In this uncertain time, some global companies are announcing that they are “leaving Russia.” What does it mean to “leave Russia,” and what are the data privacy implications of doing so? Setting aside the broader business, political, and other legal considerations, the following are some initial thoughts on these challenging and rapidly developing data privacy issues.
What does it mean for a global company to “leave Russia”? The specifics of the answer to this question depends on each company’s approach and timing, which may vary based on industry sector, risk tolerance, expectations of how long and how deep the current crisis will go, and other factors. Fundamentally, “leaving” Russia likely involves the cessation of engaging in the provision of products and services in Russia. With the overlay of the complexity of rapidly developing sanctions restrictions, there are a wide range of employment, real estate, banking, and other substantive legal issues in this context.
But what about the collection and processing of personal data, such as data about the company’s identified or identifiable employees, consumers, patients, business contacts and other individuals in Russia (“Personal Data“)? Russia’s data localization rules, set in place many years ago, have caused many companies to retain Personal Data in Russia, either on their own servers or on servers of local vendors. When leaving Russia, companies at least in principle may have at least three options for the disposition of Personal Data: (1) transfer Personal Data outside Russia; (2) retain Personal Data in Russia; or (3) delete Personal Data in Russia. Each of these approaches involves risk, but here are some initial considerations.
(1) Transfer Personal Data outside Russia. Although the specifics might vary, the idea is that the company would transfer a copy of the Personal Data outside Russia. The primary benefit of this approach is that it would preserve the integrity of such a copy of the Personal Data across a timeframe where otherwise there might be no locally-engaged employees and/or vendors to assure proper privacy and security controls for such data. The downside risks to this approach include that outbound transmission of Personal Data from Russia to third countries can attract rigorous express consent and other data transfer restrictions, which may be difficult to address in the current environment. Also, data localization requirements will still in principle require that the original version of the Personal Data must still be retained in Russia (even if a copy is transferred).
(2) Retain Personal Data in Russia. Another option would be to seek to retain the Personal Data in Russia (and not transfer such data) on the same internal servers or vendor servers where such data is currently hosted. The primary benefit of this approach is that, if such data is properly retained for the duration of the crisis, then the data should be available for the company to continue to use if/when the crisis has passed and business operations resume. The downside risks to this approach include that the company might not be able to effectuate appropriate privacy and security controls for such data during the course of the crisis, and could accumulate data breach notification and other obligations if the data is subject to hacking or other misuse/unauthorized processing.
(3) Delete Personal Data. A third option would be to delete the Personal Data held in Russia. The primary benefit of this approach is that the company would have no ongoing responsibilities to maintain the privacy and security of such Personal Data during a time when it may not have locally-employees and/or vendors that can maintain appropriate controls. The downside risks include that the company may need at least some Personal Data to wind down the business and/or to address certain tax, employment and/or record retention requirements. Also, from a business perspective, except where a copy of the Personal Data already resides abroad, the data would no longer be available for the company to continue to use once the crisis has passed and business operations resume.
Practical implications. There is no one-size-fits-all answer to these complex and rapidly developing data privacy issues. Companies may decide to take different approaches to different data sets, and may have different constraints and limitations on how they can effectuate certain options. Also, companies may have different views on the expected duration of the crisis, and differing expectations as to the value of their data over time (e.g., consumer data may become less valuable as time goes on), which could also influence the identification of the preferable (or least bad) approach for that data set for that company.