Contributed By King & Spalding
Despite the existence of an established market for cloud services in Russia, there is no regulation specifically and exclusively dedicated to provision of such services, or technical requirements. Normally, specific terms are set in a relevant contract, framed within the existing regulation as a service contract or lease of data space, sometimes combined with software licensing.
The use of cloud technology may also fall within the scope of a number of Russian laws and regulations, including the following:
Among other limitations that may apply in certain cases, one particular provision of the Russian legislation may impact cloud storage services the most – namely, the requirement for storage and certain other types of processing of personal data of Russian citizens to be performed with the use of databases located in Russia.
The banking industry has the strictest regulation, including in respect of data security and threat prevention. The Central Bank of Russia, the competent regulator for the banking industry in Russia, may form additional requirements for data protection and operation of electronic document-flow and specific IT products in the banking industry.
Additional data security requirements are set for health data, subject to exceptions available for platforms participating in projects with an experimental regulation regime (such as under the Federal Law No 123-FZ, On AI regulation experiment, dated 24 April 2020).
The Federal Law No 187-FZ, On safety of critical information infrastructure, dated 6 July 2017 (in force since 1 January 2018) created the framework for tightening of the requirements for both state and private information systems, telecom networks, automatic control systems in the sphere of healthcare, science, transport, communications, energy, banking and finance and other selected areas. However, in the past three years this regulation has hardly developed beyond a basic requirement for data and system security.
Personal Data Issues
The Personal Data Law (Article 18) requires storage and certain types of processing (including recording, accumulation, export) with the use of databases located in the territory of the Russian Federation. This restriction considerably limits the use of cloud services with servers located outside Russia and, in practical terms, means that the cloud service providers engaged in such services should maintain local data space in Russia or risk paying significant fines and potential blocking of access to online resources in the territory of Russia.
Another issue to bear in mind is the Russian regulation requirement (similar to the EU personal data processing regime) to have individuals’ specific written consent in place for the transfer of personal data to certain jurisdictions that are considered as not providing a sufficient level of personal data protection; the USA is one example of such a jurisdiction, from the Russian regulator’s perspective. Thus, the transfer of data to the cloud at any stage of processing may require specific written consent if the cloud is based on servers in countries with an insufficient level of personal data protection.
The fact that data stored in the cloud may be available for access by third parties, other than the operator, including the cloud-hosting company, may raise further issues. In fact, the use of cloud for storage of information itself already affects relevant threat models that data operators are required to draw for all information systems they employ. Certain levels of potential threats and consequences to processed personal data trigger requirements for application of additional security measures under applicable regulatory acts.
Amendments to the Russian Civil Code, in force since 1 October 2019, introduced the definition of "digital rights", the scope and realisation of which depend on the rules set in an information system. These general provisions contain little detail and remain a declaration until the adoption of further regulation.
Following many years of discussions among Russian business and government representatives, a number of projects in development and great anticipation from the market, the Federal Law No 259-FZ, On digital financial assets, digital currency and on amending certain legislative acts of the Russian Federation, was adopted on 31 July 2020 and came into force on 1 January 2021. Despite earlier expectations and criticism of the draft of the new law, the new regulation effectively restricted turnover of cryptocurrency on the Russian market.
Risk and Liability
Use of digital currency (the term used in the new law) as payment for goods and services is prohibited in Russia, as well as advertising of any goods and services which can be paid for with digital currency. On the other hand, mining and use in other transactions are allowed subject to specific regulation that is yet to be developed. While the ancillary regulation is in development, any activities with the use of cryptocurrencies on the Russian market remain at risk.
Issuance and turnover of tokens and coins – or "digital financial assets" (DFAs) – defined in the new law as digital rights “issuance, accounting and turnover of which are only possible by making amendments to the records in the distributed ledger information systems, or other information systems” – now fall under strict legal requirements, including requirements for disclosure of certain information and maintenance of elaborate and formal guidelines for all processes. Operators of information systems used for issuance of DFAs are subject to state registration which is only available to Russian companies meeting certain qualification and business reputation criteria.
