else related to “real life” more than to virtual reality), the majority of data which game companies operate with pertains to users who are not always asked to provide and confirm their real identity. Thus, account names and character names, for instance, in most cases cannot qualify as personal data.
The effect is that in the current Russian environment the most critical area for the game industry in the context of personal data is payments. Due to a number of factors (including payments legislation itself which, as a general rule, does not tolerate anonymous payments, whichever country we consider), payment information in most cases shall qualify as personal data. However, one of the possible workarounds can be to leave the personally identifiable data with the payment processing company if this service is outsourced, so that the game company itself does not have access to personal data of users. This, of course, may highly depend on the actual business processes implemented and the position of payment processors.
Game companies which consider the implications of the Russian personal data legislation sometimes ask about innovative aspects in this area, such as whether play session data (from which, for instance, cybersport enthusiasts can recognize a specific player of renown) can qualify as personal data. While objectively such an approach may have some merit, right now it seems far too advanced for the Russian regulatory practice.
Where we stand in the beginning of 2016?
To summarize, the “localization amendments” are effective from 1 September 2015. They are triggered by the data which is considered as “personal data”, and this means that such information shall identify an individual.
It is clear for Russian entities and local subdivisions of international companies that they should comply with it and maintain an “entry-level” database locally, although they keep the possibility to transfer the data abroad under the existing rules on cross-border transfer. That said, foreign companies may have reasons to be concerned with the “localization amendments” if they consistently target a Russian audience from abroad.
Although this area is quite important if one deals with the Russian market, and is definitely worth a risk assessment, the risks should not be overestimated: while there were a lot of discussions about application of the “localization amendments” to foreign resources, the amendments have been in force for more than five months already, and it does not currently seem that authorities are especially keen on chasing those resources which legitimately operate under their respective foreign jurisdiction. While things may, of course, change, only those websites which involved an outright breach of individual rights (such as illegal databases of citizens hosted abroad) faced legal actions in Russia.
Besides that, some of the companies operating within the Russian jurisdiction got into lists of scheduled inspections of the data protection authority which were published recently. From now on these inspections will include checking compliance with the “localization amendments”, and the nearest checks are expected to happen during February.
Online game companies do not appear on the list of scheduled inspections for 2016, nor is the game industry as a whole listed as subject to general monitoring. This, however, does not exclude individual user claims which can trigger regulatory attention.
This post presents the personal opinion of the author and does not convey the opinion of any organisations he is affiliated with.
 Federal Law of 27 July 2006 No.152-FZ “On Personal Data”
 Federal Law of 21 July 2014 No. 242-FZ “On Amending of Certain Legislative Acts of the Russian Federation in Part of Specifying the Procedure of Personal Data Processing in Information and Telecommunication Networks”