Mauricio F. Paez of Jones Day writes:
During the first week of July 2014, the State Duma (lower chamber of the Russian Parliament) adopted a set of amendments to the Federal Law “On Information, Information Technologies, and Information Protection” (“Information Law”) and to the Federal Law “On Personal Data” (“Personal Data Law”). The draft legislation was approved by the Federation Council (upper chamber of the Russian Parliament) on July 9, 2014, without change. The legislation now awaits signature by Russian President Vladimir Putin to become law. When signed, and there are some mass media reports in Russia that President Putin may sign the legislation any moment now, the law will become effective as of September 1, 2016.
The most significant change, which appears likely to have a significant business impact on companies operating in and outside of Russia, is a new requirement that “databases which are used for gathering, recording, systemizing, accumulation, storage, updating and uploading of personal data of the Russian citizens” shall be located in Russia. Under the amendments, “an operator gathering personal data, including by Internet, must ensure recording, systemizing, accumulation, storage, updating and uploading of personal data of the Russian citizens with the databases located on the territory of the Russian Federation.” Hence, operators collecting data from Russian citizens will need to move their information technology infrastructure to a data center located in Russia, whether such data relates to consumers, employees, or third-party partner personal data.
Read more on Jones Day.
Updated July 20: Great thanks to a reader who sent me a copy of a Hogan Lovells newsletter that reports:
The Draft Law was signed by the Russian President on 9 July 2014, and will come into force on 1 September 2016.
Update 2 and possible Correction of July 22: Well, this is interesting. Although Hogan Lovells reported the law was signed into effect on July 9, Interfax reports that it was just signed today.