Separate entities, the exchange operators, are responsible for exchange of DFAs for other DFAs, other digital rights, as well as exchange for DFAs issued outside of Russia. Only credit organisations, trade organisations or entities meeting certain criteria set by law – such as charter (share) capital of no less than RUB50 million – can act as DFA exchange operators. Exchange operators are subject to registration in a register maintained by the Bank of Russia.
Software with blockchain technology is regulated as any other software in Russia, and has a regime of a copyrightable literary work.
There have been broad discussions on whether intellectual property deals and registers may be moved to blockchain. There are no legal impediments for that in respect of intellectual property that does not require mandatory registration under Russian law (such as copyright and related rights, as well as software deals). In terms of trade marks and patents, these are subject to mandatory registration with the Russian Patent and Trade Mark Office, and any use of blockchain there would require legislative changes.
The new Law on Digital Financial Assets requires information system operators whose networks are used for issuance and turnover of digital financial assets (tokens) to keep registers of their users and transactions and to store such user identification data and transaction logs for no less than five years upon exclusion of each relevant user from the register.
Operators of information systems are required by law to provide data from the systems to state authorities, including courts and enforcement authorities, upon request.
Ancillary regulation to be developed may introduce specific requirements for systems’ security and data protection measures.
There appear to be no measurable service levels for services involving blockchain technology in Russia.
The Law on Digital Financial Assets extends the prohibition on accepting cryptocurrency as payment for goods and services to foreign individuals who spent no less than 183 days in 12 consecutive months in the territory of Russia, as well as to all Russia-based representative offices and branches of international organisations or foreign legal entities.
The above law applies to all issues related to issuance, turnover and records of transactions with digital financial assets in the territory of the Russian Federation, including those involving foreign citizens and entities.
The few blockchain-related cases that have reached Russian courts in the last few years have involved disputes over assets kept in cryptocurrency, and no jurisdictional issues have been flagged.
A few bills of law on regulation of big data were developed and discussed among various state authorities in 2018–20, including a bill of law developed by the Ministry for Digital Development, Connection and Mass Communications at the end of 2019. None of these projects were submitted to the State Duma (the lower chamber of the Russian Parliament). In December 2020, the Russian government announced plans to introduce in spring 2021 two bills of law concerning big data: one dedicated to experimental legal regimes in various industries, and the other to the use of data, including state-generated data, for development and introduction of artificial intelligence technologies.
In terms of the regulation, the legal status of big data is in a grey area, while the authorities (Roskomnadzor, the competent body in the field of privacy) have expressed the understanding that such data may be considered as personal data when collected and used in combination with other information on the data subject that may eventually lead to the identification of such data subject. However, the approach has not been confirmed in any legally binding acts or any formal guidelines or commentaries.
One dispute ongoing since 2017 was expected to provide some precedent value for future big data projects, depending on the court’s decision whether a company can collect big data available on a social network and trade in the result of statistical analysis or if such data should be considered the network’s property as the contents of the database compiled by the platform. The case was returned for review in first instance in summer 2018 and remains pending to this day.
To date, the main challenges for projects involving machine learning within the existing framework of the Russian legislation are those related to the use of big data and/or personal data. Considering the broad interpretation of the definition of "personal data" by the competent authority, the Federal Service for Supervision in the Sphere of Connection, Information Technologies and Mass Communications (Roskomnadzor, or RKN), there is a risk that virtually any bulk of data can be treated as capable of identifying the individual, and, hence, subject to personal data regulation. However, RKN has not yet addressed the issue specifically in connection with machine learning.
The above issue may be resolved in the upcoming bill of law on the use of data, including state-generated data, for development and introduction of artificial intelligence technologies that is expected to be introduced in spring 2021.
