One of the biggest and most popular Internet companies, LinkedIn, has become the first target of the recent Russian data localization law.
The legislation requires businesses operating online to keep Russian Internet users’ data on servers located within Russia.
The first relevant law dealing with this issue, Federal Law #97, came into force on August 1, 2014. Among other provisions, this law also contained one requiring Internet companies that provide services in Russia to store Russian Internet users’ data on servers located within its borders.
On September 1, 2015, this rule was expanded through Federal Law No. 242 (the „Law“) that requires the same data localization policies for any company that operates online and processes Russians’ data. Roskomnadzor, i.e. the Russian DPA, under the aegis of the Ministry of Communications, regulates the ICT and media sector in Russia and oversees the legal framework in that area.
The Freedom House raised concerns that these laws create two main issues: an obvious challenge for companies operating online, as well as an easier opportunity for Russian intelligence to reach the communications data of Russian Internet users, especially activists and opposition figures who may then face arrest and prosecution.
The Law requires companies that collect personal data to perform the recording, systematization, accumulation, storage, specification (update or change), and retrieval of personal data of Russian citizens using servers located on the territory of Russia. Generally, besides companies with a physical presence in Russia, the main target are companies that store consumer data in servers offshore but include on their websites a Russian-language option, use a Russian domain, or offer buying and selling of products or services in Russia to Russians.
However, these requirements apply only to companies that receive data directly from data subjects or through data processors acting on their behalf. In addition, the data must be collected purposely, i.e. not inadvertently in the course of a normal business activity.
It is unclear how a company may know with certainty which user is a Russian citizen, but the guidance offered by the Ministry of Communicationsstates that such determination can be made based on the specifics of each business. However, in case that a reasonable determinationcannot be made, the localization requirement will apply to all personal data collected by a company on the Russian territory.
This Law grants the Russian DPA the power to put on a blocking list a website that processes information in breach of its provisions. Onceplaced on that list, Russian ISPs are obliged to block such websites under threat of sanctions. However, the DPA can initiate the procedure to block access only if there is a respective court judgment, which is exactly what happened in the case of LinkedIn. Namely, two Russian courts ruled to put this company on a blocking list due to its noncompliance with the Law.
Still, for the better part of the year, these changes in Russian legal framework have not affected major Internet companies. It seemed that, despite all abovementioned concerns, the Roskomnadzor’s plan was not to shut down big companies if they do not comply with the Law, at least not Internet giants. Its focus appeared to be more on the banking sphere, insurance companies, hotels, mobile operators, and e-commerce companies, according to the Roskomnadzor’s spokesman. The idea behind this Law was to have a pretext to force big global companies to talk to the Kremlin, and potentially force them to open offices in Russia, which would then make them more “vulnerable” and inclined to cooperate with the authorities.
However, as of November, LinkedIn has officially become the first Internet company that started feeling the repercussions of the database law’s application in practice. The company has been blocked due to its noncompliance with this Law, although it does not have a physical presence in Russia.
Since September 2015, Roskomnadzor started conveying compliance inspections within various companies. Of the big tech companies, in 2016 only Microsoft was scheduled to be under inspection of compliance with this Law. LinkedIn’s recent acquisition by Microsoft may be the reason for putting this professional network company under the immediate spotlight of Roskomnadzor.
After one such checkup of LinkedIn’s business, the DPA referred the case to a court, asking it to confirm that the company was in breach of the Law. The court agreed and, consequently, LinkedIn was placed on the blocking list. Before becoming blocked, the company tried to negotiate and soften Roskomnadzor’s stance but, apparently, their efforts took an unsuccessful course.
It is yet to be seen what companies will be under the Roskomnadzor’s watch in 2017, and if they will choose to comply with Russian regulations or not. LinkedIn’s case will most likely serve as an example-precedent for all other companies, which puts additional pressure on their executives when working on solving the current problem.