Access to LinkedIn (the “Social Network”) was blocked on 17 November 2016. This followed a ruling of the Moscow City Court at second instance (the “Court of Second Instance”) of 10 November 2016. The Court dismissed the Social Network’s appeal against the decision to put it into the Register of Violators of Personal Data Subjects’ Rights (the “Register”) for non-compliance with the Russian personal data laws.
The Social Network is not the first company to come under the close scrutiny of the Federal Service for Supervision of Communications, Information Technology and Mass Media (“Roskomnadzor”) which had initiated the court proceedings against the Social Network for its non-compliance with the Russian personal data laws. This is, however, the first time that Roskomnadzor has been allowed by court to put a major foreign resource in the Register on such ground, thus preventing access to the Social Network from Russian IP addresses.
On 1 September 2015, the amendments to the Federal Law “On Personal Data”* came into force, under which any Russian or foreign company dealing with Russian citizens’ personal data has to ensure that such personal data is recorded, systematised, accumulated, stored, clarified (updated, modified) and retrieved using databases located in Russia (the “Localisation Requirements”). Please see here and here for our previous reports on this development.
Roskomnadzor, after inspecting the Social Network’s Russian language website, concluded that the Social Network had failed to (i) meet the requirements to locate any servers containing Russian users’ data in Russia; and (ii) comply with the procedure for storing and processing the data of any third parties that are not its users.
Before starting the legal action, Roskomnadzor first sent two letters to the Social Network’s US headquarters requesting it to provide the information on its compliance with the Localisation Requirements. However, according to the authority’s press secretary*, Roskomnadzor did not receive any appropriate response from the Social Network.
At the first instance of the case hearings, the Social Network was not present at the Court. The Tagansky Court of Moscow ruled that the Social Network had violated the Localisation Requirements.
Before the Court of Second Instance, Roskomnadzor’s representatives insisted that the Social Network had in any case violated the Localisation Requirements. Specifically, Roskomnadzor’s representatives, in supporting their accusation that the Social Network located its Russian users’ personal data in the United States, produced a printout of the data from Whois, an open resource enabling enquirers to discover the owners of websites or domain names. The authority also pointed to the fact that the Social Network collected the personal data of all users, whether registered or unregistered, namely, the Social Network collected data on devices’ IP addresses, models and cookies. After hearing both parties’ arguments, the Court of Second Instance ruled in favour of the authority.
Despite the fact that it does not have a representation office in Russia, the Social Network, in order to unblock its operations in the country and resume activities within the framework of the local laws, must locate the servers containing the personal data of Russian citizens in Russia.
This unfolding practice should serve as a signal to both Russian and foreign companies, as well as various online resources used by Russian individuals, which collect Russian citizens’ data, to assess their compliance with the Localisation Requirements. If their operations are non-compliant, they should take all the necessary steps to bring them into full compliance with the laws before being targeted for inspections by Roskomnadzor.
* In Russian