In mid-January, the territorial divisions of Russia’s Data Protection Authority, Roskomnadzor, uploaded their 2016 plans for conducting inspections of local companies’ compliance with Russia’s data localization requirements, and there are a number of prominent multi-national companies on the list.
For instance, the inspection plan of Roskomnadzor’s territorial division for the Russian Central Region (in Russian) contains a number of organizations with an online presence directed to Russia, including Microsoft, Samsung, Hewlett-Packard, VKontakte (Russian social network), HeadHunter.ru (online job search service), Ostrovok.Ru (online booking service), Cronwell Hotels, Chrysler, Volkswagen, Amway, Oriflame, UniCredit Bank, and LaModa.ru (online shop). The full list of data operators included in the inspection plan of Roskomnadzor’s territorial division for the Russian Central Region is available here (in Russian).
This policy of extending the inspections to entities having online activities is in line with the position Roskomnadzor expressed at its November 2015 Personal Data Conference, where Roskomnadzor’s representative informed attendees that in 2016 the regulator would focus its enforcement efforts on organizations acting via Internet (e.g., social media sites, online retailers, financial institutions).
At the same conference, a Roskomnadzor representative announced that its inspections as of that date resulted in three administrative fines issued under the data localization requirement. Roskomnadzor’s representative also announced that 104 websites were included in the Register of violators of Russian privacy laws, although these were because of violations of general provisions of Russian privacy law unrelated to data localization.
Companies operating in Russia should check these inspection lists to determine whether they, or members of their industry, will be subject to audits in the upcoming year.