Machine learning is mentioned in some declarations and programmes describing future plans for development and support of new technologies in Russia, which contain very few specifics. Apart from that, there is a reference to a possible use of depersonalised medical data collected in the state-operated integrated electronic medical chart system for the purposes of development of machine learning methods and algorithms to support medical decisions.
Artificial Intelligence (AI)
Technologies based on artificial intelligence (AI) became the new focus of Russia’s legislative and governmental initiatives in the last year following the Presidential Decree No 490, On development of artificial intelligence in the Russian Federation, dated 10 October 2019. The Federal Law No 258-FZ, On experimental regulation in the sphere of digital innovation, dated 31 July 2020, provides a framework for expedited development of technologies in such areas as speech recognition, machine support for decision making, neuro-interface, quantum technologies and others. The experiment to set specific regulations to enable necessary conditions for the development and introduction of artificial intelligence technologies is currently held in Moscow until 2025 under the terms of the Federal Law No 123-FZ, dated 24 April 2020.
Following some of the public announcements and requests made by the President, the government announced legislative plans for 2021, including specific regulation for use of data for development of AI solutions, and further regulation on experimental legal regimes in various industries.
This regulation mainly establishes terms of access for companies to participate in technology research and benefit from specific regulation. The access is controlled by the state, which to a certain extent affects the shape of the Russian AI technology market at this point in time.
Under the existing framework outside of specific experimental regimes, the main challenges for projects involving artificial intelligence, as is the case for machine learning, are related to the use of big data and/or personal data.
Under existing regulation, liability issues are resolved in the manner similar to cases of liability for software malfunction, defects in hardware or operation, depending on the particular situation.
Specific requirements concerning machine-to-machine communications are set in some of the specific regulatory acts concerning relevant bandwidths and equipment used for the Internet of Things (IoT) networks. Use of all-purpose devices with maximum radiated power of 25 MW is allowed in certain bandwidths without applying for state permits to use frequencies and radio frequency channels.
Starting from 1 December 2020, one of the conditions to build IoT networks in 868 MHz bandwidth (LPWAN) is to use Russia-based stations with the status of communications equipment produced locally. A few preliminary national standards have been in place since 2019–20 to provide non-mandatory guidance on basic requirements for IoT systems. A second set of national standards, including a preliminary standard for LoRaWAN (Long Range Wide Area Networks) protocol, was adopted in early February 2021. Preliminary standards are introduced to gather data on their application and may be subject to amendments or termination.
While there are no specific restrictions, general issues related to personal data protection under Russian legislation may apply to operation of connected devices, due to the broad interpretation of what can be considered as information capable of identifying the data subject, as viewed by the Russian regulator.
Specific Features of Local Legal Framework
Russian legislation contains no rules specific to IT service contracts. IT service contracts are normally classified as agreements for provision of services under Russian civil legislation, and may additionally contain elements of other types of contracts, such as supply and/or IP licensing.
General risks of operation in the Russian legal framework include the risk of inconsistency in interpretation of contractual provisions and statutory requirements by courts and by regulatory authorities in the absence of specific regulation or established market practices for new types of services or new technologies.
Specific rules apply to the form of the agreement under Russian regulation. Amendments made to the Civil Code in 2019 provided a statutory confirmation of the possibility to execute written contracts in electronic form. However, the regulation on electronic signature remains complicated, with different types of signatures and levels of binding force, all of which makes it less convenient to use and affects the prevalence of the technology on the Russian market.
Of note, there is specific tax regulation applicable to the provision of IT services by foreign companies. Foreign entities providing IT or online services in Russia are required to pay Russian VAT. Starting from 1 January 2019, the legislation was slightly amended to require that foreign entities always register as Russian taxpayers and pay the due tax directly, rather than engaging local agents and intermediaries to act as tax agents (a practice that was widespread by that time).
Following the confusion on the market and the risk of decrease in payments, the Russian Federal Tax Services published a letter in April 2019 to clarify that, in case a Russian buyer of electronic services calculates and pays the VAT itself, the foreign provider cannot be addressed with requests to pay the same amounts.
