Data protection & privacy laws in Russia (2026)

Amendments to Article 18 of Federal Law 152-FZ (introduced by Law 420-FZ, Nov 2024) impose an outright ban on collecting Russian citizens' personal data via databases located outside Russia, closing a loophole that had permitted initial collection abroad before transfer to Russian servers. Popular third-party tools such as Google Analytics, Google Forms, and any scripts routing data to foreign servers are now facially non-compliant.

Federal Law No. 420-FZ tiered penalties take effect: fines of RUB 3M–15M scaled to the number of data subjects affected, and repeat offenders face revenue-based fines of 1–3% of annual turnover (floor RUB 20M, ceiling RUB 500M). Breaches involving biometric data attract first-offense fines up to RUB 20M. This replaces the prior nominal penalty cap of RUB 75,000.

Russia enacted Federal Law No. 421-FZ, introducing criminal sanctions for illegal collection, transfer, and use of personal data — including fines, forced labor, and imprisonment up to four years (stricter for children's or biometric data); simultaneously Law 420-FZ sharply raised administrative penalties. This marks Russia's first criminalisation of personal data violations.

The cross-border transfer provisions of Federal Law 266-FZ became effective: operators must notify Roskomnadzor before any cross-border personal data transfer, and transfers to countries without adequate protection now require prior Roskomnadzor approval (10-day statutory review). This systematised and tightened Russia's previously informal international transfer rules.

The most significant revision of 152-FZ since 2014 (signed July 14, 2022) took effect: operators must notify Roskomnadzor of breaches within 24 hours (preliminary notice) and 72 hours (investigation results); consent must be specific and unambiguous; new contractual obligations govern processors; and pre-notification to Roskomnadzor is required for cross-border transfers. International businesses treating Russia as a low-enforcement jurisdiction had to substantially revise compliance programs.

Roskomnadzor blocked LinkedIn across Russia after a Moscow appellate court upheld a lower ruling that LinkedIn violated Law 242-FZ by storing Russian users' data on servers abroad. The first instance of a major foreign platform being blocked for data-localization non-compliance, it served as the definitive enforcement signal to all international technology companies operating in Russia.

Federal Law No. 242-FZ came into effect, accelerated from its original January 2016 date by a 2014 amendment (Law 526-FZ). All operators must now store and process personal data of Russian citizens on servers physically located in Russia; non-compliant sites are eligible for addition to Roskomnadzor's banned-resource registry.

Russia enacted Federal Law No. 242-FZ amending 152-FZ to require that personal data of Russian citizens be collected, stored, and processed exclusively within Russia. One of the earliest and most sweeping data localization mandates among major economies, it established the template later emulated by other jurisdictions and fundamentally altered global cloud-service deployment strategies.

Russia's ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108, signed 2001, ratified May 2013) took effect, making Russia the 46th State Party. The Convention embedded international data-protection principles — purpose limitation, data quality, sensitive-data safeguards — as binding international obligations.

Russia's foundational personal data statute established core definitions, data-subject rights (access, rectification, erasure), operator consent and security obligations, and assigned supervisory authority to Roskomnadzor. Enacted a full decade before the GDPR, 152-FZ remains the backbone of Russia's privacy framework and has been amended more than a dozen times since.