Data Center Management

London Tech Week: What does the new Russian data law mean?

Last year, Russian president Vladimir Putin passed a number of measures in order to restrict foreign involvement in Russian media. He signed a controversial law requiring bloggers with more than 3,000 unique daily visitors to register with Roskomnadzor, the mass media regulator.

Now, starting from 1st September 2015, Russia’s Data Localization Law will require data operators to ensure that the “personal data of Russian citizens be processed via servers located within the territory of Russia”. The aim behind this law is to prevent security services in other countries from accessing Russian private data.

How will this new law affect foreign companies? This is what the panellists have come to discuss at law firm Simmons & Simmons in London.

Speaker Marcus Clayden, Associate at Simmons & Simmons explains:

“[This law] will apply unilaterally across the board not just to consumer-facing data-driven companies but to all companies that touch Russian personal data. If you’ve got a ‘dot ru’ domain name and your website is translated into Russian and you’re targeting Russian nationalists then it is highly likely that any enforcement action may well come your way.”

The enforcement action Clayden is referring to is fines up to 10,000 RUR (approx. $185 dollars). But this could be raised considerably depending on the type of breach. As Tatiana Menshenina, Counsel at Simmons & Simmons explains, the “Russian authorities also have authority to close websites if storage of data breaches the law”. Companies will only be given three days to comply if found to be in breach.   

Clayden warns that many of the IT infrastructures in multinational companies are set up in a “non-compliant way with the incoming requirements”.

“Many multinational companies will have their data repositories in the States or the EU with an outpost operation in Russia. That kind of mechanism where the ‘master copy’ is retained outside Russia is not going to be compliant with the new requirements. That’s certainly a point of concern and something that companies will need to look at when trying to re-jig their current setups.”

Clayden also says that the identification of Russian citizens data will be problematic for companies as it will be difficult or nearly impossible to work out who is and isn’t a Russian citizen. But it’s best to assume that if you are collecting data on Russian citizens then these will be subject to these new requirements.

But the panellists note that there are many ambiguities in the law. For instance, what if there’s a technical breach in relation to disaster recovery systems?

“It’s important that the ‘master copy’ of data is not stored outside of Russia. But say the database in Russia gets corrupted and wiped and your backup system exists outside Russia? [This could be problematic.]”, says Clayden.

Clayden recommends that companies do an internal audit and start working on how the system can be re-jigged to meet the new requirements.

Guy Wilner, CEO of IXcellerate has on the ground experience of building a datacentre in Moscow.  According to Wilner, Russia is the “fastest growing internet market in Europe and is a great source of income for the west.”

“What the Russia law is also trying to do is build a bit more internet infrastructure in Russia. So what I put is, they are encouraging companies to house their sensitive data.”

How fast will companies rush to comply with the new law? Re-jigging an entire infrastructure in just a matter of a few months is no easy task. Wilner warns that the Russian authorities will clamp down on anyone that doesn’t comply.

“What we can see is anecdotal evidence on the ground. When the smoking ban was due to come in Russia a couple of years back, people were joking and saying it was going to be like France where [you could still get away with smoking in certain parts of the restaurant]. Well no, in Russia it was [implemented immediately].”

Plus we are also seeing examples of data localisation from tech companies already. Wilner explains how Microsoft had to bow down to Canada’s requests for data localisation.

“The Canadian government was upset that everything they did in the cloud with Microsoft was not in Canada. All the data was going out to San Jose and probably going through the NSA on its route. So the Canadian government said no to more government contracts until Microsoft complied. So now we have a localised instance of Microsoft Azure Connect. China has also localised a cloud system with Microsoft Azure. We already have two localised instances of the cloud. “

“Data is the new oil. [Companies] don’t want all their oil shipped out and have somebody else make money from it,” Wilner adds.

The general feeling from the panel is, come September, high-profile incidents of non-compliance by companies will be “used as examples” by Roskomnadzor as a warning to multinational companies and also set a clearer precedent to air out the ambiguities. Wilner makes the comparison of Roskomnadzor with Ofcom, the UK’s media regulator. He says that whilst Ofcom merely “makes suggestions”, Roskomnadzor has “limitless powers” so needs to be taken seriously. But Wilner admits that so far, Roskomnadzor has not been “overly aggressive”.

But the warning to multinational companies is clear: companies need to start looking at their internal IT infrastructures now or risk the wrath of Roskomnadzor. According to Wilner, Roskomnadzor can easily block a company’s website within 48 hours - and for a company that relies massively on its online presence for its revenue this could prove to be devastating.


« Cyber breaches are inevitable: Now deal with it


Mellanox: What does faster Ethernet mean? »
Ayesha Salim

Ayesha Salim is Staff Writer at IDG Connect

  • twt
  • Mail

Recommended for You

Trump hits partial pause on Huawei ban, but 5G concerns persist

Phil Muncaster reports on China and beyond

FinancialForce profits from PSA investment

Martin Veitch's inside track on today’s tech trends

Future-proofing the Middle East

Keri Allan looks at the latest trends and technologies


Do you think your smartphone is making you a workaholic?