Applicable Mandatory Law
The Personal Data Law requires that storage and certain types of processing of personal data pertaining to Russian citizens be performed with the use of databases physically located in the territory of Russia. Failure to do so results in considerable administrative fines.
For services acquired from Russia-based service providers, it is customary for the service provider’s liability to be limited to only direct damages (an approach broadly supported by Russian courts), and to be capped at the total contract value.
Specific restrictions may apply to Russian companies owned or controlled by the Russian state concerning their choice of IT services and products. In many cases, such parties are obliged to choose Russian products and services, unless they can prove that the foreign product is irreplaceable.
General Data Collection and Processing
Protection of personal data pertaining to Russian citizens is prioritised. In most cases (with some exceptions), a specific and informed data subject’s written consent is required. However, in contrast to the requirements of the EU's GDPR, Russian operators are not expressly prohibited from making the use of a service conditional upon such consent. Personal data can be processed without consent in a limited number of cases, such as performance under a contract to which the data subject is a party, performance of data operator obligations mandated by law, processing of data made public by the subject, processing for statistical purposes and others. Certain types of sensitive data, including health data, biometric data, information on prior criminal convictions and others, require express written consent for processing.
Localisation of Personal Data
The general rule is that Russian citizens’ personal data must be stored and processed with the use of databases located in Russia. There are a limited number of exemptions from this rule, such as use of data for the rendering of justice, cases where processing of personal data is necessary for professional journalistic work, lawful activities of a mass media, or for scientific, literary or other artistic work (all of which are also the exemptions from the obligation to obtain the individual’s consent, as described above). Providers of air transportation services (including their agents) are exempt from the application of the localisation requirement on the ground of international treaty application.
Starting from 2 December 2019, administrative fines for non-compliance with the personal data localisation requirements amount to up to RUB6 million for the first violation and up to RUB18 million for the repeated violation.
Registration of Personal Data Operators
Operators of personal data are subject to registration with the state authority, Roskomnadzor, by filing a notification prior to commencement of their activities. There are certain exemptions from the requirement to register. Importantly, the list of applicable exemptions does not exactly match the above exemptions from the requirement for obtaining a data subject’s consent. Such exemptions include: processing of data under labour laws; processing of data subjects’ names only; processing of data for the purposes of granting one-time access to premises; and processing of personal data without the use of means of automatisation.
Users’ communications data and metadata are subject to collection and storage by operators of communication services, including online data transfer services. In certain cases specified by law, operators are required to provide state authorities with such customer data for investigative and state security purposes. Operators of various online services are also subject to a different type of registration with the same state authority, Roskomnadzor. Telecom and online service operators are required to comply with competent state authorities’ requests to block access to online resources blacklisted for distribution of prohibited information.
Distinction Between Companies/Individuals
Personal data – that is, any data that can be used for identification of individuals – is strictly protected by law with sanctions for administrative offences and criminal acts.
Company data protection is not as extensively regulated as personal data, and is usually addressed in the scope and on the terms the entity itself determines. While there are state-enforced sanctions for violation of trade secret obligations, the administrative fines are not high, and the implementation practice is considerably more limited compared with personal data compliance cases. Criminal liability can be imposed for breach of the trade secret regime, for illegal access to protected computer (electronic) data and for mishandling means of protected computer data storage, transfer or processing. However, statistically such cases do not present any considerable volume.
Basic cybersecurity expectations are laid down in Article 16 (Protection of Information) of the Information Law that provides that the protection of information should be secured via a range of measures, including prevention of unauthorised access, hacking and cyber-attacks.
Confidentiality and non-disclosure agreements are rather broadly used, but are often hard to enforce due to difficulties in proving the breach.
General Processing of Data
General requirements for protection of information and specific rules for processing of information by various service operators are set forth in the Information Law.
Specific requirements are set for operators of various online services, including operators of instant messaging services, operators of online audio-visual services, so-called organisers of online information distribution and operators of search engines or news aggregators. Some of these operators are required to store customer data and provide such data to competent state authorities for investigative and state-security purposes. Besides, operators are required to comply with requests for blocking access to certain information qualified as illegal in Russia.
