SaaS Agreements – Data Protection – Russian Data Centres

SaaS suppliers who will be processing personal data of Russian citizens on behalf of SaaS customers need to be aware of amendments to the Russian Federal Law on Personal Data. From the 1st of September 2015, changes to this Russian law may prohibit foreign SaaS suppliers from processing personal data of Russian citizens on servers located outside of Russia.

Restrictions

The amended law will apply to all ‘data operators’. A data operator combines the duties of a SaaS customer (data controller) and a SaaS supplier (data processor) so the law will apply to both SaaS customers and SaaS suppliers. Under the amended law it will be illegal for a data operator to collect personal data of Russian citizens and send it directly to servers located outside of Russia without using a database installed on a server located in Russia. This means that SaaS suppliers will need to ensure that personal data of their SaaS customers is stored in databases on servers located within Russia i.e. in a Russian data centre.

Export of Data outside of Russia

No explicit restriction on the transfer of personal data outside of Russia is contained in the amendment to the law. The amendment simply says that personal data must be stored in Russia.

It is therefore currently unclear whether the processing of personal data of Russian citizens should only take place in Russia or whether under existing laws personal data can be transferred outside of Russia if the following conditions are met:

  • the prior written consent of the data subject is obtained; and
  • the transfer is to one of the 46 countries which are party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.

In March 2015, the Russian Internet Ombudsman proposed that foreign online companies be allowed to continue to store personal data of Russian citizens in a third country, if they complied with the above. However, as a number of multinational online companies such as Google are setting up servers in Russia, it seems unlikely that this exception will continue after September 2015.

Personal Data

Unlike EU data protection laws, the amendment to the Russian law does not provide clarification of the personal data to which it applies. For example, the amendment to the law says nothing about whether:

  • the new rules will apply to personal data already collected from Russian citizens i.e. collected before the amendment comes into force on the 1st of September 2015;
  • the new rules apply to personal data of Russian citizens who are not resident in Russia; and
  • IP addresses are personal data.

Penalties

Roscomnadzor (the Russian entity responsible for monitoring compliance) will be able to block access to websites in the territory of Russia that breach the new rules. In addition, fines can be imposed, although these will generally only be in the region of 150 GBP for each breach. However, the Russian Parliament is currently considering legislation to increase the level of fines and to introduce new categories of personal data breaches.

Summary

In light of the above, SaaS suppliers need to:

  • identify whether or not they have any SaaS customers collecting personal data of Russian citizens;
  • check that SaaS customers who collect data of Russian citizens have servers physically located in Russia; and/or
  • consider providing hosting services themselves from servers located in Russia, particularly if such personal data is only being processed outside of Russia; and
  • check any developments in this area.

Failure to consider the above and take appropriate actions could result in SaaS suppliers facing fines from the local Russian Roscomnadzor for breaches of the amended law.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com

Speaker at the Berlin CloudConf 2013.
