On 21 July 2014, Russia adopted a law which generally requires all companies that collect and process personal data of Russian citizens to use databases located in Russia. On 19 and 24 September 2014, the Russian State Duma passed in the first and second readings a draft law that will change the implementation deadline from 1 September 2016 to 1 January 2015. However, on 9 October 2014 a number of State Duma officials announced in Russian mass media that they no longer intend to change the implementation deadline to 1 January 2015, but a less significant change in implementation deadline still remains possible. No changes have been made to the draft law since then. Russian and foreign companies that collect the personal data of Russian citizens (either through websites or otherwise) will be required to maintain databases to store and process such personal data on Russian territory. However, the minimum steps required to comply with the Law are not currently clear. In accordance with the Law, operators of web resources through which personal data of Russian citizens are collected must ensure that the databases used to record, systemise, accumulate, store, amend, update and retrieve data are located in Russia. Note that the definition of “personal data” is very broad under Russian law. Personal data include any information that directly or indirectly relates to a particular individual. There is no exhaustive list of such data, but normally it includes name, date of birth, passport data, address, education, family status and other information disclosing the identification of an individual. The Law does not expressly require databases handled abroad in accordance with previous regulations to be returned to Russia and does not additionally restrict cross-border personal data transmission. Therefore, the interpretation of the new law in conjunction with other laws in this sphere leads us to believe that the new law does not restrict sending and processing personal data abroad, and a structure with a mirror database in Russia may be sufficient to comply with the law. In September 2014, Russian authorities suggested a more restrictive interpretation, according to which databases located within Russian territory must always be used at least for primary processing of personal data (recording, correction, alteration, etc.). If such interpretation prevails, companies would be required to reroute their flows of personal data through Russian IT facilities when Russian citizen are concerned. While this interpretation is nonbinding and further interpretations may be less restrictive, we find this development important due to the substantial changes and short period of implementation. If companies fail to comply, the Russian regulatory authorities will be able to block access to non-compliant websites based on a relevant court decision and/ or to impose administrative fines and issue binding orders to cease violations. A company’s resource may be unblocked if the underlying court ruling is overturned or if the company demonstrates that it has discontinued the violation. Currently, Russian law has no concept of a “server-based” taxable permanent establishment. However, many tax concepts developed by OECD countries are currently bein implemented in Russia. In the long term, companies operating Russia-based databases in connection with their commercial activities might face the risk of “serverbased” permanent establishmentclaims in Russia, especially in the e-commerce and cloud computing market segments. The potential change in effective date of the Law would significantly affect the Russian segment of businesses that use online personal data collection as a core element of their commercial activities. Despite the ongoing uncertainty, companies which are involved in the collection and processing of Russian nationals’ personal data, and which currently do not use a Russia-based personal database, should explore the legal and technical possibilities of creating such a Russia-based personal database while managing the tax and other risks associated with the same. They should also consider both the initial and possible restrictive interpretation of the law, as well as potential revision the implementation deadline. By Maxim Kalinin*, Edward Bekeschenko**, Alexander Monin**, Arseny Seidov** and Igor Makarov**.
Alexander Monin is a partner in Baker McKenzie's Moscow office. He practices in the areas of trade and commerce, mergers and acquisitions, as well as private equity. He is recommended by European Legal 500 in its 2008 edition. Mr. Monin earned his Bachelor of Law and his Law Degree in International Law at the Moscow State Institute of International Relations, and was admitted to practice law in Russia in 1997. Mr. Monin focuses his practice on commercial agreements and contracts, private M&A transactions, private equity and anti-corruption matters. His practice also includes corporate counseling and governance for private companies.