Certain categories of information are restricted or prohibited from distribution, including:
The blocking tool has been broadly used over the last years, and communications operators are subject to administrative fines for a failure to implement the blocking orders.
Processing of Personal Data
Processing of personal data is subject to requirements of the Personal Data Law. Personal data can be processed under the data subject’s consent unless an exemption applies. Personal data operators are required to employ organisational, technical and legal measures of data protection, and to keep certain documents and logs to evidence compliance with legal requirements. Levels of protection and employed measures vary depending on the evaluation of potential threats to the personal data processed by the relevant operator. Operators of personal data are required to register with Roskomnadzor.
The practical difficulties that personal data operators face in building up their compliance policies largely result from the interpretation of the statutory requirements by the competent regulatory authority, Roskomnadzor. In the last few years, the authority has demonstrated the tendency to interpret legal requirements in an overly broad and conservative way, which puts a substantial burden on personal data operators.
There are no legal restrictions on monitoring or limiting the use by employees of company computer resources in the private sector. The personal data regulation requires all companies processing personal data (including employees’ data) to employ certain measures of data protection. While the law describes these measures in more or less general terms, the specific choice and methods of enforcement are left at each operator’s discretion. Some businesses may be subject to more elaborate industry-specific requirements, such as banks and other financial and credit institutions, or entities processing sensitive data or large amounts of data.
Russian personal data protection regulation does not establish substantial sanctions in cases of major breaches or data loss incidents, which makes the risks for companies less direct and immediate.
Importantly, despite the generally pro-employee character of Russian labour legislation – which often makes it difficult, in practice, to dismiss an employee for a one-time wrongdoing – there are cases where courts have upheld the employer’s termination of employees’ contracts for a breach of restrictions concerning emailing of work files to private addresses outside the company (which was viewed as putting confidential files in an unsafe environment that amounted to unauthorised disclosure of information).
Technologies Falling within the Scope of Local Rules
Russian telecommunications regulation, essentially formed by Federal Law No 126-FZ, On communications, dated 7 July 2003 (as amended) (the “Communications Law”) and ancillary regulatory acts, is not sufficiently technology-specific.
The rules established for the licensing and operation of telecommunication services distinguish between cable, terrestrial on-air and satellite technologies for audio-visual, landline and mobile for telephony, and only a few examples of telecom services involving internet connection, without much further categorisation. In practice, major telecom operators opt to hold a combination of all categories of available permits to make sure the services they provide are covered.
Internet service providers can choose between or obtain both telecom licences for data transmission services (without voice data) and telematic services, but there are no express legal requirements to license activities of operators providing online services with the use of an existing internet connection provided by another licensed telecom operator. Traditionally, and historically, telecom licensing obligations in Russia have been tied to network infrastructure, while for purely online services the focus is rather made on information protection measures.
Voice-over-IP (VoIP) is generally mentioned in the regulation as allowed for the interconnection of networks. VoIP operators fall under the Communications Law requirement to keep certain information in Russia – including information about the facts of receipt, transmission, delivery and processing of voice information such as sounds – for up to three years.
Other specific requirements are set forth for a limited number of specifically listed types of services in the Information Law. These services are:
Obligations of the operators of such services may include (in various combinations):
RFID tags are not specifically regulated at the federal law level. However, these have been implemented for many years, and have been reflected in certain national standards. One example is the National Standard adopted on 8 December 2011, Information technology. Radio frequency identification for item management. Recommendations for application. Part 1. RFID-enabled labels and packaging supporting ISO/IEC 18000-6C.
A national standard is a document that is developed by the state agencies in the relevant industry and sets forth the technical characteristics of goods, works or services. National standards are registered by the Federal Agency for Technical Regulation and Metrology as GOSTs (gosudarstvennyy standart; this acronym, standing for “state standard”, has remained in use since the Soviet Union). International standards developed by the International Organization for Standardization (ISO) can also be registered and made available in Russia as GOSTs. Compliance with the characteristics specified in a GOST is not mandatory, unless it is declared or promoted by the manufacturer or provider.
