Russia’s Federal Law No. 242-FZ, On the Introduction of Amendments to Certain Legislative Acts of the Russian Federation with regard to the Clarification of the Procedure for the Processing of Personal Data in Data Telecommunications Networks, took effect on September 1, 2015 and requires that Russian citizens’ personal data gathered by operators, be stored by servers/data centers located in the Russian Federation (the “Localization Requirement”). The fine for violation of the Localization Requirements was relatively small (approximately US$160).
On December 2, 2019, President Vladimir Putin signed Federal Law No. 405-FZ, On the Introduction of Amendments to the Administrative Offenses Code of the Russian Federation. As of December 13, 2019, the Code has introduced new constituent element of an administrative offense – breach of localization requirements.
Operators must ensure the recording, systematization, accumulation, storage, adjustment (update, alteration), and retrieval of personal data of citizens of the Russian Federation will be performed through database serves located in the territory of the Russian Federation. Failure by an operator to comply with the requirement leads to increased fines:
- for officials – up to RUB 200,000 (approximately US$3,350)
- for legal entities – up to RUB 6,000,000 (approximately US$100,000)
For repeated violation:
- for officials – up to RUB 800,000 (approximately US$13,350)
- for legal entities – up to RUB 18,000,000 (approximately US$ 300,000)