SaaS suppliers that process personal data of Russian citizens on behalf of SaaS customers need to be aware of amendments to the Russian Federal Law on Personal Data. From the 1st of September 2015 these amendments may prohibit foreign SaaS suppliers from processing personal data of Russian citizens on servers located outside Russia.
The amended law will apply to all ‘data operators’. The Russian concept of a data operator covers the roles of both a SaaS customer (data controller) and a SaaS supplier (data processor), so the law will apply to SaaS customers and SaaS suppliers alike. Under the amended law it will be illegal for a data operator to collect personal data of Russian citizens and send it directly to servers located outside Russia without first recording it in a database on a server located in Russia. This means that SaaS suppliers will need to ensure that the personal data collected by their SaaS customers is stored in databases on servers located within Russia, i.e. in a Russian data centre.
Export of Data outside of Russia
No explicit restriction on the transfer of personal data outside of Russia is contained in the amendment to the law. The amendment simply says that personal data must be stored in Russia.
It is therefore currently unclear whether the processing of personal data of Russian citizens must take place only in Russia, or whether, under the existing rules, personal data can still be transferred outside Russia if the following conditions are met:
- the prior written consent of the data subject is obtained; and
- the transfer is to one of the 46 countries that are party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
In March 2015, the Russian Internet Ombudsman proposed that foreign online companies be allowed to continue to store personal data of Russian citizens in a third country, if they complied with the above. However, as a number of multinational online companies such as Google are setting up servers in Russia, it seems unlikely that this exception will continue after September 2015.
Unlike EU data protection laws, the amendment to the Russian law does not clarify which personal data it applies to. For example, the amendment says nothing about whether:
- the new rules will apply to personal data already collected from Russian citizens, i.e. collected before the amendment comes into force on the 1st of September 2015;
- the new rules apply to personal data of Russian citizens who are not resident in Russia; and
- IP addresses are personal data.
Roscomnadzor (the Russian authority responsible for monitoring compliance) will be able to block access within Russia to websites that breach the new rules. Fines can also be imposed, although these will generally be only in the region of 150 GBP per breach. However, the Russian Parliament is currently considering legislation to increase the level of fines and to introduce new categories of personal data breach.
In light of the above, SaaS suppliers need to:
- identify whether or not any of their SaaS customers collect personal data of Russian citizens;
- check that SaaS customers who collect personal data of Russian citizens have servers physically located in Russia;
- consider providing hosting services themselves from servers located in Russia, particularly where such personal data is currently processed only outside Russia; and
- monitor developments in this area.
Failure to consider the above and take appropriate action could result in SaaS suppliers facing fines from Roscomnadzor for breaches of the amended law.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:
Speaker at the Berlin CloudConf 2013.