Gowling WLG (International) Inc - Russia
At present, LinkedIn is blocked in Russia. One of the world’s largest social networking sites with over 400 million users in 200 countries, LinkedIn has not been accessible in Russia since November 22 2016. On November 10 2016 the Moscow City Court upheld a lower court’s decision ordering that the website be blocked for all users in Russia.
Roskomnadzor is the state executive body responsible for supervising all media in Russia, including what appears on the Internet. It is also responsible for overseeing compliance with the law protecting the confidentiality and proper management of personal data. In fulfilling that role, it brought a claim against LinkedIn alleging that LinkedIn had violated Russia’s new personal data protection law. More specifically, LinkedIn was said to have failed to comply with the requirement to store personal data of Russian citizens on servers located within Russia. On August 4 2016 the first-instance court ruled in favour of Roskomnadzor. LinkedIn appealed and lost. Shortly afterwards, Russian internet service providers cut off nationwide access to LinkedIn and the company is now listed on Roskomnadzor’s non-compliance blacklist.
The amendments to the law on personal data protection came into effect on September 1 2015 (Federal Law 242-FZ on Introducing Amendments to Certain Legislative Acts of the Russian Federation with Regard to Personal Data Processing in Information and Telecommunications Networks (July 21 2014). Law 242-FZ amended several Russian laws, including core privacy laws such as Federal Law 152-FZ on Personal Data (July 27 2006). The data protection law obliges all companies processing data relating to Russian citizens to record, systematise, accumulate, store, update, change and retrieve such data in databases located within Russia. For example, the data could reside in company-owned and operated equipment or in leased space on a cloud server located in Russia. The law does not explicitly require data operators to perform data processing operations solely within Russia; it merely requires that a copy of the data be stored in the country.
Since the data protection law came into force, Roskomnadzor has conducted more than 1,000 planned and ad hoc inspections with only a minor percentage of data localisation violations being uncovered. Previously, the regulator’s inspections had targeted only small and medium-sized companies. LinkedIn was the first international brand owner to receive a notice of non-compliance from Roskomnadzor. According to Roskomnadzor, LinkedIn did not respond to the notice, and the regulator then brought the case to court.
In the appeal, LinkedIn argued that it was not subject to the law because it had no physical presence in Russia and does not specifically target Russian users. LinkedIn further argued that the company had not been given proper notification as Roskomnadzor communicated with the US office instead of LinkedIn Ireland, which processes the data of non-US citizens (www.vedomosti.ru/politics/news/2016/11/10/664418-internet-ombudsmen). However, these arguments did not persuade the appeal court to reverse the lower court decision.
LinkedIn can further appeal the decision to the Supreme Court or can negotiate with Roskomnadzor to find a solution. It is reportedly eager to work with the regulator to reach an agreement. Until then, LinkedIn will remain inaccessible in Russia.
The LinkedIn case is one of the first to drive home the extent to which Russian authorities are ready to enforce the new data localisation provisions against brand owners, particularly against those which operate websites that are accessible in Russia without having a physical presence there. Media reports suggest that some international brand owners including Apple, Samsung, Uber, PayPal, Alibaba Group and Booking.com have already agreed either to place their own servers in Russia or to commit to cloud storage on servers within Russia. However, while a handful of leading social media platforms offering services Russia have complied, most have not yet done so and thus remain vulnerable to being targeted. All eyes are now on the LinkedIn case in case it is just the tip of the iceberg.
For further information please contact:
This is a co-published article whose content has not been commissioned or written by the IAM editorial team, but which has been proofed and edited to run in accordance with the IAM style guide.