The Russian law that will require all personal data of Russian users to be stored in data centers within the country’s borders goes into effect in less than two months — on September 1 — and several major internet properties are working toward compliance. Others are exiting the Russian market altogether.
It will be difficult for companies that have been operating globally distributed services, where data is stored in multiple locations around the world, to build out new data center infrastructure in Russia to comply. Difficult, but not impossible, and some companies are rethinking their infrastructure in the country.
The On Personal Data (OPD) Law was expanded in July 2014 to include a data localization requirement. It means that many websites serving Russian users will have to change the way they host personal information. Namely, databases will have to be physically located on Russian territory, and personal data will have to remain in-country.
A European think tank, called the European Centre for International Political Economy (ECIPE), called the move a “self-imposed sanction,” estimating the losses for implementing the law at $5.7 billion.
Russia’s move is somewhat similar to data sovereignty laws popping up in other countries, however, there is a larger context of digital sovereignty: in addition to keeping data in-country, the Russian internet at large is increasingly isolated. Vietnam, China, Indonesia, and India have implemented similar laws. Brazil implemented but later withdrew data localization, reportedly because of its potential for economic damage.
Kommersant, a Russian news daily, attributed the law’s creation directly to spoiled relations with the west (in Russian) as a result of the crisis in Ukraine and the annexation of Crimea.
While advantageous to some Russian data center providers and providers of other IT and communications services, the law will be damaging to others. On one hand, it will encourage hosting locally, meaning more business. On the other hand, the exit of some companies from Russia will shrink the market’s size.
Government-controlled companies that stand to benefit from the law include the likes of Rostec, a massive corporation that serves defense and civilian sectors and has been working on rolling out an online air-travel booking service, and Rostelecom, which has been building out and buying data center capacity in the country, according to Kommersant.
The news service pointed to Google’s announced plans to discontinue development work in Russia and move its engineering operations there to other countries. Adobe said it would close its offices in Russia, and Microsoft closed a developer office in the country, moving a significant portion of the operation to Prague.
But this doesn’t mean companies like Google are not going to compete in Russia, which is simply too big a market to ignore. Those that wish to continue to serve the Russian population now have less than two months to migrate data or equipment in-country.
To comply with the law, many have already moved servers inside the country’s borders. eBay, Google, and others are in the process or have already moved user data in-country. eBay is transferring data from Switzerland to Russia. Google has moved some servers in-country to comply, reported the Wall Street Journal in April.
Hotel booking site Booking.com said that it is ready to move personal data, reported Kommersant. Russia is one of the company’s bright spots in terms of growth. Booking.com said it had 3.3 million visitors a month from there.
There is a big cost impact. Data migration is time-consuming and costly, and companies will likely have to rely on local partners for help.
Another issue is properly identifying Russian citizens. Operators storing personal data are liable for keeping data confidential, and a range of organizational and technical measures regarding protection of personal data are outlined, however, there’s uncertainty regarding things like storing copies of data outside of the country.
Adding to the uncertainty is that the law applies to personal data and not necessarily other user-related data. According to the law, personal data is defined by its ability to identify a specific individual. But ECIPE, the European think tank, sees this as an issue.
“In reality, there is no technical or legal way to separate personal data from non-personal mechanical information,” wrote ECIPE. “Any transaction on the internet made while logged in to an account is effectively personal data, and even the most harmless pieces of company data will contain information about the employee. The scope of the law is sweeping, and firms are likely to store non-personal data locally.”
Russian President Vladimir Putin said in April 2014 that the state should defend its interests on the internet. Last year, the Ministry of Communications along with security forces carried out exercises on disabling the internet in case of emergency from within and from outside of the country in case of “malicious acts.”
Last year, Symantec reported that an unknown government—likely in the west—was spying on Russia and Saudi Arabia. Data collection and spying occurred through complex surveillance software called Regin.
Russia is also advocating controlling traffic and domains in the .ru and .rf Top Level Domains (TLDs), filtering all network content.