December 7, 2016
LinkedIn is currently blocked in Russia. One of the world’s largest social networking sites with over 400 million users in 200 countries, LinkedIn has not been accessible in Russia since Nov. 22, 2016. On Nov. 10, 2016, the Moscow City Court upheld a lower court’s decision ordering that the website be blocked for all users in Russia.1
Roskomnadzor is the Federal State executive body responsible for supervising all media in Russia, including what appears on the internet. It is also responsible for overseeing compliance with the law protecting the confidentiality and proper management of personal data. In fulfilling that role it initiated a claim against LinkedIn alleging that LinkedIn had violated Russia’s new personal data protection law. More specifically, LinkedIn was said to have failed to comply with the requirement to store personal data of Russian citizens on servers located within Russia. On Aug. 4, 2016, the court of first instance ruled in favor of Roskomnadzor. LinkedIn appealed and lost. Shortly afterwards, Russian internet service providers (ISPs) cut off nationwide access to LinkedIn, and the company is now listed on Roskomnadzor’s non-compliance blacklist.
It has been a year since the amendments to the law governing the protection of personal data came into effect on Sept. 1, 2015. (See Federal Law No. 242-FZ, dated July 21, 2014, “On Introducing Amendments to Certain Legislative Acts of the Russian Federation [Russia] with Regard to Personal Data Processing in Information and Telecommunications Networks” (“Law 242-FZ”). Law 242-FZ amended several Russian laws, including its core privacy law, Federal Law No. 152-FZ, dated July 27, 2006, “On Personal Data.”)
The new data protection provisions oblige all companies processing data relating to Russian citizens to record, systematize, accumulate, store, update, change and retrieve such data in databases located within the territory of Russia. The data could reside for example on company owned and operated equipment or on leased space on a cloud server located in Russia. The law does not explicitly require data operators to perform data processing operations solely within the territory of the Russian Federation. However, a copy of the data must be stored within the country.
Since the data protection law came into force, Roskomnadzor has conducted more than 1,000 planned and ad hoc inspections with only a minor percentage of data localization violations being uncovered. Thus far, the Regulator’s inspections had only targeted small and medium-sized companies. LinkedIn was the first international brand owner to receive a notice of non-compliance from Roskomnadzor. According to Roskomnadzor, LinkedIn did not respond to the notice. The regulator then moved forward and brought the case to court.
On appeal, LinkedIn argued that it is not affected by the law because it does not have any physical presence in Russia and does not specifically target Russian users. LinkedIn further argued that the company had not been given a proper notification as Roskomnadzor communicated with the U.S. office instead of LinkedIn Ireland, the entity processing the data of non-U.S. citizens.2 These arguments, however, did not persuade the court of appeal to reverse the lower court decision.
LinkedIn has an option to further appeal the decision to the Supreme Court or to negotiate with Roskomnadzor to find a solution to the issue. The company is reportedly eager to work with the regulator to come to an agreement.3 Until then, LinkedIn will remain inaccessible in Russia.
The LinkedIn case is one of the first to drive home the extent to which Russian authorities are ready to enforce the new data localization provisions against brand owners and in particular against those who operate websites that are accessible in Russia without maintaining any physical presence in Russia.
Media reports suggest that some international brand owners have already agreed to either place their own servers in Russia or to commit to cloud storage on servers within Russia.4 Apple, Samsung, Uber, PayPal, Alibaba Group, and Booking.com are reportedly among them.
On the other hand, while a handful of leading social media platforms with services extending into Russia have complied, most have not yet done so and remain vulnerable to being targeted by the new provisions. All eyes are now on the future development of this case as it may just be the tip of the iceberg.
NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.