Skip to main content

Russian Data Localization Laws: Enriching “Security” & the Economy

February 28, 2018

Authors:

Matthew Newton, Julia Summers

Feature Series

Data Localization Laws & the International Movement of Information

  • Outside_photo_of_METI_Buildings
  • Door_to_Swiss_National_Bank
  • White_balloons_hanging_from_the_ceiling_at_China_Science_and_Tech_Museum
  • Siberian_river_seen_from_plane
  • Photo_of_the_Korean_Penn_from_Space_at_night

Data localization laws require that certain types of data be stored within a country before being allowed to move outside that country’s borders. Internationally, there has been an increase in data localization legislation. And, while the uptick in data localization laws across countries is the logical consequence of Snowden’s revelations in 2013 about U.S. surveillance, Russia’s data laws were also implemented in response to domestic and regional concerns.[1]

These domestic and regional concerns include the Kremlin’s desire to censor information and control dissent – both of which have played a major role in developing data localization policy meant to secure the stability of the Russian state. By tracking personal information of its 100+ million Internet users, securing these data on domestic servers, and emboldening legal institutions to crack down on what the state deems extremism, Russia continues to impose state sovereignty on the digital sphere.[2]

However, Russia is also using data localization laws to provide capital flow to Russian companies by requiring them to pay to store Russian data on Russian servers. Russia understands the value of its massive user-base to international companies such as Facebook, Twitter, Apple, Google, and Microsoft, and wishes to capitalize on their influence and reach. Data localization laws force these companies to play by Russia’s rules. By requiring these and other companies to store Russian citizens’ data on specifically Russian servers, the Kremlin effectively creates additional “barriers to entry” to the Russian market sector. As a result, Russia is forcing Western corporations, which deal with the transfer of data on a massive scale, to ultimately rent Russian server space and pay Russian data services firms or risk being blocked outright in the country. The result appears to be a means through which the Russian state provides capital flow to its private sector by charging admission to international corporations, which target Russian users.

When considering the political implications of data localization, the Kremlin is well aware of the role social media played in massive anti-government protests in 2012.[3] Beginning in December 2011, Internet and social media platforms such as Twitter, YouTube, Facebook and Vkontakte (the Russian-language equivalent to Facebook) and Russian language segments of LiveJournal served as mobilization and communication tools for tens of thousands of Russians during the rallies across the country against fraudulent parliamentary elections.[4] Russian activists also any used available information and communication technology (ICT) to organize the protests. It appears that use of these tools and Russia’s robust online culture fueled mass public gatherings in Russia, led by the liberal opposition leader at that time, Boris Nemtsov, and anti-corruption activist Aleksey Navalny.[5] According to NPR, the December 2011 uprisings were the largest in Russia since the collapse of the Soviet Union in 1991.[6] With the visible increase in intensity and popularity of the mass street protests, the Kremlin began implementing a new series of laws to improve the country’s cybersecurity, among which is the legislature known as Russia’s data localization law.[7]

Russia’s data localization legislation is officially known as Federal Law No. 242-FZ.[8] The final amendments to this data localization law in Russia went into effect on September 1, 2015, and required all domestic and foreign companies to accumulate, store, and process personal information of Russian citizens on servers physically located within Russian borders.[9] According to the law, any organization that stores the information of Russian nationals, whether customers or social media users, must move that data to Russian servers.

The Interplay of Russian Data Localization Laws and Security Laws

Generally, non-Russian companies have been hesitant to move their data to Russian servers because of the interaction between data localization laws and other Russian security laws. For example, in mid-2016, the Russian government passed controversial amendments to anti-terrorist laws known as “Yarovaya’s Law.”[10] According to the law, “the organizers of information distribution on the Internet” are not only required to store the metadata for one year, but also to help the FSB (Russian security service) to de-crypt any user data it requests.[11] Given that, not only will companies that fail to comply be faced with substantial penalties, they also, albeit passively, will be assisting Russian government’s “iron fist” policies for crushing dissent. Dissent is often categorized as “terrorism” in Russia.[12] Ultimately, Russia wants to secure access to its citizens’ private data to control dissent. When data are held transferred onto to Russian servers, it grants the FSB access to users’ audio, text, and video communication online without a court order.[13]

Compliance with the new legislation is strictly monitored and enforced by Russia’s Federal Service for Supervision of Communications, Information Technology and Mass Media, known as Roskomnadzor. Roskomnadzor maintains and regularly updates its online webpage, which contains a shortlist of companies due for future audits.[14] In late 2015, Roskomnadzor reported that it blocked some 7,300 websites deemed forbidden in Russia.[15] Although there were no listed domain names of blocked websites, the announcement sent out a signal that the Russian government takes enforcement of the data localization law very seriously.

