All the superpower states, such as China, the US and Russia, have recently understood that in the internet era, personal data is the new oil, the defining natural resource that makes our lifestyle rise and fall. Consequently, these states have increased their interest in the personal data of their citizens and in the use of that data in business and commerce.
24.4.2015
Personal Data is the New Oil
Related services
The US is by far the leader in the competition to collect, use and control the use of personal data, mainly thanks to large American internet and social media companies and legislation that grants extensive information rights to the state. However, China is not far behind.
Recently Russia has also taken some major steps in the field by enacting new legislative amendments restricting companies’ use of Russian citizens’ data.
Restrictions to Processing Data of Russian Citizens Abroad
In Russia, a set of new legislative amendments will come into force on 1 September 2015. The amendments are primarily aimed at restricting the processing of Russian citizens’ personal data on servers located outside of Russia. They also develop state supervision procedures and empower the Russian Data Protection Authority (Roscomnadzor), under certain conditions, to block access to websites where personal data violations take place.
From the perspective of data operators, it will be illegal to collect personal data of Russian citizens and directly send it to servers located outside of Russia without processing the data ‘with the use of’ a database installed on a Russia-based server or computer.
However, the amendments contain several exceptions. One of them could be interpreted as being applicable to Russian employees of international companies. The obligation to process data in Russian databases may not be applicable if personal data is processed either for purposes stipulated by an international agreement of the Russian Federation, for purposes set out in law or for exercising the powers or performing the functions and obligations of data operators under Russian law. The purposes for which employers process the data of their employees are in fact defined by law and, thus, may fall into the second category.
Websites Containing Illegally Processed Personal Data May Be Shut Down
Under the amendments, Roscomnadzor will be given powers to block access to websites containing illegally processed personal data in Russian territory. For this purpose, Roscomnadzor will enter the banned domain names, network addresses and other details in a special state register.
A website can be blocked only on the grounds of a court act. The website owner will be informed of the violation of personal data laws and asked to rectify the violation voluntarily prior to the website being blocked. If the violation is not rectified, the website will be blocked not later than in three days.
The website owner will have the right to apply for the removal of its website from the state register after all personal data violations have been rectified or if a court reverses the act blocking of the website. These rules can be construed as being applicable only to websites containing illegally processed personal data, including social networks, public databases, address books and blogs. On the other hand, Roscomnadzor may interpret the new rules broadly and try to apply them to all websites used in any way that violates any of the Russian legal requirements concerning personal data.
Practical Solutions to Legal Challenges
How, then, should one react to these new regulations and prevent localisation politics for affecting business? From a formal point of view, it will be necessary to relocate databases containing information about Russian clients, partners and, arguably, employees to Russia. If a company ignores data privacy requirements, it may be subject to several fines for various violations.
However, the legislative changes do not apply to cross-border data transfers. This fact provides certain loopholes for reorganisation of global ICT systems used by international companies. There will be no need to completely disconnect Russian offices or websites from the corporate networks. Keeping in mind that the amendments enter into legal force in less than five months, it is a good time to start assessing possible ways of modifying the ICT systems.
The strategic importance of oil has not prevented it from being an important commodity in international trade. Similarly, increased state interest in personal data is in no way an obstacle to continuing business. The importance of personal data for commercial actors is, indeed, one of the main factors that also make it interesting for any state.
In order to not let variable legislation affect your business in Russia, it’s better to consider possible options for complying with the new amendments and start preparations now.