Other references to RFID tags may be found in regulations addressing identification and turnover control over specific products (eg, natural fur or car tyres) at the level of Russia’s international co-operation within the Eurasian Economic Commission.
Requirements Prior to Bringing a Product/Service to the Market
New network connection services on the basis of a telecom infrastructure that fall within one of the types of licensed telecom services are subject to relevant licences and permits to be obtained from Roskomnadzor and other state authorities prior to commencement of such activities in Russia, in accordance with the Communications Law and the Federal Law No 99-FZ, On licensing of certain types of activities, dated 4 May 2011 (as amended).
Operators of online messaging services and instant messengers (organisers of online information distribution in terms of the Information Law) are required to notify Roskomnadzor on the commencement of their activities either voluntarily or within five days upon receiving relevant request from the authority. News-aggregating online services are required to provide relevant information for registration upon request from Roskomnadzor, if the authority considers it qualifying for state registration. Operators of online audio-visual services are required to provide information to Roskomnadzor within ten days upon receiving a relevant request for inclusion of service information in the state register.
Main Requirements for Providing an Audio-Visual Service
Traditional television and radio channels are required to register as Russian mass media and can commence distribution upon obtaining relevant broadcasting licences from the competent state authority, Roskomnadzor.
In accordance with the provisions of the Law of the Russian Federation No 2124-1, On mass media, dated 27 December 1991 (as amended) (the “Mass Media Law”), foreign entities and citizens (including holders of dual citizenship), as well as Russian entities with more than 20% direct foreign investment in their capital, are not allowed to apply for mass media registrations and broadcasting licences. Moreover, such entities and individuals are banned from owning, controlling or managing directly or indirectly more than 20% of the Russian entity applying for a mass media registration or a broadcasting licence. Documents confirming compliance with this restriction are to be submitted with the applications.
The mass media registration procedure takes approximately one month upon filing of the application, together with documents confirming the corporate existence and compliance with Mass Media Law requirements with respect to ownership percentage. The state fee depends on the type of mass media and the territory of distribution, with the standard fee for mass media distributed in the entire territory of Russia amounting to RUB8,000 and the fee for adult media distributed in the entire territory of Russia amounting to RUB80,000.
Broadcasting licences can be universal (including all of the following means of distribution: cable, satellite and over-the-air) or allow mass media distribution via cable only. Over-the-air or satellite broadcasting requires obtaining state permission for use of relevant frequencies. Frequencies in cities and locations with more than 100,000 residents are distributed via state-held auctions. Licences are issued electronically (by means of updating the relevant state register and without issuance of a paper certificate); the process takes approximately one to one-and-a-half months, upon filing of relevant documents confirming compliance with the requirements of the Mass Media Law and payment of the state fee in the amount of up to RUB7,500. A mass media registration and broadcasting licence are not required to be held by one entity and the functions can be distributed among contractual partners. However, universal broadcasting licences are issued only to parties also holding the relevant mass media registration.
For the carriage/distribution of the television or radio channel, a telecom operator also needs a licence covering the provision of services for television or radio broadcasting of the relevant mass media. A telecom licence for this activity is issued under the Communications Law. These licences can be issued for distribution via cable, satellite or over-the-air networks, upon provision of evidence of a contract entered with the licensed broadcaster.
Application for Online Video Channels and VOD Services
Online channels can apply for registration as network mass media under similar procedures specified for the traditional mass media. However, such registration is optional under Russian law. Until the adoption of the amendment to the Information Law on online audio-visual services in 2017, online channels were largely unregulated, as very few online channels opted for registration as mass media.
