A Moscow court on Tuesday fined Google for failing to store personal data on its Russian users, the latest in a series of fines on the U.S. tech giant amid tensions between the Kremlin and the West over the fighting in Ukraine.
A magistrate at Moscow’s Tagansky district court fined Google 15 million rubles (about $164,200) after the company repeatedly refused to store personal data on Russian citizens inside the country. Google was previously fined over the same charges in August 2021 and June 2022.
Google also was ordered to pay a 3 million ruble (about $32,800) fine in August for failing to delete allegedly false information about the conflict in Ukraine.
Russia can do little to collect the fine, however, as Google’s Russia business was effectively shut down last year after Moscow sent troops into Ukraine. The company has said it filed for bankruptcy in Russia after its bank account was seized by the authorities, leaving it unable to pay staff and suppliers.
The headlines misleading. They have to store any data they store on Russian inside Russia. Not in a foreign (to Russia) server. If they stored no data they would be okay.
This type of policy is generally good for privacy. If a company is limited to storing users data in the user’s country, that country can enforce their privacy laws.
Imagine a Chinese company that operates in the EU. GDPR provides citizens in the EU protections on how they data can be handled and the right to have it deleted. So this Chinese company can’t sell or misuse customer data without the users permission. However, if the company has no assets in the EU then EU courts have no real remedy to GDPR abuses. The Chinese company with EU citizens data in Chinese servers will tell the court to ‘jog on’. However, if the company has to use EU servers then there are assets to target and in extreme cases data to be wiped manually.
Whilst this type of law can protect users privacy when organisation are abusing data (which is the usual situation in liberal countries). It can also aid governments in abusing their citizens data. A company can’t protect their customers from the state the data is stored in very well (if the courts are complicit in the privacy invasion).
If Russia wants access to a Google’s users data their only option is a strongly worded letter, if the data is stored in the US. If the data is stored in Russia the threat of violence or imprisonment can be used.