Reviving this thread. As of December 2019 ( https://pravo.ru/news/216269/ ), the Russian Parliament has approved updates to the Russian NR 242 Law which increase the fines for failing to meet data localization requirements (that is, storing data in Russia first) up to 18 mln RUB ($240K). As mentioned before, this change affects those Russian & international companies which collect the personal data of Russian citizens using Marketo forms. Facebook and Twitter have already been fined for failing to meet the requirements ( https://www.marketwatch.com/story/russian-court-fines-facebook-twitter-over-data-storage-2020-02-13 ) - as a warning shot, only 4 mln RUB each ($53K).

We at Leadonance teamed up with leading Russian lawyers with GR experience to provide some insight. Here's a solution that we can recommend, which received legal approval from our team and which was implemented by two software vendors which use Marketo in Russia:

1a) Avoid using native Marketo forms on Russian websites/subdomains/webpages completely and use custom forms instead. The forms would need to
- write personal data to a database located on a server in Russia and only then
- send new leads to Marketo via REST API.
This would require a custom-built solution and a server rented in Russia.

1b) Another solution could be to keep the native forms, but to set up a custom version of the munchkin code on RU subdomains/website pages instead. The new version of the munchkin would first write new leads with their personal data to a database located on a server in Russia, receive confirmation that the data has been stored successfully and only then send the data to Marketo. Evidently this may result in a subpar user experience since the process has to go step-by-step (and some bells and whistles need to be added, e.g. if the Russian server is down, do NOT write to the Marketo database either but show an error instead), but that's the price to pay if you want to keep using Marketo forms in Russia and at the same time comply with the requirements of the law. We went the other route.

2) Regardless of the technical side of the implementation, you have to get consent for transborder data transfer. Roskomnadzor (the Russian federal body for media & telecommunications) didn't put it in writing, but based on the cases that have already been reviewed, it's recommended to do express consent, just like with GDPR. Bottom line: do not pre-check the checkbox with the "I agree to Terms&Conditions" copy, and if you don't have one at all, you really need one. Also, the checkbox being checked should be mandatory for lead submission.

3) And of course, you need to update your terms & conditions to clearly describe where the data would be going - where Marketo servers are located.
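The store-first ordering from points 1a/1b together with the mandatory consent check from point 2, as an added example that is not part of the original post or of the vendors' implementations. SQLite stands in for the database on the server in Russia; the `forward` callable, field names and status strings are hypothetical.

```python
import sqlite3

def open_local_store(path=":memory:"):
    """Stand-in for the database on the server located in Russia."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS leads ("
        "id INTEGER PRIMARY KEY, email TEXT NOT NULL, name TEXT, "
        "consent INTEGER NOT NULL, forwarded INTEGER NOT NULL DEFAULT 0)"
    )
    return db

def handle_submission(form, db, forward):
    """Process one form post and return a status string.

    forward is a hypothetical callable that pushes the lead to Marketo
    (for example over its REST API); it is injected so the ordering
    logic can be exercised without network access.
    """
    # Point 2: consent must be an explicit True coming from a checkbox that
    # is not pre-checked; a missing or falsy value blocks the submission.
    if form.get("consent") is not True:
        return "rejected_no_consent"
    email = (form.get("email") or "").strip()
    if not email:
        return "rejected_invalid"
    # Point 1: commit to the local store first and wait for confirmation.
    try:
        with db:  # commits on success, rolls back on error
            cur = db.execute(
                "INSERT INTO leads (email, name, consent) VALUES (?, ?, 1)",
                (email, form.get("name")),
            )
        lead_id = cur.lastrowid
    except sqlite3.Error:
        # Local server down: show an error and do NOT send to Marketo.
        return "error_local_store"
    # Only after the confirmed local write is the lead sent onward.
    try:
        forward({"email": email, "name": form.get("name")})
    except Exception:
        # Assumption: the row stays forwarded=0 so a later job can retry.
        return "stored_not_forwarded"
    with db:
        db.execute("UPDATE leads SET forwarded = 1 WHERE id = ?", (lead_id,))
    return "forwarded"
```

The `forwarded` column gives an auditable record of which locally stored leads have left the country and which are still pending.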