Toughening the requirement for localisation of personal data

27 March 2025

On 28 February 2025, Law No. 23* was adopted, amending the regulation of personal data. These changes will come into force on 1 July 2025.

The amendments significantly transform the requirement for localizing personal data of Russian citizens. From now on, when collecting personal data of Russian citizens, it will be prohibited:

to record,
systematise,
accumulate,
store,
clarify (update, change), and
extract such data

using foreign databases.

Previously, the Law on Personal Data stipulated that when collecting personal data, operators were required to perform the initial processing using databases located in the Russian Federation. However, it was not prohibited to transfer or duplicate the data to foreign databases during subsequent processing.

In essence, the provision has shifted from a prescription to a strict prohibition.

These changes have sparked widespread discussion in the professional community, with differing interpretations, including some suggesting a complete prohibition on cross-border data transfer. However, such an interpretation does not appear to follow from a literal reading of the law, and the legal provisions on cross-border data transfer have been left untouched.

The amendments appear to refer only to the primary processing of Russian citizens' data at the point of data collection — that is, when personal data is directly received from the individual (for example, via a registration form). Therefore, based on a literal interpretation, the storage or further processing of this data for other purposes not related to the initial collection, or the processing of generated data, should not be subject to this prohibition.

In particular, the amendments do not exclude the possibility of subsequent cross-border data transfers, provided that the relevant requirements of the Personal Data Law are met.

Importantly, the localisation obligation now applies not only to operators but also to “processors”.

In addition to the amendments mentioned above, Law No. 23* introduces provisions concerning the processing of civil servants' data, along with additional measures to enhance the security of such data.

These amendments are part of a broader trend towards tighter regulations and increased responsibilities in the field of personal data protection.

Given the supervisory authority's close scrutiny of data localisation issues, we recommend that companies conduct audits of their internal processes, data localisation schemes, and partnerships with “processors” to ensure compliance with the law and avoid liability.

* In Russian

Publication is also available in Chinese, Japanese, and Russian.

Authors:

Alisa Mikheeva, Associate

Shermet Kurbanov, Associate

Elizaveta Isaeva, Associate

Intellectual Property & Digital Law

10 December 2024 E-commerce in Russia: what foreign business needs to know

With extensive internet penetration reaching about 88%, development of e-commerce is one of Russia’s key strategic initiatives, currently accounting for about 4.6% of GDP. In 2020, despite overall economic downturn, the pandemic spurred a substantial increase in online shopping across the country, extending even to Russia’s most remote regions. The e-commerce market remains diverse, offering opportunities for businesses across a broad range of products to find their niche.

To learn more about Russia’s e-commerce market, please read our article for Asia Business Law Journal.

19 September 2024 Mining, anonymised data, blogger registration and other recent digital sphere changes

In early August 2024, several significant changes to digital law were adopted. In this material we outline the most important updates.

2 August 2024 New regulation of orphan works in Russia

On 22 July 2024, amendments to the fourth part of the Russian Civil Code were adopted, addressing the regulation of orphan works. These amendments will come into force on 21 October 2024.

25 June 2024 Overview of Supreme Court practice: How to protect copyright and neighbouring rights on the Internet

On 29 May 2024, the Supreme Court approved the Review of judicial practice in cases related to protecting copyright and neighbouring rights from Internet infringements.

The Supreme Court included 41 cases in the Review, grouped into eight sections. In this overview we present the conclusions that, in our opinion, were significant and which were included in the Review.

24 May 2024 New procedure for approving IP transactions

On 20 May 2024, Presidential Decree* No. 430 “On the Temporary Procedure for Acquisition of Exclusive Rights from Certain Right Holders and Meeting Monetary Obligations to Certain Foreign Creditors or Persons under their Control” was signed by the President and entered into force.

Now, within the framework of counter-sanction regulations, transactions on assignment of intellectual property owned by right holders from “unfriendly” states shall be approved by the Government Commission for Control over Foreign Investment in the Russian Federation.

26 February 2024 Digital Law Digest 2023

We are pleased to present a digest encompassing the latest news and all the main changes in Digital Law in 2023. The digest is available in English and Russian.

12 January 2024 A new procedure for approving transactions to dispose of intellectual property is to be put in place

On 14 December 2023, a draft decree has been submitted for approval to the Russian Ministry of Justice (the “Decree”) that provides for amendments to the Presidential Decree No. 81 dated 1 March 2022 introducing a new procedure for approving transactions to dispose of or pledge exclusive rights of right holders from the so-called “unfriendly” countries.

Stay tuned Here you can sign up for our free newsletters to regularly receive information on current law issues and events tailored to your individual needs. SEND