News Archives

Monday, November 28, 2016

Data Localization Taking Root in China, Russia

Significant developments relating to data localization occurred in both China and Russia during November.  In China, the National People’s Congress Standing Committee enacted the final draft of the Network Security Law (also referred to as the Cybersecurity Law) on November 7, with an effective date of June 1, 2017.  The Law requires enterprises providing “key information infrastructure” to store critical data and personal information collected and generated in the course of their operations within the territory of China, irrespective of the citizenship of the data subjects. Such information may be transferred outside of China only when there is a genuine business need to do so and a favorable security assessment has been carried out.  A key issue for multi-national businesses situated outside of China will be how the State Council determines the scope of “key information infrastructure” and how stable such a demarcation will be.  In another important development, the Law establishes a broad range of privacy protections reflective of, and consistent with, the EU General Data Protection Regulation and other international standards.

In Russia, the country’s data protection authority, Roskomnadzor, ordered that access to LinkedIn’s website be blocked as of November 17, making this the first time a foreign online service has been forced to shut down for failing to comply with the Data Localization Law. Other major U.S. web giants, such as Microsoft, Apple and Google, were reported to have conformed to the Law by moving the personal data of Russian citizens to Russian-based servers, while Facebook and Twitter are under regulatory pressure to do so.  Should LinkedIn follow suit, which would be relatively easy to do utilizing data centers operating within Russia such as Microsoft’s, their service could be restored.  In an exceptionally lame excuse for non-compliance, LinkedIn argued that it failed to respond to the inquiry from Roskomnadzor that led to the website shut-down because the DPA had sent its inquiry to the firm’s U.S. office instead of to LinkedIn Ireland, which is responsible for the data of non-U.S. citizens.

No comments:

Post a Comment