Russia's New Personal Data Law Will Be Hard to Implement, Experts Say
The new law was signed by Russian President Vladimir Putin in December 2014 and outlined that companies supplying Internet services in Russia, or targeting Russian users, should store personal data in Russia.
In a streak of measures designed to impose stricter control over the Internet in Russia, the law that requires all Internet services store the personal data of Russian users on Russian territory — in effect from Tuesday — will be the most difficult to implement due to its vagueness and the fact that it will be almost impossible to verify whether millions of companies subject to the law actually comply with it.
“Loose definitions used in the law made it unclear what exactly the companies should do to comply with it,” said Karen Kazaryan, chief analyst at the Russian Association of Electronic Communications. “Most probably it will be implemented selectively at the very best.”
Critics of the new law speculated that its sole purpose was to extend the government’s control over society by closely monitoring popular social networks, but the lawmakers insisted their only intention was to protect Russian citizens.
“We worry about the safety of Russian citizens’ personal data and [with this law] we don’t violate any legislation or ethical rules,” Vadim Dengin, a State Duma deputy and a member of the LDPR party, was cited by Russian media as saying last year when the law was being drafted.
There are more than 2.6 million companies that are subject to the law, officials at the state communications watchdog Roskomnadzor claimed last month. But in fact there are more, experts argue, and Roskomnadzor doesn’t have the resources to monitor all of them.
The absence of any measures taken against Facebook, which last week told officials it would not comply with the law, only fueled doubts that the new legislation — aimed first and foremost at foreign companies — would be in any way effective.
Crime and Punishment
The new law was signed by Russian President Vladimir Putin in December 2014 and outlined that companies supplying Internet services in Russia, or targeting Russian users, should store personal data in Russia. Those who didn’t should have transferred it onto Russian territory by Sept. 1, 2015.
While some companies — such as Samsung, Booking.com, PayPal, eBay, Lenovo and AliExpress — expressed readiness to comply with the new rules, U.S. Internet giants Facebook and Google aren’t in a rush to do so.
Just last week, Thomas Kristensen, Facebook’s director for public policy in the Nordics, Central and Eastern Europe and Russia, told Roskomnadzor that the company refused to move its data on Russian users to the country, the Vedomosti business daily reported.
Under the legislation, if companies refused to transfer data to Russia by Sept. 1, Roskomnadzor can now restrict access to their websites. A special registry of websites that violate the law will be created by Roskomnadzor, and as a last resort, these websites can be blocked.
The only way to know whether a company abides by the law is to inspect it and Roskomnadzor has already announced there will be some 300 inspections carried out this year. But Facebook and Google are not due to be inspected until at least January, officials said.
Another major Internet market player, Twitter, does not have to move its data to Russia — according to Roskomnadzor, it doesn’t deal with personal data — fueling speculation that the law is a mere technicality.
It also doesn’t apply to companies that sell airplane tickets, foreign embassies and centers issuing international visas.
Difficult to Implement
The new law will never be implemented, Russian Internet personality Anton Nosik claimed in his blog on Monday, because it doesn’t specify how government agencies will determine which data belongs to Russian citizens and which doesn’t.
“‘The question of establishing citizenship of subjects of personal data isn’t regulated by legislation.’ In other words, no one knows whose data should be transferred to Russian servers,” Nosik wrote, citing the Communications and Press Ministry’s explanatory note added to the law.
Russia’s Internet ombudsman Dmitry Marinichev disagreed and said that the legislation requires the personal data of all users of websites which supply services in Russia be transferred.
“The law applies to those who come to Russia and use the services of websites here,” and that will be determined by IP addresses among other things, he told The Moscow Times in a phone interview Tuesday.
The weakest point of the law, according to Marinichev, is that Roskomnadzor must inspect each company in order to determine whether it complies with the law and there are simply too many of them to be inspected.
“Roskomnadzor said there were more than 2.5 million companies operating in Russia to which the law applies, and announced only 300 inspections in 2015. Even if they inspect 10 times as many next year, it wouldn’t cover all the companies,” he said.
Moreover, there are no technical means to verify whether the company really stores the data on Russian servers or just claims it does, Marinichev said. During inspections officials will only examine the documents supplied by companies, and they will have to trust them at their word.
Difficult to Comply With
There are many non-IT companies that have websites and supply Internet services to people living in Russia and, therefore, the law applies to them, but most of them do not understand the difficulties of Internet regulations in Russia, said Kazaryan of the Russian Association of Electronic Communications.
“It is unlikely they comply with the law at the moment, and it’s unlikely they ever will,” he told The Moscow Times in a phone interview Tuesday.
In addition to that, there are certain industries that can’t comply with this law because they comply with contradicting laws, said Kazaryan.
“Global booking systems, for example, though luckily they’ve been excluded from the law for now. But airlines, for example, don’t comply with similar European regulations, because they can’t decide what takes priority — protecting personal data or revealing it to law enforcement agencies,” he said.
“And there are plenty of these cases when it’s unclear what legislation should take precedent,” Kazaryan added.
In general lack of clarity about what exactly should be done to comply with the law — what constitutes personal data and what data should be transferred to Russian servers — causes contradictions, the analyst said.
“Companies and Roskomnadzor might have different understandings of what it means to comply with the law, and inspections will reveal different violations all the time,” Kazaryan said.
Nevertheless, he said that at least this year officials will show mercy. “The regulator [Roskomnadzor] realizes that there pitfalls in this law. I think at the beginning these inspections will be just a formality,” Kazaryan said.