HomeAnalyticsAlertsData Protection Enforcement in Russia: Recent Regulatory Actions

Data Protection Enforcement in Russia: Recent Regulatory Actions

Russia's data protection regulator, Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media), has substantially intensified enforcement activity against international businesses. Companies that collect, process, or transfer the personal data of Russian residents are now facing higher scrutiny, steeper penalties, and compressed timelines to demonstrate compliance with Russian data protection legislation.

Russia's data protection legislation imposes localisation obligations on any data controller or data processor handling personal data of Russian residents, requiring that such data be stored on servers physically located within Russia. Enforcement activity has escalated sharply, with the regulator conducting proactive audits and issuing formal warnings and fines to both domestic and foreign entities. International companies with active operations, digital platforms, or customer-facing services directed at Russian users must assess their compliance position without delay.

This alert explains what has changed, which businesses are in scope, and the concrete steps required to reduce enforcement exposure.

What has changed and when it takes effect

Russian data protection legislation has required localisation of personal data for a number of years. However, the current enforcement cycle reflects a material shift in regulatory posture. Roskomnadzor has moved from reactive complaint-handling to proactive, targeted inspections across multiple industry sectors simultaneously.

Key developments effective from 2025 include the following. First, administrative penalties under Russia's administrative offences legislation have been substantially increased. The maximum financial sanctions for repeated or aggravated violations now reach levels that represent a meaningful commercial risk for mid-size and large enterprises. Second, the regulator has introduced a system of scheduled and unscheduled inspections specifically targeting foreign-linked entities and digital service providers. Third, the consent mechanism requirements have been tightened: consent obtained through pre-ticked boxes, bundled agreements, or ambiguous language is no longer treated as valid by enforcement authorities.

The regulator has also clarified its position on cross-border data transfer. Any transfer of Russian residents' personal data to servers located outside Russia – even for processing purposes that are incidental or temporary – requires a documented legal basis. Reliance on GDPR compliance programmes as a substitute for local Russian requirements is explicitly rejected by the regulator. The two regimes operate independently.

Companies that relied on transitional or informal arrangements to defer localisation should treat those arrangements as no longer viable. Enforcement timelines are now measured in weeks, not months.

Who is affected and what thresholds apply

The localisation and consent obligations apply to any legal entity or individual entrepreneur that processes personal data of Russian residents, regardless of where the data controller or data processor is incorporated. Foreign companies with no legal presence in Russia are not exempt if their services are directed at Russian users.

The following business categories face the highest immediate exposure.

  • Digital platforms and e-commerce operators with Russian-language interfaces or Russian-resident customer bases
  • Financial services providers, payment processors, and fintech companies handling Russian user data
  • HR and payroll service providers processing employee data for businesses with Russian operations
  • Healthcare and insurance platforms collecting health-related personal data of Russian residents
  • Software-as-a-service vendors whose products are used by Russian corporate clients

There is no minimum-volume threshold below which localisation obligations do not apply. Even companies with a small number of Russian users are technically within scope. In practice, Roskomnadzor prioritises entities with a visible market presence or those that have received user complaints. However, the absence of prior regulatory contact should not be interpreted as implicit approval.

Companies that have undergone corporate restructuring, changed their data hosting arrangements, or launched new products since their last compliance review should treat this alert as a trigger for a full reassessment. The risk of inaction is not theoretical – the regulator has demonstrated a willingness to block access to non-compliant platforms within Russian territory, which produces immediate commercial consequences.

For international companies also operating AI-driven data processing tools in Russia, related obligations under Russia's evolving AI and technology regulation regime may compound the data protection exposure. See our overview of AI and technology law in Russia for a parallel assessment of those requirements.

To receive an expert assessment of your data protection compliance position in Russia, contact us at info@ferrazwhitmore.com.

Immediate actions for international companies

The following five steps represent the minimum response required for companies that process Russian residents' personal data.

  • Map your data flows: Identify every category of personal data collected from Russian residents. Document where that data is stored, who processes it, and whether it is transferred outside Russia. This data mapping exercise is the foundation of any defensible compliance position.
  • Audit your localisation arrangements: Confirm that primary storage of Russian residents' personal data occurs on infrastructure physically located within Russia. Hosting data on foreign cloud servers – even with Russian-based mirrors – may not satisfy the regulator's current interpretation of the localisation requirement.
  • Review your consent mechanism: Audit every consent form, privacy notice, and data collection interface directed at Russian users. Consent must be freely given, specific, informed, and unambiguous. Withdraw and reissue any consent obtained through bundled or pre-ticked mechanisms.
  • Register as a data operator: Entities that have not yet notified Roskomnadzor of their status as a data operator should do so immediately. Failure to notify is itself an administrative offence and will aggravate any subsequent penalty calculation.
  • Document your cross-border data transfer legal basis: For every data transfer outside Russia, identify and record the applicable legal basis under Russian data protection legislation. Relying on standard contractual clauses derived from EU or other foreign regimes is insufficient without a parallel Russian-law analysis.

The compliance review process for a mid-size international operation typically takes four to eight weeks. Companies that are already under inquiry or that have received a Roskomnadzor notice have considerably less time to act. Companies operating across multiple CIS jurisdictions should also review our alert on data protection enforcement in Kazakhstan, where parallel regulatory tightening is underway.

For a full review of your data protection obligations under Russian law, including localisation, consent, and transfer requirements, see our dedicated page on data protection law in Russia.

About Ferraz & Whitmore

Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice covers cross-border personal data compliance, regulatory investigations, and DPA engagement across CIS, European, and Asian markets. We combine Portuguese civil law expertise with English common law tradition to deliver practical, results-oriented advice for international companies operating in complex regulatory environments. Our team includes practitioners with direct experience advising on data transfer and localisation matters in Russia and neighbouring CIS jurisdictions. As an international law firm working with businesses requiring a lawyer in Russia with cross-border data protection experience, we bridge the gap between local regulatory requirements and global compliance programmes. For a preliminary review of your data protection exposure in Russia, contact us at info@ferrazwhitmore.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.