Case Study: Data Localization: Russia's Sovereign Internet

"Russia's internet was built as part of the global internet. Russia's government is rebuilding it as an instrument of the state." — Andrei Soldatov and Irina Borogan, The Red Web

Overview

In 2015, Russia enacted Federal Law 242-FZ, requiring that the personal data of Russian citizens be stored on servers physically located within Russia. In 2019, Russia went further: the "Sovereign Internet" law (Federal Law 90-FZ) gave the government the technical ability to disconnect the Russian internet from the global network and to route all domestic internet traffic through government-controlled exchange points.

Together, these laws represent the most aggressive data localization and digital sovereignty program in any major economy outside China. They provide a case study in the extreme end of the localization spectrum — and a warning about how data governance frameworks can be deployed in service of state control rather than citizen protection.

Skills Applied: - Analyzing data localization as a governance tool and a control mechanism - Distinguishing between privacy-protective and surveillance-enabling localization - Evaluating the technical and economic costs of data localization - Understanding the geopolitical dimensions of digital sovereignty

The Legal Framework

Federal Law 242-FZ: Data Localization (2015)

Effective September 1, 2015, Federal Law 242-FZ requires that:

• Operators processing the personal data of Russian citizens must ensure that the recording, systematization, accumulation, storage, amendment, and extraction of such data is performed using databases located within the Russian Federation.
• Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media) is authorized to maintain a register of violators and to restrict access to websites and services that fail to comply.

The law applies to a broad definition of "personal data" — essentially any information relating to an identified or identifiable individual. Exceptions exist for certain cross-border transfers necessary for contractual performance, international treaty obligations, and certain legal proceedings — but these exceptions are narrow and have been interpreted restrictively.

The Sovereign Internet Law (2019)

Federal Law 90-FZ, enacted in November 2019, established the technical infrastructure for what the government termed "RuNet sovereignty":

• All Russian internet service providers must install government-provided "technical means for counteracting threats" (TSPU) — deep packet inspection equipment that allows Roskomnadzor to monitor, filter, and throttle internet traffic.
• All internet traffic must be routed through government-controlled internet exchange points (IXPs), enabling the government to inspect and control data flows between Russia and the global internet.
• The government gained the authority to isolate the Russian internet from the global network entirely in the event of a "threat" — defined broadly enough to include political unrest.

The Sovereign Internet law went beyond data localization: it gave the government the technical capability to control not just where data is stored but how data moves within and across Russia's borders.

Implementation and Enforcement

The LinkedIn Precedent

The first high-profile enforcement action under 242-FZ came against LinkedIn in 2016. Roskomnadzor determined that LinkedIn stored the personal data of Russian users on servers outside Russia (in the United States) and demanded compliance. LinkedIn did not comply. In November 2016, a Moscow court ordered LinkedIn blocked in Russia, making it the first major Western social media platform banned in the country.

The LinkedIn ban served multiple purposes: it demonstrated that the government was willing to enforce the localization requirement against even large Western companies, it tested the technical infrastructure for blocking websites (which would be needed for the Sovereign Internet program), and it sent a signal to other foreign companies operating in Russia.

Selective Enforcement

The government's enforcement of 242-FZ has been notably selective. While LinkedIn was blocked, other major Western platforms — Facebook, Instagram, Twitter — continued operating in Russia for years despite apparent non-compliance. This selective enforcement appeared strategic: blocking all major platforms simultaneously would have provoked public backlash, while selective enforcement created leverage for other negotiations (content moderation demands, cooperation with law enforcement, etc.).

The calculus changed dramatically after Russia's invasion of Ukraine in February 2022. Instagram and Facebook were blocked in March 2022 after Meta allowed posts calling for violence against Russian soldiers. Twitter was throttled and eventually blocked. Google faced escalating fines. The invasion provided the political context for enforcement actions that the data localization law had made technically possible.

