Key Points

According to recently published amendments to Russia's law "On Personal Data," the entire cycle of handling personal data, including collection, systematisation, storage, updating, modification and deletion, must take place exclusively within Russia's borders.

Starting July 1, operators will no longer be permitted to interact with databases located outside Russia at any stage of data processing.

The amendments also extend the storage and processing obligations to third-party data processors, who provide tools or platforms for data analytics and management. This includes vendors offering services such as Google Analytics, HR management systems and customer relationship management platforms, reports Xinhua news agency.

Alexander Kirsanov, head of legal at MTS Link, a Russian platform for business communication, was quoted by RIA Novosti as saying that such platforms do not collect personal data directly but receive it from primary operators like banks, telecom providers, IT companies and online marketplaces.

"After the amendments take effect, regulators are expected to scrutinise more closely the organisations entrusted with handling Russian citizens' personal data," he said. "It will become increasingly difficult to use foreign services for analytics."

Kirsanov added that the legislative change aims to reduce the risk of data breaches involving Russian citizens. However, he also pointed out that reliance on foreign software carries additional risks.

"Since 2022, Russian businesses and government agencies have frequently faced abrupt suspensions of foreign services, despite holding long-term licenses. These interruptions have caused workflow disruptions and data losses," he said.

Personal data under Russian law includes full names linked with email addresses, phone numbers or passport data, birthdates and birthplaces tied to names, residential addresses, identification numbers and biometric information, as well as digital identifiers such as IP addresses and online accounts.

- IANS