Russia Steps Up Enforcement of Data-Localization Law

Published: Nov. 16, 2016

Updated: Oct. 05, 2020

The Moscow City Court upheld an enforcement request made by Roskomnadzor, Russia’s telecommunications and media compliance watchdog, to blacklist LinkedIn. Without any hearing of evidence or findings of fact, LinkedIn was declared to be in violation of the data localization requirements of Federal Law 242-FZ (“Law 242”), which requires businesses handling the personal data of Russian users, including social networks, online marketplaces, and messaging services, to (1) store covered data on servers within Russia and (2) notify Roskomnadzor of the location of these servers. The Roskomnadzor found that LinkedIn violated the law by failing to store information about Russians on servers within the country, and by processing information on unregistered users without their consent.

The professional network site boasts 6 million Russian users who stand to lose access to the service. The action against LinkedIn began in August and is the first reported instance of Russian authorities enforcing the data localization requirements against a foreign company. While Law 242 was originally enacted in July 2014, Roskomnadzor did not begin to review compliance by foreign-based companies until 2016, and the agency has apparently reviewed 1,500 websites to date. However, we understand that Roskomnadzor had refused to meet with LinkedIn to discuss its compliance with the law prior to the findings. This is troubling, especially since, according to German Klimenko — the Russian Presidential Adviser for Internet Issues — enforcement against LinkedIn may be intended to serve as a “signal” to larger companies operating within Russia that authorities are serious about enforcing telecommunications laws and regulations. The mechanics of the case also suggest that U.S. companies may not get a full and fair hearing on these enforcement questions before findings are issued.

In August 2015, the Russian Ministry of Communications issued non-binding guidance explaining that authorities would seek to enforce the data localization requirements against companies that physically operate in Russia or “target” Russian consumers. The report elaborated that the relevant factors used to determine whether “targeting” occurs would include whether the website (1) has a Russian domain name, (2) provides a Russian-language version of the website, (3) hosts Russian-language ads, and (4) maintains the ability to process transactions in rubles. While LinkedIn maintains no office or official representative in Russia, it does provide a Russian language version of its service and authorities could have determined that the site meets the other aforementioned factors.

Data localization is not the only area in which web-based companies doing business in Russia should be wary about the possibility of enforcement. Russia’s Federal Anti-Monopoly Service opened an investigation against Microsoft (which is in the process of acquiring LinkedIn in a $26.2bn deal) for abuse of its market position by allegedly limiting the amount of time for independent developers to adapt their antivirus software to the Windows 10 update. These developments suggest that Russian authorities are prepared to actively enforce laws against foreign tech businesses and to take severe steps against alleged violators. Internet companies operating in Russia or that have a significant number of Russian users should therefore take steps to ensure compliance with applicable rules and regulations.