The Compliance Response

Major Russian technology companies — Yandex, Mail.ru (VK), and others — had always stored Russian user data domestically. The localization requirement primarily affected foreign companies. Their responses varied:

• Apple and Google: Complied by establishing or leasing data center capacity in Russia for app store and service data.
• Booking.com and other e-commerce platforms: Established Russian data storage for Russian customer data while maintaining global infrastructure for other operations.
• Many smaller companies: Simply ignored the requirement, operating under the assumption that enforcement would not target them. This proved correct for most — Roskomnadzor lacked the resources for comprehensive enforcement.

The Technical Architecture of Control

Deep Packet Inspection

The TSPU equipment mandated by the Sovereign Internet law gives the government unprecedented visibility into Russian internet traffic. Deep packet inspection (DPI) technology can:

• Identify the type of traffic (web browsing, messaging, video streaming, VPN connections)
• Filter specific services or protocols (enabling targeted blocking of VPNs, Tor, and encrypted messaging apps)
• Throttle bandwidth to specific services (making them functionally unusable without formally blocking them)
• Inspect unencrypted traffic content and identify encrypted traffic patterns

Russian authorities have used this infrastructure to throttle Twitter (making the platform load slowly to discourage use), block VPN services (limiting citizens' ability to circumvent censorship), and slow or disrupt independent news websites during politically sensitive periods.

Centralized Routing

By routing all internet traffic through government-controlled exchange points, the Sovereign Internet law created a chokepoint architecture. In normal operation, this architecture enables monitoring and filtering. In crisis, it enables disconnection — the ability to sever Russia's internet from the global network entirely.

Russia has conducted "disconnection tests" to verify the technical feasibility of operating the Russian internet independently. While full disconnection has not been implemented (the economic costs would be enormous), the tests demonstrate that the technical capability exists.

Assessment: Localization as Control

The Privacy Argument

The Russian government justified data localization using language borrowed from European data protection discourse: protecting Russian citizens' personal data from foreign government access, ensuring data security, and asserting national sovereignty over citizens' information.

These justifications contain a kernel of validity. Russian citizens' data stored on US servers is indeed accessible to US intelligence agencies under FISA Section 702. Data localization does, in a narrow technical sense, reduce foreign government access.

But the privacy argument is fundamentally undermined by the domestic context. Russia's SORM (System of Operative-Investigative Measures) program requires all Russian telecommunications providers to install surveillance equipment that gives the FSB (Federal Security Service) direct, real-time access to all communications data — without judicial authorization in practice. Data localization does not protect Russian citizens from surveillance; it ensures that surveillance is conducted by the Russian government rather than foreign governments.

The Sovereignty Argument

Russia's data localization and Sovereign Internet programs are most accurately understood as sovereignty assertions — claims that the state has the right and the capacity to control the information environment within its borders. This is consistent with Russia's broader information control strategy, which includes: restrictive media laws, criminal penalties for "discrediting" the military, the designation of independent media outlets as "foreign agents," and the systematic suppression of opposition voices online.

In this context, data localization is not a data protection measure. It is a component of an authoritarian information control architecture that also includes censorship, surveillance, and propaganda.

The Economic Costs

Data localization imposes significant economic costs:

• Infrastructure costs: Building or leasing data center capacity in Russia for every foreign company that processes Russian citizens' data is expensive, particularly for smaller companies that may exit the Russian market rather than comply.
• Reduced foreign investment: The localization requirement, combined with the broader regulatory environment, has deterred foreign technology companies from investing in Russia.
• Innovation costs: The Sovereign Internet infrastructure adds latency to international communications and limits access to global cloud services, reducing the productivity of Russian technology workers and businesses.
• Brain drain: Restrictive internet policies have contributed to the emigration of Russian technology professionals, particularly after the 2022 invasion of Ukraine.

Lessons for Global Data Governance

Localization Is Not Neutral

Russia's experience demonstrates that data localization is not a neutral governance tool. The same mechanism — requiring data to be stored within national borders — can serve fundamentally different purposes depending on the political context. In a democracy with strong rule of law and independent judiciary, localization may genuinely protect citizens from foreign surveillance. In an authoritarian system without independent oversight, localization ensures that the state has unimpeded access to citizens' data.

