Contributed By King & Spalding
While the cloud services market is relatively established in Russia, with numerous references to cloud computing and cloud data storage in lower-level regulatory acts, as well as in court cases, Russia still has no dedicated regulation or requirements that apply specifically to cloud services. Thus, the normal provision of cloud services is framed contractually within the existing regulation as a service contract or lease of data space, sometimes combined with software licensing.
The use of cloud technology may also fall within the scope of a number of Russian laws and regulations, including the following:
While there are no express restrictions or prohibitions for the use of cloud technology in Russian legislation, certain limitations may apply in specific cases; the one with a particular impact on the market is the rule obliging personal data operators to store and perform certain types of processing of personal data of Russian citizens only in the territory of the Russian Federation.
The banking industry has the strictest regulation, including in respect of data security and threat prevention. The Central Bank of Russia, the competent regulator for the banking industry in Russia, may form additional requirements for data protection and operation of electronic document flow and specific IT products in the banking industry.
Cloud services may also become subject to more extensive regulation under the new Federal Law No 187-FZ 'On safety of critical information infrastructure' (in force since 1 January 2018). While the law itself is mostly descriptive of the so-called critical infrastructure and its elements consisting of information systems, telecom networks, automatic control systems of state authorities and entities as well as private entities in the sphere of healthcare, science, transport, communications, energy, banking and finance and other selected areas, it also creates the framework for possible subsequent tightening of the regulation in the area through lower-level regulatory acts.
The Personal Data Law (Article 18) requires storage and certain types of processing (including recording, accumulation, export and other) with the use of databases located in the territory of the Russian Federation. This restriction limits the use of cloud services with servers located outside Russia considerably and, in practical terms, means that the cloud service providers engaged in such services should maintain local data space in Russia.
Another issue to bear in mind is the Russian regulatory requirement (similar to the EU personal data processing regime) to have individuals’ specific written consent in place for the transfer of personal data to certain jurisdictions that are considered as not providing a sufficient level of personal data protection (and the USA is one example of such a jurisdiction, from the Russian regulator’s perspective). Thus, the transfer of data to the cloud at any stage of processing may require specific written consent if the cloud is based on servers in countries with an insufficient level of personal data protection.
The fact that the data stored in the cloud may be available for access by third parties, other than the operator, including the cloud hosting company, may raise further issues. In fact, the use of the cloud for storage of information itself already affects relevant threat models that data operators are required to draw up for all information systems they employ. Certain levels of potential threats and consequences to processed personal data trigger requirements for application of additional security measures under applicable regulatory acts.
Blockchain technology has been in the spotlight in Russia over the last few years and has been discussed actively by Russian business and government officials. Plans have been announced by competent governmental bodies to develop dedicated regulation for crypto assets and a wider range of technology-based projects. In January 2018 the Ministry of Finance presented the draft of a federal law 'On digital financial assets', which was later submitted to the State Duma (Russian parliament’s lower chamber) for discussions and was adopted in the first reading in May 2018. The draft received a lot of criticism from the experts in both relevant technology and the law in general for providing an extremely narrow approach to the regulation of cryptocurrencies and tokens that could hinder the development of the new market.
The main risk of using blockchain technology is caused by the absence of regulation and the fact that Russian authorities are yet to determine their unified position on the legal qualification and use thereof. For now, there have been a few projects using blockchain technology launched in a 'test mode' in banking and financial services, but only in private transactions that allow wide discretion of the parties involved as regards the terms and the liability split.
A number of Russian banks have formed an association for the development of blockchain-powered projects in banking and financial sectors – Fintech Association – whose head of supervisory board is the deputy head of the Bank of Russia. The Association is actively involved in the development of blockchain-related projects and relevant regulation that may help determine the framework of the market, including relevant risks and liabilities.
Software with blockchain technology is regulated as any other software in Russia, and is subject to the regime of a copyrightable literary work.
There have been broad discussions on whether intellectual property deals and registers may be moved to blockchain. There are no legal impediments for that in respect of intellectual property that does not require mandatory registration under Russian law (such as copyright and related rights; software deals fall within this category too). In terms of trademarks and patents, these are subject to mandatory registration with the Russian Patent and Trademark Office, and any use of blockchain there would require legislative changes.
