On July 1, 2017, new amendments on personal data came into legal effect in Russian legislation. They dictate new rules on processing and storing personal data, and impose additional requirements on service providers.
Russian IT infrastructure is currently migrating to cloud storage. As in European countries, this tendency is enforced by legislation, specifically Federal Law 152 “Personal Data Protection”. This law prescribes that data be processed and stored on the territory of Russia. The new requirements apply to all companies registered in the country, foreign companies with representative offices and branches in Russia, and other foreign companies whose activity is connected with the state and covers personal data of Russian citizens.
Personal data is interpreted as “any information which would enable to identify a person, including e-mail address containing surname and company’s name, number of bank account, mobile phone number”. Since the law on “Personal Data Protection” was officially recognized, there have been several precedents, the largest of which was the trial conducted against the American social network LinkedIn, which led to the resource being blocked on the territory of Russia.
Twenty-one European countries have adopted laws obligating companies to store certain information (first of all, personal data) locally. The basic CISPE code was inherently aimed at keeping European data within Europe; however, the outflow to cloud storage is associated with the requirements for data processing. In Russia the same tendency originates in the handling of personal data within the country. Information can be processed abroad, but it must be collected and kept within the state, and service providers are responsible for meeting this requirement.
Foreign companies that work with the data of Russian citizens are replacing physical infrastructure with virtual storage to comply with legal requirements. Experts noted that the “cloud storage” market increased multiple times in 2017 and reached $1.6 billion. They offer foreign companies several options for working with the personal data of Russian users. The first consists of transferring data to physical or virtual servers located in Russia. Another option involves entering information into a database outside Russia, but in that case a copy of it must exist on the territory of the country and the servers must be synchronized in real time.
Another variant is a personal data hosting service. Such a service is offered by cloud solution providers, for example “IT-Grad”. It provides information security and compliance with the requirements dictated by the law. A provider guarantees compliance with all regulations and provides certified equipment that conforms to the provisions of the Federal Law.
Foreign companies might find a hosting service useful. Yet it should also be of interest to the Russian business community, from small enterprises hosting online shops or marketing research systems to large corporations that must meet not only legal requirements but also a high level of reliability when processing and storing data. Companies that rely on cloud storage derive benefits including well-protected file hosting on certified equipment produced by hardware manufacturers (NetApp, Cisco, IBM and others) and the use of hardware-software encryption systems. Furthermore, in this case the procedure of bringing infrastructure into line with the Federal Law 152 requirements is simplified, which reduces legal risks.
In addition to the obligations imposed on a cloud service provider, legislative acts include duties that must be fulfilled by the customer. In particular, Government Decree No. 1119 obligates database operators to evaluate the types of actual threats, to implement a certain level of information protection and to choose the means of data protection. There are currently three types, or levels, of actual threats.
In addition to the above, the Federal Law on “Personal data protection” expands the rights of the Federal Service for Supervision of Communications, Information Technology and Mass Media. It has the right to limit access to information that is processed in violation of the law. For this purpose, the “Register of violators” is maintained; it consists of websites that failed to handle information according to the legislation. Control and supervision of data processing is regulated administratively. In addition, the Federation Council has approved changes to the law on databases, according to which the rules of state control and supervision over the processing of personal data will be determined by the Government of the Russian Federation.
Reputable customers strive to use cloud storage lawfully. But this goal can hardly be achieved without cooperation with a law-abiding service provider. Therefore, the tandem of a customer and a provider becomes vital.