A few words on data localisation

We discuss the latest debate on data localisation, the origins of this institution and its aims in our new longread.

Each of you may have heard about the multi-million dollar fines against Google, WhatsApp and Twitter for failing to comply with so-called localisation. In total, fines for non-compliance with localisation requirements already exceed 70 million roubles.

The new litigation, with increasingly large fines, gives us reason to think about the effectiveness of fines as a measure of liability for violations of localisation requirements.

Let's try to figure it out together and find out:
✖️ what is "localisation"?
✖️ what objectives did the legislator pursue when introducing the localisation requirement into Russian law?
✖️ what are the analogues of the localisation requirement abroad?
✖️ what is the target test and how is it applied in practice?

Localisation is the process of collecting, recording and storing information in a database on any device located within the borders of a particular state.

Where did it all start?

The year 2015 is upon us. Numerous amendments are being made to the legislation on personal data. One of the innovations is a regulation that prescribes that when personal data of Russian citizens is collected, it must be recorded, stored, updated, amended and retrieved using databases in Russia.

The purpose of the localisation requirement is to protect the personal information of compatriots by preventing its accumulation and leakage abroad.

Localisation requirements - a Russian experiment or a widespread tool for data protection?
Data localisation rules are not a Russian innovation. Similar requirements have been implemented in many jurisdictions - the European Union (EU), Vietnam, India, UAE and Saudi Arabia.

Although localisation requirements and the volume of data to be localised vary in the countries listed, what remains common is the reduced activity of businesses, which have to incur additional costs to create infrastructure to store user data. For example, strict EU requirements for transferring data to third countries such as the US, where most of the world's servers and parent companies are located, effectively prevent data from leaving the European Union.

This is why some countries explicitly deny the effectiveness of territorial restrictions and advocate data mobility.
Localisation: the challenges in practice
The localisation regulation introduced into Russian law has literally rattled the market. Not only did foreign companies have to re-engineer processes and acquire expensive equipment, but the localisation requirements also remained unclear.
- How do I know that the occasional website user is a Russian citizen? Ask them to provide passport details?
This procedure seems not only costly but also time-consuming. Its implementation would obviously lead to a drop in conversion rates.
- Identify the user by IP address?
In theory, this mechanism could work. In practice, however, it would incur additional costs, not always justified given dynamic IP addresses and VPN services that allow bypassing IP detection tools.

In order to somehow bring market participants to their senses, the government has introduced the so-called target test - criteria that can be used to determine that a company should think about localising Russian data.

What are the criteria for a target test?

  • Domain name (.ru, .rf, .su);
  • Access to the functionality of the site in Russian;
  • The possibility of paying in roubles;
  • Advertising aimed at Russian users;
  • Opportunity to provide services in Russia.

It is thus presumed that the company, which is purposefully active in Russia, is processing a fair amount of personal data on Russians.

Target test in action
The first high-profile data localisation dispute dates back to 2016. An inspection revealed that LinkedIn had collected personal data from Russian users in violation of localisation requirements. As a result, LinkedIn was blocked in Russia at the request of Roskomnadzor. It was followed by Google, Twitter and Meta.

Obviously, for the IT giants, million-dollar fines are nothing. On the other hand, banning services because of localisation requirements is a clear and unambiguous signal to potential violators: "we will come after you, you are next in line".
The turn came this year, when IT companies began to be held liable in droves. At the same time, the arguments and rejoinders in support of non-compliance with localisation requirements are increasingly surprising.
In the Ookla case, the court considered that the target test is not applicable in localisation cases (!) because the obligation to localise data falls on every company on whose site Russian users could hypothetically register.

In the Spotify case, the court generally stated that the localisation of data implies a ban on any processing of such data in other countries (oh, if only the court knew that 99% of its own data is transferred abroad one way or another; otherwise it would not be able to use the simplest things, e-mail, for example...).

Roskomnadzor also sets the tone: the agency must now be provided not only with a lease agreement for Russian servers, but also with details of which specific data of Russian users is processed under the agreement.

In lieu of conclusions
As Spotify's representative put it in court, tightening the screws will one day simply lead to all foreign services, even those like Spotify who initially did their best to comply with Russian laws, packing up and leaving.

In the end, it is the Russian user who loses the most because of the restrictions: they have to switch to other platforms, pay for VPN services, open accounts abroad in order to continue listening to music, buying apps, watching films. But that is the reality, and inevitably you have to adapt to it. Being in the same boat as you, we will try to make your journey just a little bit more pleasant.
In our next posts and longreads we'll tell you how you can bypass restrictions, transfer playlists, purchase history, recommendations and preferences from one app to another, and much more.