Russian Data Privacy Law: Protection or Profit?
Is the latest move by Putin designed to “protect” his citizen’s personal information, or is it an economic strategy? Given the value of data, could this be his motivation? Or is it all about control?
Google Chairman Eric Schmidt has been quoted as saying that Russia is “on the path” towards Chinese-style censorship of the Internet.
The Law for Personal Data Storage in Russia:
Companies operating within Russian data privacy law regulations will be required to store users’ personal data on servers located within Russian territory by September 2015. They must also notify Roskomnadzor, the country’s data protection agency, of the location of their servers. Information Law No. 242- FZ
While this is good news for Data Centers, it presents a challenge for companies such as banks, commerce, and social sites doing business there.
As one of the only foreign data center providers in the country at this time, Telehouse offers storage, guidance and advice to clients in Moscow. This is a big issue as you can imagine, as the trust level for US companies dealing with the Russian government and regulations is difficult.
For example, when the Russian data privacy laws were announced Google quickly pulled up stakes.
What Information Law No. 242-FZ Entails
The Russian data protection law itself outlines how to collect personal data and document consent. It requires:
- the identity of the data collector(s)
- liability for data operators
- rules for publication of storage policies and technical processes
- disclosure of the physical location of those databases
The sweeping impact of this legislation is not limited to Internet companies and banks. Any entity storing personal data online—from airlines, to rental car agencies, to fast food franchises will need to structure their information, and document that structuring to meet these new legal requirements.
Some companies have already been cited even though the deadline has not arrived.
Big Data is Big Business
Katryna Dow, the CEO of Meeco, a Personal Data Rights company based in Australia, has this to say about the protection of personal data:
“From a Meeco perspective, our focus is always on the sovereign rights of the individual citizen. It is very interesting that Russia is putting in place physical borders to a borderless and connected digital world. However, much like Europe, there is growing concern that data stored outside of controllable jurisdictions, and in particular stored in the US, is subject to monetization and significant loss of privacy.
“More importantly the question is whether or not Russia is doing this to ‘protect’ its Citizens data (much like the EU) or whether it is because it sees that data is highly valuable and the currency of the future. In this case, keeping it onshore increases the likelihood of being able to regulate the trade and exchange of data, or indeed put in place measures in the future if data becomes an alternate currency. Time will tell which are the key drivers to this decision.
“This is likely to be an ongoing challenge where crypto currencies are concerned, given the value is borderless transactions.
“I am happy to see a strong signal being sent to US corporations. This increases the likelihood that they will now need to provide on-shore infrastructure, if they are going to offer services in Russia and Europe, which will host personal data. This might afford citizens and residents increased rights with respect to their privacy, choice and legal protection, much of which is not available when the data is stored in the US.”
Russia and the EU Are Not Alone
The US has itself enacted similar policies within the health and financial sectors. As Dow says, time will tell, but it seems likely that other countries will eventually follow suit in enacting onshore restrictions for housing personal data of citizens.
Personal Data Defined
Personal data, according the EW report, has the ability to differentiate a specific, unique individual from a larger group. It includes parts of a person’s name and contact information depending on the situation. If that’s not already confusing, it get’s more complicated from there. This is definitely territory for legal specialists.
The law defines how data may be used within the territory of Russia:
- Organizations must address the following Data Processing and Protection of Personal Data in their documentation. This reads like HIPAA:
- Onboard Oversight: Someone within your organization has to be appointed to oversee personal data processing
- Awareness Training: Other employees must be kept current on legislation regarding Resolution 228
- Document Policy: Your company must publish an easily findable personal data policy
Clear Steps To Ensure Effectiveness:
Your company must outline all measures in the following categories: legal, technology and organizational. The plan must include security guidelines and these metrics.
- Tools: Enterprise must include required certified software and hardware
- Policies on Policing: Internal controls to ensure compliance
- Damage Assessment Metrics
- Potential Threats Assessments
- Registration Maintenance of all locations where Personal Data is Stored
- Notification Process of all unauthorized access to Personal Data
- Notification of Damage to Personal Data itself
- Rules for and Records of Personal Data Access
- Migrations in Progress May Not Meet Deadlines
Companies who store their users’ personal data in borderless clouds or abroad are the ones primarily affected and face specific compliance challenges.
The Telehouse Moscow Data Center is already at work assisting customers with collocation within this certified premium, Tier III design facility only 15 minutes from the Kremlin.