Are you ready for Russia’s new data protection law?

28 July 2015
Knowledge Base

Michel Klompmaker

Russia is one of the world’s economic powerhouses, home to many multinational corporations (MNCs) and set to enact a new, very specific data management law this year. From September 1st 2015, law #242 will come into force, affecting existing laws #149, #152 and #294 respectively, all of which focus on data, information and its protection and confidentiality of Russian Citizens.

To go over all relevant questions that organizations and individuals might have on this new Russian law, there will be an international webinar on 19th August at 15:00 CET and 4th September at 11:00 CET organized by Orange Business Services. The webinar of one hour will be accessible from whatever location of device and will be led by Andrei Zorin, Senior Legal Counsel for Russia & CIS at Orange Business Services. Zorin works and lives in Russia. In the meantime, Risk and Compliance Platform Europe received a preview and interviewed Pieter Bas Kranenberg, Business Development Manager Orange Cloud and Benelux representative at Orange Business Services.

Explain in a couple of words, what is this law about?
Kranenberg: “The new law stipulates that all processing of personal data must be done with the use of databases residing on servers in data centers located in Russia and not outside of the country. Technology can help organizations achieve compliance with the new law. Orange Business Services has some answers. Our private and shared cloud platformsprovide a safe solution to a complex matter.”

Give us a bit of background. Are times for data protection laws changing by the minute?
Kranenberg: “Russia’s plan to implement a dedicated, local data protection law is not the first time it has been attempted. In 2014 Brazil tailored new regulation within its “Marco Civil da Internet”, designed to require global internet companies to store data on servers inside Brazil, only to drop the rule at  the eleventh hour. The reason for this was pressure from internet companies complaining the rule would increase costs and create barriers in one of the world’s biggest online markets.”

What about the European Union?
Kranenberg: “The European Union (EU) enacted strong data protection regulation, requiring that, where data pertaining to EU businesses or citizens is stored outside the EU, data protection regulation at the other end of that transfer must be at least as rigorous as the EU’s own. Russia has, however, moved fast on the issue. Law #242 was originally scheduled for implementation in September 2016, but the Russian government brought the deadline forward a year – placing increased pressure on organizations to be ready in time.”

Is there a dialogue between the EU and the Russian authorities?
Kranenberg: “When it comes to Russia, there is a dialogue between the Association of the European Businesses and the Chamber of Commerce via individual members in France.”

This means that organizations are under pressure?
Kranenberg: “This means both Russian businesses and multinational corporations (MNCs) that either have a presence in or online business that takes place in Russia must comply – meaning storing and processing personal data in a ‘local’ data center. So any foreign social media, e-commerce or any other type of website that receives or carries information about Russian citizens must have a storage location inside Russia.”

What are the sanctions exactly and how enforceable are those?
Kranenberg: “The penalties for non-compliance can be severe; punishments currently include hefty fines for both individuals and companies, while businesses can also risk having their operations suspended and websites blocked. That said, there are still some unclear areas to Russia’s new legislation. Both Russian and international companies asking for more clarity on the law’s guidelines and definitions; what is meant by ‘personal data’ and ‘database’ within the terms of the regulation, for example. Further clarification has been requested on interpretation, as elements of the law can be construed in differing ways. For example, the conservative and literal reading of the regulation implies that storing a single copy of a personal data database on a server outside of Russia is completely prohibited, but informally, authorities are supporting a more liberal view that storing a back-up copy of that same database overseas is permitted so long as the primary database is located within Russia. Ensuring interpretation is correct, is crucial for all. Orange advises, aside choosing the wright cloud partner, to team with legal advisors to make the right choices for specific business requirements. We work as trusted partner alongside customers in their ongoing journey towards digital transformation.”

Are there disputes via European legal parties or governments?
Kranenberg: “My partner in Russia, Andrei Zorin, commented: “Organizations are asking the government for assistance on the issue to help ensure compliance and government is being as cooperative as it can, assisting with guidelines and will continue doing so from September 1st. It is in everybody’s interests that they can meet the new regulatory requirements as quickly as possible.”

How can organizations address the issue?
Kranenberg: “With so much concern around the safety and security of sensitive data alongside the need for regulatory compliance, organizations need the right processes and storage solutions in place. Many companies have turned to private cloud technologies to help them address international data storage and security and compliance issues. Using a private cloud setup for back-end data, processing can deliver the necessary ‘local’ presence that regulation like Russia’s demands, while allowing data to be controlled and managed appropriately. I would urge people to look into risk management, having the right systems and technologies in place and working with the right people. Organizations need a partner with the proper public sector experience, international network and the expertise in managing this kind of cross-border legality. We will expand on that on 19th August and 4th September during the webinar and are looking forward to the questions attendees might have.”

You mentioned Orange cloud briefly in the beginning. Tell us about that.
Kranenberg: “Private cloud and also shared cloud solutions can deliver the necessary functionality. At Orange, we are set up to provide shared or private, on-site or off-site, semi or fully-automated, tailored cloud solutions and our data centers based in Russia ensure compliance. So customers can rely on us to support them immediately from September 1st.”

Some facts on Orange Business Services in Russia

• Only international telecoms and service integration provider with own infrastructure and countrywide license
• Operations in Russia since 1958 with partner SITA
• Provides 5,000+ customers with full suite of voice and data services
• Over 1000 employees in 36 cities
• More than 1300 Point Of Presences
• 3 Tier III Data centers and a local cloud platform in Moscow
• Anti-corruption certification for compliance policy
• CIS offices in Ukraine, Kazakhstan and Belarus

Make sure to register for attendance of the webinar in August and September to find out more.

Please, fill in the details via this link and send an e-mail to confirm via

Leave a Reply

Your email address will not be published. Required fields are marked *