Culture of Privacy in Russia

In Russia, the history and culture of data privacy do not differ significantly from current Western legal practice. Russia signed the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data in 2001. The legislation did not come into force in Russia until 1 September 2013, owing to a large number of complications and technical regulations.

Over 60 million Russians use the internet daily. Nonetheless, a substantial share of the Russian general public, according not only to the Washington Post but also to the Center for Global Communication Studies (CGCS), does not have positive feelings towards 'the information superhighway'. Like the European public, nearly half of Russian citizens say that governments should have the right to regulate access to the Internet and/or to prevent people from having access to some content on the Internet. However, this does not mean that any of these people favour greater government regulation in general.

Legal History 

The main body of Russian data protection law, the Federal Law 'On Personal Data' (Федеральный закон РФ от 27 июля 2006 года № 152-ФЗ «О персональных данных»), underwent major reform in 2011 and has additional, rapidly developing branches in Russian IP-related legislation. Related obligations include Art. 23 and Art. 24 of the Russian Constitution on the Right to Privacy; Art. 152.2 of the Civil Code on the Protection of Information on Private Life of Citizens; the Federal Law (No. 149-FZ dated July 27, 2006) on Information, Information Technologies and Protection of Information; the Labour Code on Employees' Data Protection; and the Code on Administrative Offences and the Criminal Code.

Enforcement and Court Action

The main body responsible for the enforcement of Russian data protection and privacy law is the Russian Federal Service for Supervision of Communications, Information Technology, and Mass Media (Федеральной службе по надзору в сфере связи, информационных технологий и массовых коммуникаций, or 'Roskomnadzor'). Its tasks are to monitor, control, and supervise the fields of media, mass communications and information technology.

Roskomnadzor supervises legal compliance of personal data processing in the Russian Federation. In the field of personal data, it also has the role of coordinating the activities of radio service in Russia. It is the authorised federal executive body for the protection of data subjects' rights. It is also the body administering Russian Internet censorship filters.

Corporate Risk

Over the last few years Russia has been tightening enforcement actions in the field of personal data protection. The potentially substantial fines, which range from a couple of hundred to tens of thousands of euros per breach, confirm that Russian and/or foreign companies conducting business on the Russian market should take personal data compliance seriously.

The following table, publicly available courtesy of CMS Legal, gives an overview of the current corporate risk for organisations processing personal data. The figures and currency conversion date from March 2015 and might need to be adjusted to the latest exchange rates.


Future outlook

From a compliance point of view, important changes to Russian data protection and privacy laws came into force on 1 September 2015. The new so-called Data Localisation Law requires foreign businesses operating in Russia to maintain information about Russian citizens within the Russian Federation. The law is set to impose a variety of penalties for violations, including the authority to prevent offending companies from operating in Russia by blocking their access to local hosting and telecommunications infrastructure.

Many professionals claim that this law is aimed at large companies such as Twitter and Facebook, which do not physically store their data on Russian soil. Others claim the new regulation has resulted from the reluctance of these companies to respond to hundreds of requests by Roskomnadzor. While both may be true, there is no doubt that the Russian authorities have a desire to convince international companies that they need to comply not only with EU and US law but also with Russian laws.

Roskomnadzor's official statement is that Russia cannot be certain to allow access and grant rights to foreign legal entities under a hollow presumption that they will keep the data of millions of Russian citizens safe and secure. The Snowden revelations are also utilised as a paramount argument justifying the global trends in data localisation.

The legislation has been criticised for its vague wording and impractical implications. Yet, on 22 July 2015 Roskomnadzor held an extended meeting with numerous representatives from the private sector in order to discuss and clarify the applications of the law on personal database localisation in Russia.

There is some indication that Russia may be considering giving businesses more time to comply properly with their obligations under the new law. However, this does not rule out the complexity of issues surrounding the rules on data localisation, so the help of trusted advisors might be critical for organisations at risk.

Also, a new law was passed in July 2015 which gives individuals the right to be delisted from search engines (the so-called “Delisting Law”). This law came into force on 1 January 2016.


1. CGCS (2015). Benchmarking Public Demand: Russia’s Appetite for Internet Control. Philadelphia: The Center for Global Communication Studies.

2. Yandex (2015, March). Retrieved from 

3. CMS Group (2015) 

Data Privacy Recruitment Ltd. 

All rights reserved. All opinions expressed to be treated strictly as guidance and not as legal advice. 

September 2016
London, United Kingdom