Localization of personal data: not only in Russia



Since September 1, 2015, the Russian Federation has applied the requirement to localize the storage and certain processing operations of personal data, as established by Federal Law No. 242 of July 21, 2014 "On Amendments to Certain Legislative Acts of the Russian Federation Regarding the Clarification of the Procedure for Processing Personal Data in Information and Telecommunication Networks".

On September 1, 2017, Roskomnadzor published a report on its work on enforcing compliance with the law; we covered it in more detail in our article.

That is how things stand here. What about other countries? Roskomnadzor's experts conducted their own analysis and, on its basis, published an "Analytical Review of International Experience on the Localization of Databases Containing Personal Data of Citizens"; anyone wishing to read the full text of the document will find it at the link.

The document is quite extensive and covers both the practice of foreign countries and a review of how the Russian rules are applied. We will briefly go over the foreign practices.

The countries covered in the review are:


Australia


In 2012, Australia passed a law regulating access to electronic health records for relevant purposes (Personally Controlled Electronic Health Records Act 2012, No. 63), which, among other things, obliges persons with access to information contained in citizens' electronic health records to ensure that such information is stored in Australia.

Under Part 1 of Art. 77 of this Act, the System Operator, a registered repository operator, a registered portal operator or a registered contracted service provider that stores records for the purposes of the PCEHR system (regardless of whether the records are also stored for other purposes) or has access to information relating to such records must not:


Violation of these prohibitions is punishable by a penalty of 120 penalty units.

At the same time, Part 2 of Art. 77 of the Act provides that, for the purposes of operating or administering the PCEHR system, the System Operator is entitled to:


Organizations that process health-related information must either set up data centers in Australia or engage Australian companies that have such centers in Australia to process that information. Information on citizens' health may be processed outside Australia only in de-identified form.

Vietnam


In September 2013, the Decree on the Management, Provision and Use of Internet Services and Online Information entered into force in Vietnam. Under it, all companies providing Internet services must have at least one server hosting their databases in Vietnam.

In October 2013, the Ministry of Information and Communications circulated a draft circular providing additional details on implementing the Decree, including a requirement that any server system located outside Vietnam must meet the same requirements that apply to a server system located in Vietnam.

Indonesia


In 2012, the Indonesian government required government agencies and organizations involved in providing public services to establish data processing centers in Indonesia.

Government Regulation No. 82 on the Operation of Electronic Systems and Transactions (GR 82) also stipulates that an electronic system operator must create a disaster recovery center in Indonesian territory for this purpose.

In 2014, the Ministry of Communications extended the requirement to locate a disaster recovery data center in Indonesia to a wider range of institutions: any institution or organization providing services using information technology.

In addition, the electronic system operator must store transaction data in Indonesia. Under GR 82, the requirement to store in Indonesia the data arising from electronic transactions between electronic system providers and their customers applies to both private and public electronic system providers.

India


According to India's National Data Sharing and Accessibility Policy, all data collected using public resources must be stored in India.

In February 2014, the National Security Council of India proposed to ensure the localization of all personal data of Indian citizens in India.

It was envisaged that all e-mail service providers could be required to host the servers that collect data on Indian citizens in India. The National Security Council's initiative also prohibits creating mirrors of such servers if the main server is located abroad.

Currently, India's telecommunications legislation provides that all customer and user information (except roaming information) must be stored in India; remote access to such information from outside India is prohibited.

Kazakhstan


Kazakhstan adopted its Law on Personal Data in 2013 and amended it in 2015. The 2015 amendments introduced the requirement to store (localize) personal data in Kazakhstan. That requirement entered into force on January 1, 2016.

The localization requirement only obliges databases containing personal data to be stored in the territory of the Republic of Kazakhstan.

The law does not require personal data to be stored first in Kazakhstan and only then transferred to other countries. Accordingly, a database may first be collected, processed, used and modified abroad, and the database containing personal data may then be saved in the territory of the Republic of Kazakhstan. In that case, companies should be prepared to provide evidence that the database containing personal data was subsequently stored in Kazakhstan.

Where data is initially stored abroad, it is important to keep the databases abroad and in Kazakhstan synchronized. The Law on Personal Data does not define the synchronization frequency.

Both database owners and database operators must store personal data in Kazakhstan.

Canada


Canada's federal legislation contains no requirement to localize databases of citizens' personal data in Canada. However, such a requirement exists at the level of two provinces: Nova Scotia and British Columbia.