Having set the precedent through reportedly blocking so many websites in late 2015, Roskomnadzor now conducts audits of compliance with this new data localization law.[16] As a result, many Russian and U.S. companies have moved their data to Russian data centers, although some were blocked from the country for failing to comply with this requirement.[17] For example, Apple, Facebook, and Google all eventually complied with the law. But, in 2016, Roskomnadzor blacklisted LinkedIn’s website in Russia, making it the first international social media network to be banned for failure to comply. Roskomnadzor also required Google and Apple to remove LinkedIn from mobile application stores as well.[18]

Roskomnadzor’s decision to ultimately block LinkedIn represents an additional problem that Russia hopes to solve. As an employment recruiting site, the Russian government understands that its best and brightest can easily “jump ship” and leave for Western firms such as Microsoft and Google, thus robbing the Russian state of critical human resources. Since the collapse of the Soviet Union, “brain drain” has been a critical issue in modern Russia, thwarting innovation in industry, technology, and business. Hundreds of thousands of citizens left the Soviet Union before its collapse in 1991, and Russia is still struggling to replace the social and intellectual capital it once possessed.[19] Thus, closing the door on LinkedIn allows Russia to better control international employment arrangements and makes it harder for talent to find other opportunities elsewhere.

Many other international companies such as eBay, Apple, and Facebook have quietly complied with the law, while Viber, seemingly unconcerned with the inevitable PR hit, was the only one to offer a press release on the matter.[20] Roskomnadzor said that it would unblock LinkedIn should the company comply with Russian legislation by moving users’ data onto Russia servers and adjusting the user agreement “that states that the company collects not only personal data of its users but also personal metadata (IP-addresses and cookie files) of its website’s visitors.”[21]

Although the Russian government seems to be determined to come down hard about the data localization law for noncompliance, Roskomnadzor appears to be selectively patient with the sites it leaves alone. Facebook has been largely left alone by Roskomnadzor until after it released a white paper on September 6, 2017, detailing the extent of the ad-based influence campaign purchased by the Russian government.[22] On September 26, 2017, Roskomnadzor announced that Facebook would have to comply with localization laws or risk being blocked outright in Russia.[23]

This is evidence that Russia is using its localization laws as part of a broader security strategy. The Russian media has reported that Facebook has indeed decided to comply with the laws, and that representatives from Roskomnadzor will meet with Facebook heads to verify progress in their compliance.[24] While it is highly unlikely that Russia will actually block the site, it seems that Facebook takes these threats very seriously, and has few qualms about spending hundreds of millions of dollars to ensure it maintains its presence in Russia.

Data is the New Russian Oil  

While data migration is time-consuming and costly in the short term, Russia stands to benefit in the long term. Along with the Russian government’s political motivations for data localization policies, Russia also stands to realize plenty of economic gain with its data localization laws because of the requirements they place on companies to store data in Russian servers.

Russia’s increasingly weakened economy has thwarted growth in its IT sector. In recent years, economic sanctions from the U.S. and EU have obstructed prospects for growth in the data storage industry in Russia; currently Russia’s data center supply still exceeds demand.[25] Transferring data onto Russian servers is a complex and lengthy process that makes international companies apprehensive due to the costs and operational changes it requires. For instance, the trickle-down costs of data storing for local telecommunication companies may ultimately be passed onto their customers, and raise the prices of their services. The costs associated with setting up separate servers in Russia for smaller e-commerce businesses might not be worth the trouble, thus, resulting in them exiting Russia’s market.

The state and other powerful interests stand to benefit economically by bringing international business to Russia’s newly built datacenters.[26]  The big data market in Russia has been developing rapidly and the new data localization legislature has visibly stimulated its expansion.[27] According to some estimates, by 2015 the data center market exhibited 20% annual growth.[28] For example, both Apple and Booking.com began moving their data to Russia in 2015 in accordance with the data localization law in 2015. To do this, they have made use of server space from a Russian data processing company called IXcellerate.[29] This illustrates how Russia is supporting its private industry by means of data localization requirements, as well as diversifying its ailing economy, which is overly dependent on the export of natural resources, such as oil and gas.

At the same time, Russia is not taking a short-sighted approach. The long-term approach Russia is employing in its new data centers is energy efficient and should be taken seriously. Given the increased dependence on cloud-based storage worldwide, data centers are consuming more and more energy annually.[30] Russia’s response to the issue of energy efficiency and cooling technology is to develop new data centers in Siberia that run on cheap hydroelectric power and nuclear energy.[31] For instance, the Siberian town of Udomlya is due to become Russia’s largest data center, which will consume 80MW to power as many as 10,000 server racks. Alongside this, Russia’s state corporation for nuclear power, Rosenergoatom, has begun building a data center next to its nuclear power plant in Kalinin, which produces 4000MW of electrical energy. The company has even offered Facebook and Google server space to support their data localization compliance.[32]

Conclusion and Implications

Information sovereignty in Russia has larger implications. In one sense, it is a continuation of the Russian authorities’ attempts to “tame” the Internet following the Arab Spring in 2011 and the Bolotnaya protests, which began soon after. In conjunction with Yarovaya’s law and emboldened legal institutions cracking down on what is deemed extremist behavior, data localization supports the FSB’s campaign against dissent and growing domestic opposition.

Furthermore, Russia’s information repatriation indicates growing protectionist tendencies aimed to grant its domestic economies a competitive advantage, while reducing the market influence of Big Data abroad. As a result of these data localization laws, a significant percentage of market share from the data services industry is ultimately shifting towards Russia. This will also support Russia’s desire to control and track its citizens’ private information for national security purposes.

