Russia's new personal data localization regulations: A step forward or a self-imposed sanction?

The paper represents one of the first comprehensive analyses of Russian personal data localization regulations, which became effective at September 1, 2015. This work describes in detail the main components of the data localization mechanism: triggers of its application, scope, exemptions and enforcement. It also takes into account the official and non-official interpretations of the law by Russian regulators, some of which were developed with the participation of the author. Special consideration is given to the jurisdictional aspects of the Russian data protection legislation and the criteria of its application to foreign data controllers. The author also reveals the rationale behind the adoption of data localization provisions and analyzes their possible impact on foreign companies operating in Russia and implementation of innovative IT-technologies (Cloud computing, Big Data and Internet of Things). The paper concludes that most of the potential benefits of data localization provisions, i.e. in the area of public law, law enforcement activities and taxation. Nevertheless, data localization provisions may still have medium-term positive impact on privacy, since they force all stakeholders to revisit the basic concepts of existing personal data legislation (the notion of personal data, data controller, processing, etc.), thus serving as a driver for re-shaping existing outdated data privacy regulations and crafting something more suitable for the modern IT-environment.