No rules are set specifically for privacy matters in connection with the use of blockchain technology. In cases when blockchain technology is used in private commercial projects, data privacy issues are resolved contractually or addressed individually by the participant entities. Deals in cryptocurrency would be presumed to be processed via 'e-wallets', for which personal data processing and identification rules are set in the online payments and e-money regulations, and are not specific to blockchain.
There appear to be no measurable service levels for services involving blockchain technology in Russia.
The few cases that have reached Russian courts have involved disputes over assets kept in cryptocurrency, and no jurisdictional issues have been posed. In general, disputes involving blockchain technology may, depending on its subject matter, be subject to mandatory rules of Russian legislation that require certain disputes to be heard and resolved by Russian courts only, or by arbitration tribunals having a seat in Russia and meeting certain criteria.
In the absence of dedicated regulation and a unified legal approach, the courts may lack consistency in their interpretation and legal qualification of crypto assets or other issues relevant to blockchain technology.
The State Duma (lower chamber of the Russian parliament) has commissioned an updated bill of law on users’ big data. The bill of law was returned to the authors for further development in November 2018. The original document was heavily criticised for the attempt to create additional obligations for big data collectors and users in Russia, including the requirement to obtain an informed consent from each data subject (which was logically pointed out as contrary to the very nature of big data processing). If the bill of law sees no material changes, the new regulation may create substantial impediments for companies operating big data.
The applicable legislation is not clear on the legal status of big data, while the authorities (eg, Roskomnadzor, the competent body in the field of privacy) have expressed the understanding that such data may be considered as personal data when collected and used in combination with other information on the data subject that may eventually lead to the identification of such data subject. However, the approach has not been confirmed in any legally binding acts or any formal guidelines or commentaries.
Another issue is related to the proprietary rights to big data. At the moment, there is an ongoing dispute being heard by a Russian court between the company that collected big data from open sources and traded in the result of their statistical analysis and the social networking platform that claims that data collected from web pages of its users should be treated as its property as the contents of database are compiled by the platform. The outcome of the case may have a market-shaping effect for big data projects.
To date, the main challenges for projects involving machine learning within the existing framework of the Russian legislation are those related to the use of big data and/or personal data. Considering the broad interpretation of the definition of personal data by the competent authority, the Federal Service for Supervision in the Sphere of Connection, Information Technologies and Mass Communications (Roskomnadzor, or RKN), there is a risk that virtually any bulk of data can be treated as capable of identifying the individual, and, hence, subject to personal data regulation. However, RKN has not yet addressed the issue specifically in connection with machine learning.
Discussions of liability issues at this point of development and use of technology in Russia are mostly speculative and have little relation to the existing regulation.
As is the case for machine learning, issues related to the use of big data and/or personal data pose the main challenges for projects involving artificial intelligence within the existing framework of the Russian legislation.
Under existing regulation, the liability issues are resolved in the manner similar to cases of liability for software malfunction, defects in hardware or operation, depending on the situation.
The national programme titled 'Digital Economy' adopted in 2017 sets the date 31 July 2019 as the deadline for adoption of a federal law on regulation of the so-called cyber-physical systems, including unmanned vehicles, IoT, smart houses and other technologies. Some of the regulatory measures suggested by various groups working on the draft of the law include establishment of state authority for control, monitoring and certification of relevant devices and systems, and mandatory insurance with the use of an industry-funded reserve. In general, this may be viewed as yet another example of the Russian government’s tendency to overregulate the market even before it develops, and to establish strict control over any technologies involving data processing.
While there are no specific restrictions, general issues related to personal data protection under Russian legislation may apply to operation of connected devices, due to the broad interpretation of what can be considered as information capable of identifying the data subject, as viewed by the Russian regulator.
Specific requirements may apply to relevant hardware; thus, late in December 2018 the State Frequencies Commission introduced a requirement for entities applying for frequencies in 868 MHz bandwidth (LPWAN) (used for the deployment of IoT networks) to use only Russia-produced base stations in construction of their networks starting from 1 December 2020.
Russian legislation contains no rules specific to IT service contracts. Such agreements are normally classified as service contracts, and may additionally contain elements of other types of contracts, such as supply and/or IP licensing.
General risks of operation in the Russian legal framework include the risk of inconsistency in interpretation of contractual provisions and statutory requirements by courts and by regulatory authorities in the absence of specific regulation or established market practices for new types of services or new technologies.
