On Nov. 17, 2016, Roskomnadzor (the Russian data protection authority) included LinkedIn to the database on the Register of Personal Data Infringers as the violator of data subjects’ rights, and sent an order to telecommunications companies to block access to LinkedIn within Russia. The order (in Russian) was issued according to a Moscow District Court decision (in Russian) from August, 4 2016, to block LinkedIn, along with the formal opinion of Moscow City Court from November 10 to uphold that decision.
The dispute appears to be the first major test of the law, which passed in 2014 and came into effect on Sept. 1, 2015. LinkedIn was found to be in violation of the data localization requirement as well as a number of other requirements such as collecting personal data from non-users without their consent before they complete the registration process.
Below are several highlights from the court opinion on the case that affect the understanding of the Russian privacy regulations.
Personal data. According to the court decision, if the company collects data from unregistered users, such as IP address, device model number and cookie files, this data is considered to be personal data in Russia.
LinkedIn did not get an explicit written consent from users to process their personal data, and, therefore, their rights were violated. According to the law, foreign countries are formally divided into two groups: those that provide “adequate protection of a personal data” (mainly, parties to the ETS Convention 108, such as Germany, or countries with an omnibus approach, e.g., Canada or Israel) and those, that do not provide such protection – the most relevant example is the U.S.
In addition, Roskomnadzor has adopted the official list (in Russian) of countries (including Australia, Argentina, Mexico and New Zealand) that may provide the adequate protection level for the purposes of cross-border transfers of personal data. The level of adequate protection has been measured by two factors – national legislation regarding privacy with core principles and adequate procedural/enforcement mechanism to protect privacy rights.
The U.S. was not included in the list of such countries. Thus, if a company wishes to transfer personal data to the U.S., the company must obtain written consent from the data subject. An individual’s written consent is required either in a form of a whitepaper hardcopy or in electronic format with a valid e-signature. LinkedIn’s argument that users’ gave their voluntary consent by using the website was found insufficient.
Localization. The Court concluded that LinkedIn’s servers are located only in the U.S. based on publicly available data from the WHOIS database. Therefore, LinkedIn is in non-compliance with the requirement to transfer Russian user data to servers located in Russia. According to the law, personal data from Russian users should be collected and processed in Russia, any change or amendment to such data should be always collected, stored and further processed in Russia, and any subsequent processing abroad should be exactly the same as the processing already done in Russia.
Investigation Procedure. The Court agreed with Roskomnadzor that an inspection of a platform and review of publicly available documents without even the investigation of registration procedure are sufficient evidence of social media platform functionality without a need for a detailed investigation.
Poor Communication. LinkedIn did not take all efforts to communicate with Roskomnadzor properly. The agency warned the company before bringing the case to the court, but the company did not reply. LinkedIn’s representatives did not attend the first hearing of the court, despite the fact that the company was well informed (according to the court perspective) before the hearing and that LinkedIn should have received the notice.
Scope of Application. The Court defined that LinkedIn platform is subject to Russian law because it offered a Russian-language version that is available by default for users accessing the website from within Russia, and ads on the website were provided in Russian. Thus, it targeted the Russian Federation market after Sept. 1, 2015, and should comply with the Russian Data Localization Law.
For now LinkedIn can file a cassation within the six-month period to the Moscow City Court and then an appeal to the Supreme Court of Russia, but that does not change the fact that the decision has come into force. For now LinkedIn has not announced their intentions on whether they are going to appeal further.
At the same time, LinkedIn may choose to start working on the program to get into compliance with the ruling and transfer Russian user data to servers located in the country. For example, Microsoft Corp. went through a Roskomnadzor inspection in 2016 and the agency affirmed (in Russian) that Microsoft complies with the Russian Data Localization Law. The inspection was conducted according to the list of the planned audits for 2016. Thus, there is the evidence that it’s possible to create a program to comply with the Law.
It’s fair to mention that LinkedIn was not on the list for the inspections in 2016, and there are no claims from users about their rights violation. The agency decided to inspect LinkedIn after the analysis of the market and the information about a data breach happened in 2012.
In mid-December, Roskomnadzor had uploaded their 2017 plan for conducting inspections of local companies’ compliance with Russia’s data localization requirements. The good news is, there are no U.S. multi-national companies on the list. However, it would be a good idea to check it to determine whether members of your industry will be subject to audits in the upcoming year.
Overall, it is not yet clear how often Roskomnadzor is going to enforce the data localization requirements using just analysis from public sources, but for now it’s clear that Roskomnadzor has enough power to block websites in Russia. Moreover, the fines for non-compliance according to Russian State Duma (the lower chamber of the Russian Parliament) information (in Russian) would be increased. The draft amendment was adopted in the second reading on Jan. 11, 2017. Therefore, U.S. companies should take steps to examine their compliance with Russian data localization requirements if they plan to target the Russian market.
photo credit: Russia | Kremlin via photopin(license)M/p>