All the superpower states, such as China, the US and Russia, have recently understood that in the internet era, personal data is the new oil, the defining natural resource that makes our lifestyle rise and fall. Consequently, these states have increased their interest in the personal data of their citizens and in the use of that data in business and commerce.
24.4.2015
Personal Data is the New Oil
Related services
The US is by far the leader in the competition to collect, use and control the use of personal data, mainly thanks to large American internet and social media companies and legislation that grants extensive information rights to the state. However, China is not far behind.
Recently Russia has also taken some major steps in the field by enacting new legislative amendments restricting companies’ use of Russian citizens’ data.
Restrictions to Processing Data of Russian Citizens Abroad
In Russia, a set of new legislative amendments will come into force on 1 September 2015. The amendments are primarily aimed at restricting the processing of Russian citizens’ personal data on servers located outside of Russia. They also develop state supervision procedures and empower the Russian Data Protection Authority (Roscomnadzor), under certain conditions, to block access to websites where personal data violations take place.
From the perspective of data operators, it will be illegal to collect personal data of Russian citizens and directly send it to servers located outside of Russia without processing the data ‘with the use of’ a database installed on a Russia-based server or computer.
However, the amendments contain several exceptions. One of them could be interpreted as being applicable to Russian employees of international companies. The obligation to process data in Russian databases may not be applicable if personal data is processed either for purposes stipulated by an international agreement of the Russian Federation, for purposes set out in law or for exercising the powers or performing the functions and obligations of data operators under Russian law. The purposes for which employers process the data of their employees are in fact defined by law and, thus, may fall into the second category.
Websites Containing Illegally Processed Personal Data May Be Shut Down
Under the amendments, Roscomnadzor will be given powers to block access to websites containing illegally processed personal data in Russian territory. For this purpose, Roscomnadzor will enter the banned domain names, network addresses and other details in a special state register.
A website can be blocked only on the grounds of a court act. The website owner will be informed of the violation of personal data laws and asked to rectify the violation voluntarily prior to the website being blocked. If the violation is not rectified, the website will be blocked not later than in three days.
The website owner will have the right to apply for the removal of its website from the state register after all personal data violations have been rectified or if a court reverses the act blocking of the website. These rules can be construed as being applicable only to websites containing illegally processed personal data, including social networks, public databases, address books and blogs. On the other hand, Roscomnadzor may interpret the new rules broadly and try to apply them to all websites used in any way that violates any of the Russian legal requirements concerning personal data.
Practical Solutions to Legal Challenges
How, then, should one react to these new regulations and prevent localisation politics for affecting business? From a formal point of view, it will be necessary to relocate databases containing information about Russian clients, partners and, arguably, employees to Russia. If a company ignores data privacy requirements, it may be subject to several fines for various violations.
However, the legislative changes do not apply to cross-border data transfers. This fact provides certain loopholes for reorganisation of global ICT systems used by international companies. There will be no need to completely disconnect Russian offices or websites from the corporate networks. Keeping in mind that the amendments enter into legal force in less than five months, it is a good time to start assessing possible ways of modifying the ICT systems.
The strategic importance of oil has not prevented it from being an important commodity in international trade. Similarly, increased state interest in personal data is in no way an obstacle to continuing business. The importance of personal data for commercial actors is, indeed, one of the main factors that also make it interesting for any state.
In order to not let variable legislation affect your business in Russia, it’s better to consider possible options for complying with the new amendments and start preparations now.
Latest insights
Article published 10.10.2024 – Data & Technology
New act on dual-use items entered into force in September – what companies need to know
Article published 5.9.2024 – Data & Technology
Technology acquisitions can boost companies’ growth – or cause them to fail
Article published 6.5.2024 – Employment
Outsourcing company functions – four key points for success
Article published 7.12.2023 – Data & Technology
Agreements define data sharing and re-use
Kim Parviainen, Lauri Laatunen & Joakim Jaulimo
Topi Lusenius, Anders Forss & Kim Parviainen
Tomi Kemppainen, Kim Parviainen & Eija Warma-Lehtinen
Latest references
PwC – Public tender in Kela’s Eepos procurement process
We are proud to have provided legal assistance to PwC in the successful public tendering process for the comprehensive renewal of Kela’s benefits processing systems. Kela is the Social Insurance Institution of Finland, and this project is a significant cornerstone in modernising Finland’s social security infrastructure. PwC was selected as Kela’s strategic partner to implement a comprehensive overhaul of the benefits processing systems, digital services, customer relationship management, and information exchange platforms. The project aims to meet the demands of the future digital environment and enhance customer experience through the adoption of Salesforce technology. The new systems are expected to simplify benefit processes, enhance user experience for both customers, employees and other stakeholders, and ensure adaptability to future legislative changes. Castrén & Snellman provided strategic legal support to PwC throughout its successful bidding process, which was carried out through a competitive negotiated procedure. We extend our warmest congratulations to PwC for their successful bid and look forward to seeing the positive impact of this project on Finland’s social security system.
Case published 24.4.2025
Savings Banks Group – Sale of Sb Life Insurance
We advised the Savings Banks Group on an arrangement whereby the shares in Sp-Henkivakuutus Oy were sold to Henki-Fennia and at the same time the parties agreed on a long-term distribution cooperation for insurance savings and loan protection products. The closing of the transaction remains subject to regulatory approvals. Sb Life Insurance is a domestic life insurance company, established in 2007, offering insurance savings and risk insurance products to private customers and companies. The Savings Banks and Oma Säästöpankki Oyj act as agents for Sp-Life Insurance. Henki-Fennia is a subsidiary of Keskinäinen Vakuutusyhtiö Fennia, specialising in voluntary life, pension and savings insurance.
Case published 11.4.2025
Valio – Acquisition of the Härkis® and Beanit® fava bean brands
We advised Valio Oy in its acquisition of Raisio Oyj’s plant protein business, related fixed assets and the Härkis® and Beanit® fava bean brands. The fixed assets include, among other things, the production equipment of the factory that makes plant protein products in Kauhava. The transaction supports Valio’s strategy to grow from a dairy company to a food company. This business acquisition will make us an even more significant developer and producer of plant-based protein products. The demand for these products will grow in the long term, and a great deal of growth potential still remains. In 2022, we acquired the Gold&Green® business and, since then, we have been carrying out strong product development and renewed the brand. Following successful product launches, sales in the last quarter of 2024 increased by about 50% from the previous quarter. With this acquisition, we are building our own production capacity. The production equipment of the Kauhava factory is just right for our needs and situation. says Kimmo Luoma, Valio’s Senior Vice President. Valio is a Finnish dairy and food company founded in 1905 and owned by Finnish dairy cooperatives. Valio has subsidiaries in Sweden, Estonia, the United States and China. In 2023, the Group had a turnover of EUR 2 278 million and more than 4 000 employees.
Case published 14.2.2025
WithSecure – Sale of cyber security consulting business
We advised WithSecure Corporation in the sale of its cybersecurity consulting business to Neqst. WithSecure is a global cyber security company (listed on NASDAQ OMX Helsinki). Neqst is a Swedish investment firm, focusing on technology companies. The closing of the transaction remains subject to customary conditions and regulatory approvals.
Case published 24.1.2025