The September 1, 2015 came into force the Russian Federal Law n. 242 of 21 July 2014.
The new law on the location of personal data requires that all personal data of Russian citizens treated by foreign companies, are stored and processed in Russia without exemptions for trade data. The operator must ensure that foreign recording, systematization, saving, storing, updating and retrieving personal data of Russian citizens should be made only in databases located in the State Russian.
The subjects covered in this law are foreign companies with legal presence in Russia and foreign companies not legally present in Russia but that provide online services to Russian citizens (eg. E-commerce).
The main actions are:
• Risk Assessment to determine whether the company will process data as provided by Russian Law Localisation
• internal policies and to define where the data reside in Russia
• specific information and consents
• Local notification to the DPA (Roskomnadzor)
• Data Transfer Agreement
It is really interesting that in these years when cloud computing makes data location unrelevant from a technical point of view, data location is becoming more and more a key issue from a political point of view.
Also the new EU GDPR tries to submit Personal Data to the EU jurisdiction. Article 3, second paragraph of the version approved by the EU Council states as follows: “2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to: ….”.
The lawsuit between Microsft and the US Department of Justice refers, again, to the relevance of the place where data are stored in relation with the applicable jurisdiction.
We could say that what is feasible from a technical point of view doesn’t match with the sovereignty principle which nations and States are based on.
The data protection legislation is becoming, worldwide, the intersection between tech and politics.