Of note, there is specific tax regulation applicable to the provision of IT services by foreign companies. IT or online services provided by foreign entities that have no physical presence in Russia are subject to Russian VAT that is payable either by the foreign entity directly (which requires a registration as a Russian VAT payer), or, if agents or other intermediaries are involved that provide the IT services to Russian end users (whether corporate or individual), such intermediaries act as tax agents too, and pay the VAT.
The Personal Data Law requires that storage and certain types of processing of personal data pertaining to Russian citizens are performed with the use of databases physically located in the territory of Russia.
For services acquired from Russia-based service providers it is customary for the service provider’s liability to be limited to only direct damages (an approach broadly supported by Russian courts), and to be capped at the total contract value.
Specific restrictions may apply to Russian companies owned or controlled by the state concerning their choice of IT services and products; that is, in many cases such parties are obliged to choose Russian products and services, unless they can prove that the foreign product is irreplaceable.
General Data Collection and Processing
Protection of personal data pertaining to Russian citizens is prioritised. In most cases, with some exceptions, the data subject’s specific and informed written consent is required. However, in contrast to the requirements of the GDPR, Russian operators are not expressly prohibited from making the use of a service conditional upon such consent. Personal data can be processed without consent in a limited number of cases, such as performance under a contract to which the data subject is a party, performance of data operator obligations mandated by law, processing of data made public by the subject, processing for statistical purposes and others. Certain types of sensitive data, including health data, biometric data, information on prior criminal convictions and others require express written consent for processing.
Localisation of Personal Data
The general rule is that Russian citizens’ personal data must be stored and processed with the use of databases located in Russia. There is a limited number of exemptions from this rule, such as use of data for the rendering of justice, cases where processing of personal data is necessary for professional journalistic work, lawful activities of a mass media, or for scientific, literary or other artistic work (all of which are also the exemptions from the obligation to obtain the individual’s consent, as described above). Importantly, by means of official commentary from the Ministry for Digital Development, Connection and Mass Communications it has been confirmed that providers of air transportation services (including their agents) are exempt from the application of the localisation requirement on the ground of international treaty application.
Registration of Personal Data Operators
Operators of personal data are subject to registration with the state authority, Roskomnadzor, by filing a notification prior to commencement of their activities. There are certain exemptions from the requirement to register. Importantly, the list of applicable exemptions does not exactly match the above exemptions for obtaining a data subject’s consent. Such exemptions include processing of data under labour laws, processing of a data subject’s name only, processing of data for the purposes of granting one-time access to premises, processing of personal data without the use of means of automatisation, among others.
Users’ communications data and metadata are subject to collection and storage by operators of communication services, including online data transfer services. In cases specified by law operators are required to provide state authorities with such customer data for investigative and state security purposes. Operators of various online services are also subject to a different type of registration with the same state authority, Roskomnadzor. Telecom and online service operators are required to comply with competent state authorities’ requests to block access to online resources blacklisted for distribution of prohibited information.
Company data protection is not as extensively regulated as personal data, and is usually addressed in the scope and on the terms the entity itself determines. While there are state-enforced sanctions for violation of trade secret obligations, the administrative fines are not high, and the implementation practice is considerably more limited compared with personal data compliance cases. Criminal liability can be imposed for the breach of the trade secret regime, for illegal access to protected computer (electronic) data and for mishandling means of protected computer data storage, transfer or processing. However, statistically such cases do not present any considerable volume.
Confidentiality and non-disclosure agreements are rather broadly used, but are often hard to enforce due to difficulties in proving the breach.
General requirements for protection of information and specific rules for processing of information by various service operators are set forth in the Information Law.
Specific requirements are set for operators of various online services, including operators of instant messaging services, operators of online audiovisual services, so-called organisers of online information distribution and operators of search engines or news aggregators. Some of these operators are required to store customer data and provide such data to competent state authorities for investigative and state-security purposes. Besides, operators are required to comply with requests for blocking access to certain information qualified as illegal in Russia.
