Roskomnadzor, Russia’s communications watchdog, finds itself in a very strange situation for the second time. First, the agency attempted unsuccessfully to block Wikipedia from working in Russia, and now Facebook has rejected its demand to transfer the personal data of its Russian users onto Russian territory, putting Moscow regulators in a very awkward position.
If they wish to enforce their ill-conceived law — drafted for the sole purpose of extending the government’s control over civil society by closely monitoring popular social networks — Russian officials must now shut down Facebook’s operations in this country. However, Facebook has essentially called their bluff: The officials never wanted to shut down the social network and it is difficult to predict what will happen now.
The law “on personal data” that requires foreign Internet companies to transfer the data of Russian citizens onto Russian territory will go into effect on Sept. 1. According to Pavel Savitsky of the law firm Borenius, the main problem is the loose wording of the legislation.
More than a year after Duma deputies passed the relevant amendments to the law, Roskomnadzor has refused to clearly specify the requirements it places on Internet services, and officials — themselves confused by the rules — have disoriented the business community.
Does the law require Internet companies to keep only their databases on Russian territory, or also the software that constantly exchanges information with foreign servers? Does the requirement that firms “process” their data on Russian territory mean that they must store the data itself, along with other forms of manipulating it, on Russian soil?
If companies do agree to keep their data on Russian territory, are they obliged to share it with government agencies, and if so, by which method? Does the law apply only to Russian companies, to foreign companies with branch offices in Russia or also to foreign companies with no affiliates in Russia? The Communications and Press Ministry has issued only informal guidelines for firms to go on.
The law gives only a very vague definition of what is actually meant by personal data.
The words “any information relating directly or indirectly to an identified or identifiable individual” allows for extremely broad interpretation, and such information often does not refer to a particular person — as in the case of frequently occurring or fictitious names. Facebook refused to comply with the law on the logical grounds that its users’ accounts do not represent personal data, and this forces Roskomnadzor to articulate what it means by the term “personal data.”
The least likely scenario is that Roskomnadzor will issue a clearly worded explanation of its demands, on the basis of which market participants will comply with the law and Facebook will preserve its reputation as a company concerned with the safekeeping of its users’ personal data, and that does not want to go to unnecessary expense by transferring its servers.
In all likelihood, Roskomnadzor will wait for clear political orders. According to Savitsky, rather than protecting personal data, the new law seeks to control that data by prohibiting its transference abroad. In fact, the user agreement that each person “signs” when opening an account on Facebook and other such services already meets the law’s requirement for data protection through a formal agreement between those transferring and those receiving data.