Data Privacy Detective Podcast - Episode 28 - Russian Data Privacy and Protection // Frost Brown Todd19 November 2018
Stanislav Rumyantsev, a leading data privacy and protection attorney at the firm of Gorodisskiy & Partners, provides in a podcast recorded today on the Data Privacy Detective an excellent summary of Russian data privacy principles, with a focus on how they affect global business. Businesses with Russian employees, customers, business chain partners and other personal interactions should consider the following points:
First, check whether Russian data law applies. Simply having a website does not subject a business to Russian law. Because Russia is an international language used in many countries, even having Russian as a website language does not automatically mean that a website must comply with Russian data protection rules. However, if a business deals with Russian customers or others in a manner that gathers and processes personal data, especially sensitive information such as medical or financial details, the business may well require Russian compliance.
Second, if a global business establishes a Russian branch or subsidiary, that legal entity will of course be subject to Russian data protection rules. This will allow the parent company to rely on its Russian branch or subsidiary to localize and address compliance.
Third, for non-Russian businesses that do not have a Russian entity, they have several ways to comply with Russian data protection rules. They must allow Russian personal data to be gathered and processed by a Russia located “database.” This database can ensure compliance with Russian personal data laws, and then essential information can be transmitted properly by the database to a non-Russian company destination that needs the information (after deletion of information not needed by the non-Russian enterprise).
Russia’s data localization approach is not unique to the Russian Federation. It’s working in practice to allow a robust flow of commerce across borders while working to ensure that Russian residents’ personal data are protected according to Russian standards. While this increases compliance cost, it need not constitute a significant barrier to commerce or be viewed as an unfair trade practice.