All personal data on Russian citizens must be stored on servers physically located in Russia — where the FSB can reach it.
Federal Law No. 242-FZ requires any company processing Russian citizens' personal data to store and process it on servers located within the Russian Federation.
Enacted in 2015, the law requires primary storage and processing of Russian personal data on Russian soil. Roskomnadzor (the federal communications regulator) enforces compliance. Companies that refuse are blocked — LinkedIn was banned in Russia in 2016 for non-compliance. The law works in tandem with SORM: data must be stored where the FSB already has direct wiretap access.
The combination is deliberate. Data localisation ensures the data is physically accessible to Russian intelligence. SORM ensures they can access it without the company's knowledge. For any product with Russian users — VK, Yandex, Telegram (contested), Kaspersky — user data sits on servers where the FSB has unfettered access. Telegram was blocked for 2 years (2018-2020) for refusing to hand over encryption keys, though the block was largely ineffective.
The law applies to any company doing business with Russian citizens, including VK (100M+ users), Yandex (search, email, maps), Mail.ru and Kaspersky. Foreign companies either comply (Apple reportedly moved some iCloud data to Russian servers before 2022) or get blocked. Since the 2022 invasion of Ukraine, many Western companies have withdrawn, but Russian users on domestic platforms remain fully exposed.
Aleksei Navalny's associates had their communications intercepted via SORM-accessible infrastructure. Journalists, opposition figures, and LGBT activists have been identified and targeted using data stored under localisation requirements. In 2019, a leaked database of 20 million Russian tax records appeared online — data that was required to be stored domestically.