This insight is critical for evaluating localization proposals in any jurisdiction. The question is not "Should data be stored domestically?" but "What governance structures exist to prevent the domestic government from abusing its access to domestically stored data?"

The Slippery Slope Is Real

Russia's data governance trajectory illustrates escalation: a data localization requirement (2015) was followed by deep packet inspection infrastructure (2019), which was followed by the technical capability for internet disconnection. Each step made the next more feasible and more politically acceptable. When the invasion of Ukraine created a perceived emergency, the government had the tools to implement sweeping internet censorship within days.

This trajectory is not inevitable in other countries. But it is a warning: governance infrastructure built for benign purposes can be repurposed for authoritarian control if institutional safeguards are absent.

The Limits of Technical Solutions

VPNs, encryption, and Tor have provided Russian citizens with some ability to circumvent censorship and surveillance. But the Sovereign Internet infrastructure's DPI capabilities have made these tools increasingly difficult to use. Technical circumvention is a temporary measure, not a governance solution. Ultimately, the protection of digital rights requires institutional safeguards — independent courts, independent regulators, free press, and democratic accountability — not just technical tools.

Discussion Questions

1. Russia justified its data localization law using privacy language similar to that used in the EU. How can we distinguish between localization motivated by genuine privacy protection and localization motivated by state control? What indicators should analysts look for?

2. The selective enforcement of 242-FZ — blocking LinkedIn while tolerating Facebook's non-compliance for years — suggests that the law was used as a political tool rather than a neutral regulatory requirement. Is selective enforcement inherently illegitimate, or can it be a rational allocation of limited enforcement resources?

3. The Sovereign Internet law gives Russia the technical capability to disconnect from the global internet. Under what circumstances, if any, might a government's ability to isolate its national internet be justified? Is the concept of "digital sovereignty" inherently problematic, or does it have legitimate applications?

4. After the 2022 invasion of Ukraine, many Western technology companies withdrew from Russia or were blocked. Russian citizens lost access to independent information sources at precisely the moment they were most needed. What responsibilities, if any, do global technology companies have to maintain service in authoritarian contexts?

Your Turn: Mini-Project

Option A: Research data localization requirements in three countries beyond Russia (e.g., China, India, Vietnam, Nigeria, Saudi Arabia). For each, identify the stated justification, the actual enforcement pattern, and whether the localization appears to serve privacy, sovereignty, economic, or control objectives. Write a comparative analysis (1,000 words).

Option B: Research the technical capabilities of Russia's TSPU (deep packet inspection) infrastructure. How does it compare to China's Great Firewall? What are its known capabilities and limitations? Write a 1,000-word technical and governance analysis.

Option C: Imagine you are advising a European company that currently has Russian customers and stores their data in Russia under 242-FZ. After the 2022 invasion, the company must decide whether to continue operating in Russia. Write a memo (1,000 words) analyzing the legal, ethical, and business considerations.

References

• Soldatov, Andrei, and Irina Borogan. The Red Web: The Kremlin's Wars on the Internet. New York: PublicAffairs, 2015.

• Ermoshina, Ksenia, and Francesca Musiani. "Migrating Servers, Elusive Users: Reconfigurations of the Russian Internet in the Post-Snowden Era." Media and Communication 5, no. 1 (2017): 42–53.

• Epifanova, Alena. "Deciphering Russia's 'Sovereign Internet Law.'" German Council on Foreign Relations (DGAP), January 2020.

• Nocetti, Julien. "Russia's 'Dictatorship-of-the-Law' Approach to Internet Policy." Internet Policy Review 4, no. 4 (2015).

• Roskomnadzor. Official registry of data localization compliance actions. Available at https://rkn.gov.ru (in Russian).

• Human Rights Watch. "Russia: Growing Internet Isolation, Control, Censorship." Report, June 2020.

• Freedom House. "Freedom on the Net 2023: Russia." Country report.