29 December 2016
How Legislation on Handling Personal Data Will Be Enforced in the Future: LinkedIn Case Study | Pavel Sadovsky and Olga Tyangaeva, The Russia and Eurasia Committee Newsletter by the ABA Section of International Law

A Russian court published its exceptional decision and ruled that LinkedIn’s activity in Russia was in breach of Russian personal data law. The court of appeal did not overturn the decision: LinkedIn.com is now blocked in Russia.

Russian Federal Law No. 242-FZ as of 1 September 2015 requires all companies to process personal data pertaining to Russian citizens primarily using databases located in the Russian Federation. LinkedIn was accused of breaching the requirements of the law and citizens’ rights to privacy. The domain names and index pages of the site linkedin.com and its network address on the Internet were added to the register of personal data rights violators.

Foreign companies cannot be held administratively liable or fined under Russian law. However, their activity on the Internet could be restricted if their business is aimed at the Russian market. The company may have a Russian version of its website, use the domain names .ru and .рф, deliver goods to Russia, provide an option to pay in rubles and, most importantly, process the personal data of Russian citizens.

Each year, Roskomnadzor (the Russian supervisory authority for telecommunications, information technology, and the media) conducts audits of various entities, in accordance with a schedule. For 2016 there is a checklist of 136 companies. Usually, the companies on the list are involved in the media or banking sectors; it rarely includes other businesses. In 2016 Roskomnadzor conducted 981 checks, 24% of which were unscheduled. The total amount of the imposed fines was more than 4.8 million rubles. But even if a company is not mentioned on the checklist, it may still be subject to an unscheduled inspection.

During regular monitoring or checks conducted at the request of citizens, Roskomnadzor may monitor violations using public resources. Roskomnadzor checks whether the company sent the authority an official notification about the processing of personal data. Roskomnadzor has the right to request information regarding compliance with the law. If no response is received or if the response is unclear, Roskomnadzor could initiate a claim to protect the public’s rights and will represent the public’s interests in court.

The LinkedIn Corporation was the first large foreign corporation found liable under the Law. It was not included on the list of companies for which checks were planned in 2016. The checklist applies to Russian entities or the affiliates and representative offices of international companies. Thus, no foreign company that processes the personal data of Russian citizens can be sure in advance that there will not be an inspection of its activity. In addition, the Russian authorities’ new risk-based policy means that it is not possible to predict how many audits will take place within specific companies or sectors.

by Pavel Sadovsky and Olga Tyangaeva

Selected Resources and Publications:

  • Moscow City Court, Court of Appeal, Case No. 33-38783/2016 (Russian)
  • Consultant (2016), Russian Federal Law No. 242-FZ as of 1 September 2015
  • Tagansky District Court of Moscow, Case No. 02-3491/2016 (Russian)

Key contacts