Privacy & Information Security Law Blog

Last week, the Russian Parliament adopted a bill amending portions of Russia’s existing legislation on privacy, information technology and data protection. Among other provisions, the law would create a “data localization” obligation for companies engaged in the transmission or recording of electronic communications over the Internet. Such companies would be required to store copies of the data for a minimum of six months in databases that must be located within the Russian Federation. The new bill also would empower the Russian data protection authority to block public Internet access to any service that does not comply with this requirement.

It appears the amendments are aimed at preventing foreign intelligence services from accessing Russian citizens’ data, as well as facilitating such access by Russia’s own law enforcement agencies. Some commentators have suggested that the new bill also is intended to encourage the development of home-grown online services in Russia.

Earlier this year, the European Union’s highest court struck down a broadly comparable data retention requirement, and Brazilian lawmakers withdrew the data localization provision from a legislative proposal in the face of opposition from Internet companies.

Reports indicate that, subject to the approval of the upper house of Russia’s Parliament and signature by President Vladimir Putin, the law will become effective in the second half of 2016.