Certain categories of information are restricted or prohibited from distribution, including information potentially harmful to children (within the meaning and based on criteria set forth in Federal Law No 436-FZ 'On protection of children against information harmful to their health and development', dated 29 December 2010 (as amended)); information containing calls for riots or public unrest; information distributed in violation of copyright and related rights; pornography; information on methods to commit suicide, to produce or use drugs, and other types of information considered damaging by the state. The blocking tool has been broadly used over the last years, and communications operators are subject to administrative fines for a failure to implement the blocking orders.
Processing of personal data is subject to requirements of the Personal Data Law. Personal data can be processed under the data subject’s consent unless an exemption applies. Personal data operators are required to employ organisational, technical and legal measures of data protection, and to keep certain documents and logs to evidence compliance with legal requirements. Levels of protection and employed measures vary depending on the evaluation of potential threats to the personal data processed by relevant operator. Operators of personal data are required to register with Roskomnadzor.
The practical difficulties that personal data operators face in building up their compliance policies largely result from the interpretation of the statutory requirements by the competent regulatory authority, Roskomnadzor. In the last few years the authority has demonstrated the tendency to interpret legal requirements in an overly broad and conservative way, which puts substantial burden on personal data operators.
There are no legal restrictions on monitoring or limiting the use by employees of company computer resources in the private sector. The entities are required to employ certain measures of data protection, including passwords, restricted access and other measures.
Importantly, despite the generally pro-employee character of Russian labour legislation, which often makes it difficult in practice to dismiss an employee for a one-time wrongdoing, there are cases where courts have upheld the employer’s termination of employees’ contracts for a breach of restrictions concerning e-mailing of work files to private addresses outside the company (which was viewed as putting confidential files in an unsafe environment that amounted to unauthorised disclosure of information).
Russian telecommunications regulation, essentially formed by Federal Law No 126-FZ 'On communications', dated 7 July 2003 (as amended) (the 'Communications Law') and ancillary regulatory acts, is not sufficiently technology-specific. The rules established for the licensing and operation of telecommunication services distinguish between cable, terrestrial on-air and satellite technologies for audiovisual, landline and mobile for telephony, and only a few examples of telecom services involving Internet connection, without much further categorisation. In practice, major telecom operators opt to hold a combination of all categories of available permits to make sure the services they provide are covered.
Internet service providers can choose between or obtain both telecom licences for data transmission services (without voice data) and telematic services, but there are no express legal requirements to license activities of operators providing online services with the use of existing Internet connection provided by another licensed telecom operator. Traditionally, and historically, telecom licensing obligations in Russia have been tied to network infrastructure, while for purely online services the focus is rather made on information protection measures.
Specific requirements are set forth for a limited number of specifically listed types of services in the Information Law. These services are: organisation of online distribution of information (messaging services provided by operators of websites or online applications, including any kind of chat, forum or other means allowing users to exchange comments), instant messaging, online search, online news aggregating websites or applications and online audiovisual services. Obligations of the operators of such services may include (in various combinations): requirements to register with the competent authority (Roskomnadzor), to collect and store customer data, to provide access to customer data to state authorities, to block access to certain information, to identify users, to employ measures of data protection and to review distributed content for compliance with Russian legislation.
Foreign entities are not allowed to hold more than 20% control over Russian online audiovisual services. A similar limitation for the news aggregator services is currently being considered by the legislative authority.
New network connection services on the basis of a telecom infrastructure that fall within one of the types of licensed telecom services are subject to relevant licences and permits to be obtained from Roskomnadzor and other state authorities prior to commencement of such activities in Russia, in accordance with the Communications Law and the Federal Law No 99-FZ 'On licensing of certain types of activities', dated 4 May 2011 (as amended).
Operators of online messaging services and instant messengers (organisers of online information distribution in terms of the Information Law) are required to notify Roskomnadzor on the commencement of their activities either voluntarily or within five days upon receiving relevant request from the authority. News aggregating online services are required to provide relevant information for registration upon request from Roskomnadzor, if the authority considers it qualifying for state registration. Operators of online audiovisual services are required to provide information to Roskomnadzor within ten days upon receiving a relevant request for inclusion of service information in the state register.
Traditional television and radio channels are required to register as Russian mass media and can commence distribution upon obtaining relevant broadcasting licences from the competent state authority, Roskomnadzor.