As of December 2017, British Columbia had a Freedom of Information and Protection of Privacy Act in force. Under Art. 30.1 of that Act, a public body must ensure that personal information held by it, and access to that information, is stored only in Canada. The data subject could, however, consent to the storage or use of personal information in another jurisdiction.

In Nova Scotia, the storage of databases containing personal data is governed by the provisions of the Personal Data Protection Act. The localization provisions in Nova Scotia (Article 5(1)) are identical to those that existed in British Columbia.

China


In 2011, the People's Bank of China published a Notice on the need to strengthen the protection of personal financial information.

In China, personal financial information means personal identity information (name, gender, nationality, photograph), personal property information, personal account information, personal credit information, transaction information, other derived information (information obtained by analyzing primary information), and any other personal information that becomes known to a bank in the course of business cooperation or contractual relations.

The Notice prohibits banks from storing, processing or analyzing outside China any personal financial information collected in China, and from providing personal financial information collected in China to an offshore enterprise.

Violation of the requirements of the Notice entitles the People's Bank of China to order the bank concerned to rectify the non-compliance and to require that the bank discipline the responsible officials.

In addition, on June 1, 2017, the Cybersecurity Law entered into force, introducing new restrictions for critical information infrastructure operators, network operators, and providers of network products and services.

Article 37 of the Cybersecurity Law provides that operators of critical information infrastructure must store personal information collected or generated in mainland China within mainland China. Where, due to business requirements, it is genuinely necessary to store personal information outside the mainland, critical information infrastructure operators must follow the measures jointly formulated by the state cyberspace administration and the relevant departments of the State Council to conduct a security assessment; where laws and administrative regulations provide otherwise, those provisions apply.

If critical information infrastructure operators violate Article 37 of the Law by storing data outside the mainland, or by providing network data to individuals or organizations outside the mainland without conducting a security assessment, the competent department issues a warning, confiscates illegally obtained gains, imposes a fine of 50,000 to 500,000 yuan (9.74 rubles per yuan at the Central Bank of the Russian Federation's rate on May 29, 2018), and may order a temporary suspension of operations, a halt of business for rectification, closure of websites, or revocation of the relevant business permits. The persons directly responsible for compliance with the Law can be fined 10,000 to 100,000 yuan in the event of a violation.

The localization requirement also covers databases containing medical information. The Measures for the Administration of Public Health Information, adopted by the National Health and Family Planning Commission of China, stipulate that medical institutions, social welfare organizations (social services) and family planning institutions may not store public health information on servers abroad, or otherwise host it on or lease foreign servers.

As for foreign companies operating in China, their representative offices in China periodically receive notices demanding that personal data storage be localized in China. If they refuse, the Internet services of those companies are temporarily blocked by decision of the authorized executive body.

Malaysia


In 2010, the Malaysian Personal Data Protection Act imposed a ban on transferring personal data outside the country. Cross-border transfer of personal data is possible only under certain conditions and in a few exceptional cases. Such conditions include the consent of the data subject, the need to perform a contract between the subject and the operator, and the need to perform a contract between the operator and a third party concluded at the request or in the interests of the data subject.

Nigeria


In Nigeria, in 2013, the National Information Technology Development Agency issued the Guidelines for Nigerian Content Development in Information and Communications Technology. Under the Guidelines, organizations that handle data and information that can identify a citizen must localize such databases in the territory of the country.

Instead of an afterword


As these examples of other countries' legislation show, we are not the only ones pursuing localization in one form or another. But, as always, our legislation has its own particularities. Unlike the examples given, our law extends its effect even to organizations that have no representative office in the Russian Federation. Recall the comment of the Ministry of Communications and Mass Media:

"... the obligation to localize individual processes of personal data processing extends to foreign operators, provided that they carry out targeted activities in the territory of the Russian Federation and that none of the exceptions expressly specified in Part 5 of Article 18 of the Federal Law "On Personal Data" applies (for example, an international agreement for the achievement of whose goals the processing is carried out)."

P.S. At the link you can download our White Paper on Federal Law No. 152.
This book was published to help clear up the confusion around personal data processing and to describe clearly the process of bringing personal data information systems into compliance with Russian law. The topic is covered from scratch, so the book serves a wide range of readers.

Source: https://habr.com/ru/post/412533/
