On September 1, 2016, Russia’s Federal Service for Supervision in the Sphere of Connection, Informational Technologies and Mass Communications (“Roskomnadzor”) issued a report summarizing the results of implementation and compliance control of the data localization rules in force in Russia as of September 1, 2015.
The data localization rules require data operators that collect personal data about Russian citizens to use databases located in Russia for storing and processing the data. According to a press release available on the regulator’s website, over the last 12 months, 1,036 privacy compliance audits have been carried out, and 1,882 breaches of personal data regulations detected, out of which only 31 related to data localization rules.
While the details of Roskomnadzor’s audits, as well as its reasoning, are not publicly available, some of the reports coming from the regulator’s regional divisions suggest that in most cases, the audits are focused on documentary confirmation of the fact that personal data is stored and processed on Russia-based servers, rather than on actual examination of technical means employed by data operators.
It is reported that in respect of all detected violations of data localization rules, the parties audited have received Roskomnadzor’s orders to cure the violations, with the cure period of up to six months.
Roskomnadzor indicates that 479 more privacy audits are scheduled to take place before the year-end.