In accordance with the provisions of the Law of the Russian Federation No 2124-1 'On mass media', dated 27 December 1991 (as amended) (the 'Mass Media Law'), foreign entities and citizens (including holders of dual citizenship), as well as Russian entities with more than 20% direct foreign investment in their capital are not allowed to apply for mass media registrations and broadcasting licences. Moreover, such entities and individuals are banned from owning, controlling or managing directly or indirectly more than 20% of the Russian entity applying for a mass media registration or a broadcasting licence.
The mass media registration procedure takes approximately one month upon filing of the application together with documents confirming the corporate existence and compliance with Mass Media Law requirements with respect to ownership percentage. The state fee depends on the type of mass media and the territory of distribution, with the maximum amounting to RUB10,000 (approximately USD150).
Broadcasting licences can be universal (including all means of distribution) or allow mass media distribution via any of cable, satellite or over-the-air (the latter subject to a separate frequency use permit). Licences are issued within approximately one to one-and-a-half months upon filing of relevant documents confirming compliance with the requirements of the Mass Media Law and payment of the state fee in the amount up to RUB7,500 (approximately USD112). A mass media registration and broadcasting licence are not required to be held by one entity; the functions can be distributed among contractual partners. However, universal broadcasting licences are issued only to parties also holding the relevant mass media registration.
For the carriage/distribution of the television or radio channel, a telecom operator also needs a licence covering the provision of services for television or radio broadcasting of the relevant mass media. A telecom licence for this activity is issued under the Communications Law. These licences can be issued for distribution via cable, satellite or over-the-air networks, upon provision of evidence of a contract entered with the licensed broadcaster.
Online channels can apply for registration as network mass media under similar procedures specified for the traditional mass media. However, such registration is optional under Russian law. Until the adoption of the amendment to the Information Law on online audiovisual services in 2017, online channels were largely unregulated, as very few online channels opted for registration as mass media.
Pursuant to the Information Law, a website or an application is considered as an audiovisual service if it is used to form and/or distribute online an aggregate of audiovisual works accessible for a fee and/or subject to viewing advertising aimed at a Russia-based audience, and if it is accessed by at least 100,000 Internet users based in Russian territory per day. The second characteristic is monitored by Roskomnadzor via access counters that audiovisual services are required to choose from the pre-approved list provided by the regulator and install.
Roskomnadzor monitors the market and identifies services that in its opinion meet the above criteria. If Roskomnadzor considers a service qualifying for registration, it requests relevant information for registration with the state register and monitors compliance with the requirements of the Information Law, which include, among others, full compliance with all the legal requirements set forth for the operation of a 'regular' mass media under the Mass Media Law, and the 20% foreign control limitation.
The definition and regulation for the audiovisual services were introduced with only a few technologies in mind: services designed to watch TV series and films online and on demand upon payment (the so-called online cinemas) and the online versions of channels already registered as mass media. For this reason, one of the restrictions set for the audiovisual services in the Information Law is the prohibition to distribute online mass media that are not registered as Russian mass media in accordance with the requirements of the Mass Media Law.
Organisers of online distribution of information (that definition includes operators of instant messaging services and websites and applications enabling messaging) are required by law to provide state authorities with decryption keys if they use additional encryption of messages or allow their users to do so (Article 10.1 of the Information Law). Failure to comply with this requirement was stated as the legal ground for the decision of Roskomnadzor to block popular instant messaging service Telegram. The messenger representatives claimed that the end-to-end encryption it used made it impossible to provide a fixed set of encryption keys, but the authority persisted and ordered the blocking of the service in Russia (in reality, however, Telegram still remains accessible and operational).
Encryption is required for certain information systems where the level of potential threats to personal data contained in and processed by such system is assessed as material.
Notably, encryption activities in Russia, including use of relevant software, provision of services and import of devices, are subject to licensing and compliance with certain requirements, which include certification of equipment and application of a certain level of data protection measures, among others. The main requirements are set forth in Governmental Decree No 313, dated 16 April 2012, and compliance is monitored by the Federal Security Service of Russia.
The Federal Law No 436-FZ 'On protection of children against information harmful to their health and development', dated 29 December 2010 (as amended), provides for an exemption from time limitations on distribution of certain content on television and radio channels for pay channels received with the use of a decoding device. The provision was interpreted by the market as applicable to pay-TV and radio services delivered via any set-top box device. However, the regulator has expressed a different understanding, stating that additional password encryption is required to qualify for exemption.