The experiences with Twitter, Apple, and Facebook will influence the strategy of other growing international corporations and websites that target Russian audiences. They will note increased costs due to having to rent server space and data services from Russian IT firms, thus raising the barrier of entry into the Russian market. Likewise, the Russian government will learn from the (un)willingness the parameters of the tool data localization laws provide the state.

Endnotes

[1] Stacia Lee, “International Reactions to U.S. Cybersecurity Policy: The BRICS Undersea Cable,” Henry M. Jackson School of International Studies, Cybersecurity Initiative, January 8, 2016.

[2] “Freedom on the Net 2016: Russia Country Profile,” Freedom House, 2016.

[3] Jackie Northam, “Russian Activists Turn to Social Media,” National Public Radio, January 13, 2012.

[4] Northam, “Russian Activists Turn to Social Media.”

[5] Miriam Elder, “Russian Police and Troops Clash with Protesters in Moscow,” Guardian, December 6, 2011.

[6] Elder, “Russian Police and Troops Clash.”

[7] Sarkis Darbinyan and Sergei Hovyadinov, “WILMAP: Russia,” Center for Internet and Society, Stanford Law School.

[8] “Processing and Storage of Personal Data in the Russian Federation. Changes since September 1, 2015,” Ministry of Telecom and Mass Communications of the Russian Federation, February 12, 2016.

[9] Duane Morris, “Russia’s New Personal Data Localization Law Goes into Effect in September 2015,” Duane Morris LLP & Affiliates.

[10] “Russia’s State Duma just Approved Some of the Most Repressive Laws in Post-Soviet History,” Meduza, Meduza.io, June 24, 2016.

[11] “Overview of the Package of Changes into a Number of Laws of the Russian Federation Designed to Provide for Additional Measures to Counteract Terrorism,” International Center for Not-for-Profit Law, June 21, 2016.

[12] Aleksandr Kuznetsov and Vasili Kuznetsov, “The Legal Definition of Terrorism in the United States and Russia,” World Applied Sciences Journal 28, 1: 130–34, 2013.

[13] “Freedom on the Net 2017: Russia Country Profile,” Freedom House, 2017.

[14] “Inspection Plans,” Roskomnadzor, Last updated December 14, 2017.

[15] “Izvestia: Roskomnadzor Blocked 7,300 Websites,” Roskamnadzor, Last updated December 23, 2015.

[16] Lisa Baird, “Russia to Increase Data Audits in 2016 with Data Localization Law & More News on the EU’s Safe Harbor Ruling,” Life Sciences Legal Update, January 8, 2016.

[17] Olga Razumovskaya, “Google Moves Some Servers to Russian Data Centers,” Wall Street Journal, April 10, 2015.

[18] Cecilia Kang and Katie Benner, “Russia Require Apple and Google to Remove LinkedIn from Local App Stores,” New York Times, January 6, 2017.

[19] Author’s interviews with Russian millennials, Moscow, April 2015.

[20] “Viber Moved Its Servers to Russia,” Vladimir Zykov, Izvestiya, October 19, 2015; and Andrei Soldatov, “All-Encompassing Paranoia: How the Attitude Toward Security Has Changed in Russia,” Russian Social Science Review 2, vol. 58, January 2, 2017.

[21] Nabi Abdullaev, “Why Russia’s LinkedIn Ban Is Not about Internet Freedoms,” Forbes, December 8, 2016.

[22] Alex Stamos, “An Update on Information Operations on Facebook,” Facebook Newsroom, September 6, 2017.

[23] “Russia Tells Facebook to Localize User Data or Be Blocked,” Reuters, September 26, 2017; and Steven T. Dennis, Sarah Frier, and Gerrit De Vynck, “Tech Companies Set to Tell Congress about Russian Election Meddling,” Bloomberg, October 31, 2017.

[24] “Roskomnadzor Will Check Facebook in 2018,” Delovoy Peterburg, November 21, 2017.

[25] Alexey Danilyants, “State of the Russian Infrastructure Market,” Datacenter Dynamics, January 13, 2017.

[26] Kira Egorova, “Russia Boosts Construction of Data Centers. RBTH, August 31, 2015, Accessed July 25, 2017.

[27] East-West Digital News, September 10, 2015. Accessed July 25, 2017.

[28] “Russia’s Data Center Market to Reach Several Hundred Million USD in 2015,” East-West Digital News, September 10, 2015. Accessed July 25, 2017.

[29] James Cook, “Apple Reportedly Agreed to Store User Data for Russian Customers on Servers Inside the Country, Business Insider, September 11, 2015.

[30] Yevgeniy Sverdlik, “Here’s How Much Energy All US Data Centers Consume,” Data Center Knowledge, June 27, 2016.

[31] Max Smolaks, “Russian Billionaire to Build a Massive Data Center in Siberia,” Datacenter Dynamics, September 7, 2015.

[32] Max Smolaks, “Russia’s Largest Data Center Will Be Powered by Nuclear Energy, Datacenter Dynamics, November 26, 2015.

This publication was made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.