24.4.2015

Personal Data is the New Oil

All the superpower states, such as China, the US and Russia, have recently understood that in the internet era, personal data is the new oil, the defining natural resource that makes our lifestyle rise and fall. Consequently, these states have increased their interest in the personal data of their citizens and in the use of that data in business and commerce.

The US is by far the leader in the competition to collect, use and control the use of personal data, mainly thanks to large American internet and social media companies and legislation that grants extensive information rights to the state. However, China is not far behind.

Recently Russia has also taken some major steps in the field by enacting new legislative amendments restricting companies’ use of Russian citizens’ data.

Restrictions to Processing Data of Russian Citizens Abroad

In Russia, a set of new legislative amendments will come into force on 1 September 2015. The amendments are primarily aimed at restricting the processing of Russian citizens’ personal data on servers located outside of Russia. They also develop state supervision procedures and empower the Russian Data Protection Authority (Roscomnadzor), under certain conditions, to block access to websites where personal data violations take place.

From the perspective of data operators, it will be illegal to collect personal data of Russian citizens and directly send it to servers located outside of Russia without processing the data ‘with the use of’ a database installed on a Russia-based server or computer.

However, the amendments contain several exceptions. One of them could be interpreted as being applicable to Russian employees of international companies. The obligation to process data in Russian databases may not be applicable if personal data is processed either for purposes stipulated by an international agreement of the Russian Federation, for purposes set out in law or for exercising the powers or performing the functions and obligations of data operators under Russian law. The purposes for which employers process the data of their employees are in fact defined by law and, thus, may fall into the second category.

Websites Containing Illegally Processed Personal Data May Be Shut Down

Under the amendments, Roscomnadzor will be given powers to block access to websites containing illegally processed personal data in Russian territory. For this purpose, Roscomnadzor will enter the banned domain names, network addresses and other details in a special state register.

A website can be blocked only on the grounds of a court act. The website owner will be informed of the violation of personal data laws and asked to rectify the violation voluntarily prior to the website being blocked. If the violation is not rectified, the website will be blocked not later than in three days.

The website owner will have the right to apply for the removal of its website from the state register after all personal data violations have been rectified or if a court reverses the act blocking of the website. These rules can be construed as being applicable only to websites containing illegally processed personal data, including social networks, public databases, address books and blogs. On the other hand, Roscomnadzor may interpret the new rules broadly and try to apply them to all websites used in any way that violates any of the Russian legal requirements concerning personal data.

Practical Solutions to Legal Challenges

How, then, should one react to these new regulations and prevent localisation politics for affecting business? From a formal point of view, it will be necessary to relocate databases containing information about Russian clients, partners and, arguably, employees to Russia. If a company ignores data privacy requirements, it may be subject to several fines for various violations.

However, the legislative changes do not apply to cross-border data transfers. This fact provides certain loopholes for reorganisation of global ICT systems used by international companies. There will be no need to completely disconnect Russian offices or websites from the corporate networks. Keeping in mind that the amendments enter into legal force in less than five months, it is a good time to start assessing possible ways of modifying the ICT systems.

The strategic importance of oil has not prevented it from being an important commodity in international trade. Similarly, increased state interest in personal data is in no way an obstacle to continuing business. The importance of personal data for commercial actors is, indeed, one of the main factors that also make it interesting for any state.

In order to not let variable legislation affect your business in Russia, it’s better to consider possible options for complying with the new amendments and start preparations now.

Latest references

We are acting as the lead counsel to Fortum in a cross-border transaction in which Fortum is selling its recycling and waste business. The business is sold to thematic impact investing firm Summa Equity through its portfolio company NG Group. The debt-free purchase price is approximately EUR 800 million. The transaction is subject to authority approval and customary closing conditions. Fortum’s recycling and waste business to be sold comprises municipal and industrial waste management and end-to-end plastics, metals, ash, slag and hazardous waste treatment and recycling services. These businesses are located in Finland, Sweden, Denmark and Norway and currently employ approximately 900 employees.
Case published 18.7.2024
We advised Andritz Oy, a part of ANDRITZ group, with their acquisition of all the shares in Procemex Oy. The acquisition further strengthens ANDRITZ’s automation and digitalisation portfolio. Procemex is a global leader in integrated web monitoring and web inspection solutions for the pulp and paper industry. It has a team of more than 100 vision systems experts and has subsidiaries in Germany, Japan and the US. ANDRITZ offers a broad portfolio of innovative plants, equipment, systems, services and digital solutions for a wide range of industries and end markets. ANDRITZ is a global market leader in all four of its business areas – Pulp & Paper, Metals, Hydropower and Environment & Energy. The publicly listed group has around 30,000 employees and over 280 locations in more than 80 countries.
Case published 18.7.2024
We successfully acted as the lead external counsel for Citycon Plc in an arrangement whereby Citycon outsourced its Nordic Accounting and Lease Administration operations and related workforce in Finland, Sweden, Norway, Denmark and Estonia to Staria Plc. The outsourcing is expected to take place as of 1 August 2024. With this outsourcing arrangement, Citycon aims to align the size and capabilities of the company’s finance organisation with its future development, ensuring it can adapt to meet the company’s needs at any given time. During the assignment, we assisted Citycon in drafting the necessary contract documentation and planning the contract negotiations and timetable. We led the outsourcing agreement negotiations and advised Citycon on employee transfer and data privacy related matters. We also coordinated legal advice for other in-scope countries. Citycon is the leading owner and developer of urban hubs in the Nordics and Baltics. Citycon’s 33 mixed-use, necessity-based centres are located in the major cities in Finland, Sweden, Norway, Denmark and Estonia. Citycon transforms unique locations into sustainable communities and cities full of life, serving 140 million people each year and delivering long-term share value. Citycon brings value to communities by developing urban hubs for living, working, socialising and shopping. Citycon has extensive experience as an urban developer and uses its expertise in creating mixed-use centres that include retail, offices, hotels, housing, food & beverage as well as healthcare, culture and leisure services.
Case published 13.5.2024
We acted as Zendesk, Inc.’s Finnish legal counsel in its acquisition of Ultimate Enterprises Oy, an industry leading provider of service automation using AI technology. The cross-border acquisition was completed in cooperation with the transaction’s lead counsel Allen & Overy. Zendesk is a leading global technology company that provides software-as-a-service and customer experience (CX) products based in the US. The acquisition of Ultimate expands Zendesk’s AI-powered CX offerings.
Case published 26.3.2024