Latest insights
Article published 2.2.2026 – Data & Technology
Avoid costly risks with well-drafted distribution agreements
Article published 10.10.2024 – Data & Technology
New act on dual-use items entered into force in September – what companies need to know
Article published 5.9.2024 – Data & Technology
Technology acquisitions can boost companies’ growth – or cause them to fail
Article published 6.5.2024 – Employment
Outsourcing company functions – four key points for success
Topi Lusenius & Samuli Salminen
Kim Parviainen & Lauri Laatunen
Topi Lusenius, Anders Forss & Kim Parviainen
Tomi Kemppainen, Kim Parviainen & Eija Warma-Lehtinen
Latest references
Downing – Acquisition of the entire share capital of Tornionlaakson Voima
We advised UK-based investment company Downing in its acquisition of the entire share capital of Tornionlaakson Voima Oy. Tornionlaakson Voima owns three hydropower plants in the Tengeliönjoki river system – the Portimokoski power plants in Ylitornio, the Jolmankoski power plants in Raanujärvi and the Kaaranneskoski power plants in Sirkkakoski. The power plants produce a total of approx. 45 gigawatt-hours of electricity per year. Tornionlaakson Voima’s daily operations will continue normally, and the transaction will not affect customers. The consummation of the transaction is subject to the approval of the Ministry of Economic Affairs and Employment. Downing has over 35 years’ experience in providing a wide range of investment solutions to the needs of institutional investors, advisers and retail investors. The company manages over £2 billion in assets in both the private and public markets and its current hydro power portfolio includes approx. 50 hydro power plants in the Nordics.
Case published 27.3.2026
LähiTapiola and OP Henkivakuutus – Successful representation of insurance companies in Supreme Administrative Court health data processing cases
We successfully represented insurance companies LähiTapiola and OP Henkivakuutus in two cases concerning an important point of principle: the right of insurance companies to process health data as part of the insurance application process. The Supreme Administrative Court handed down twin decisions ( one published as precedent ) addressing the matter in light of contrary DPA decisions. Under the Finnish Data Protection Act, insurance companies may, to simplify, process health data concerning “insured persons” (vakuutettu, försäkrad) to determine liability under the insurance. This rule constitutes an exception to Article 9 GDPR. At issue was whether the term “insured person” also covers people in the process of obtaining insurance coverage or only people who are already covered. In more practical terms: can an insurance company rely on the rule when considering whether/how to grant the insurance in the first place? The SAC answered in the affirmative and thus upheld the traditional industry approach over the DPA’s contrary view. The SAC noted that the Data Protection Act did not define the term “insured person” and thus looked at insurance legislation for guidance. As argued by the insurance companies, that legislation also uses the term in the context of describing the insured person’s pre-contractual informational obligations. Thus, and in view of the underlying purpose of the rule at issue, the SAC found that an “insured person” could be someone in the process of obtaining coverage, not just a person already covered. The outcome clarifies the scope of the local rule at the insurance application stage for the Finnish insurance industry.
Case published 22.1.2026
SuperOffice – Acquisition of Lyyti
We acted as Finnish counsel to SuperOffice AS, backed by Axcel, in its acquisition of Lyyti Oy from Finnish private equity firm Vaaka Partners and other sellers. Lyyti is a leading event management software company for physical, digital and hybrid events with a strong customer base in Finland, Sweden and France. SuperOffice is a leading provider of customer relationship management (CRM) software for small and medium-sized businesses across Northern Europe. Axcel is a Nordic private equity firm with a focus on technology, business services and industrials, healthcare, and consumer sectors.
Case published 9.12.2025
Lantmännen – Acquisition of Leipurin from Aspo
We advised Lantmännen ek för in its contemplated acquisition of Leipurin from Aspo Plc. Lantmännen is an agricultural cooperative and Northern Europe’s leader in agriculture, machinery, bioenergy and food products. Lantmännen is owned by 17,000 Swedish farmers and has 12,000 employees in over 20 countries. Leipurin is a leading Nordic supplier of bakery ingredients, equipment, and expert services to professional bakeries, confectioneries, and food manufacturers. The company operates across Finland, Sweden, and the Baltic countries with subsidiaries located in the aforementioned countries, providing comprehensive solutions to the baking industry. The closing of the transaction remains subject to regulatory approvals.
Case published 25.8.2025