Russia maintains one of the world’s more stringent data localization laws, Federal Law No. 242-FZ, which applies to website operators both established in Russia and outside of Russia–if conducting business “aimed at the territory of Russia.” The latter criteria may be found where a website has a Russian-associated domain name (e.g., “.ru”), and demonstrates other intent to target the Russian market such as by accepting payment in rubles or advertising in Russia.
In June 2019 a bill to amend the localization law was submitted to the lower house of the Russian Federal Assembly. The bill seeks to establish the maximum fines for violations and repeated violations of the law (the latter being set to nearly 250,000 euros), which is seen by some as intending to further compel foreign companies’ compliance with the law. At present, the only appreciable consequence of non-compliance with the data localization law for such companies is the Russian data protection regulator, the Roskomnadzor, applying for a court order to effectively block access to the company’s website.
This alone is a serious threat, as LinkedIn discovered in November 2016 when the regulator succeeded in ordering major Russian ISPs to block access to the professional networking site–as remains the case–for non-conformance with the law. In light of the current law and its proposed changes, in-scope website operators (i.e., those targeting the Russian market) should ensure that any Russian residents’ personal data that they collect is processed through databases located in Russia. For more information and original sources for the draft localization law amendment, see here.