Pursuant to the Information Law, a website or an application is considered as an audio-visual (VOD) service if it is used to form and/or distribute online an aggregate of audio-visual works accessible for a fee and/or subject to viewing advertising aimed at a Russia-based audience, and if it is accessed by at least 100,000 internet users based in Russian territory per day. The second characteristic is supposed to be monitored by Roskomnadzor via access counters that audio-visual services were required to install on their own accord.
Upon adoption of the new legislation, the expectation was that Roskomnadzor would monitor the market and identify services that, in its opinion, meet the above criteria to request relevant information for registration with the state register and further monitoring of compliance with the requirements of the Information Law. However, the register of the VOD services was not formed until December 2020.
Two main ownership restrictions are set by Russian law on VOD services. Firstly, the Russian ownership requirement: the owner of an audio-visual service must be a Russian company or a Russian individual with no dual citizenship. Secondly, the foreign ownership restriction: foreign ownership of a VOD service is limited to 20%, held individually or in aggregate and directly or indirectly, if the foreign investor operates an audio-visual service having a Russian audience of 50% or less of its worldwide audience. Shareholding or control exceeding 20% is subject to a special approval by the Governmental Commission consisting of representatives of ministries and state agencies, state and major private media companies. In reviewing the applications for the approval of larger shareholdings, the Commission is to evaluate the benefits of allowing a foreign input, including cultural and educational functions in the content on the applicant’s VOD platform.
Following almost four years of no news on any application of the VOD regulation, in September 2020 Netflix announced a deal with a Russian media holding company, NMG, that will be responsible for distribution of the Russian version of the platform in the country.
Mass media registered as online media in Russia, search engines and resources with user-generated content are expressly excluded from the application of the VOD regulation. Among the restrictions set for the operators of VOD services in Russia is the prohibition on distributing mass media that are not registered as Russian mass media in accordance with the requirements of the Mass Media Law.
Legal Requirements Governing the Use of Encryption
A number of regulatory provisions require use of certified encryption (cryptography) means, especially the provisions concerning identification for the purposes of provision of electronic state and notarisation services, financial and medical services. Relevant provisions and requirements can be found in legislation on electronic signature, notary services, personal data protection and, most recently, the state’s unified biometric system designed to include bulk data on Russian citizens that would facilitate identification procedures in different areas of services and procedures involving the state agencies and authorities (see Federal Law No 479-FZ, dated 29 December 2020).
Encryption is required for certain information systems where the level of potential threats to personal data contained in and processed by such system is assessed as material.
When encryption is required, the legal acts refer to the use of certified cryptography, meaning the instruments that were certified by the Russian Federal Security Service. One of the requirements for such certification is to use Russian encryption algorithms.
Organisers of online distribution of information (which by definition includes operators of instant messaging services and websites and applications enabling messaging) are required by law to provide state authorities with decryption keys if they use additional encryption of messages or allow their users to do so (Article 10.1 of the Information Law). Failure to comply with this requirement was stated as the legal ground for the decision of Roskomnadzor to block the popular instant messaging service Telegram, despite the claims that the end-to-end encryption it used made it impossible to provide a fixed set of encryption keys.
Encryption activities in Russia, including use of relevant software, provision of services and import of devices, are subject to licensing and compliance with certain requirements, which include certification of equipment and application of a certain level of data protection measures. The main requirements are set forth in Governmental Decree No 313, dated 16 April 2012, and compliance is monitored by the Federal Security Service of Russia.
The Federal Law No 436-FZ, On protection of children against information harmful to their health and development, dated 29 December 2010 (as amended), provides for an exemption from time limitations on distribution of certain content on television and radio channels for pay channels received with the use of a decoding device. The provision was interpreted by the market as applicable to pay-tv and radio services delivered via any set-top box device. However, the regulator has expressed a different understanding, stating that additional password encryption is required to qualify for exemption.
Considering measures taken to limit personal interactions during the COVID-19 pandemic, the government made the decision to automatically prolong all licences expiring between 15 March 2020 and 31 December 2020 for an additional 12 months, including telecommunication and broadcasting licences. Permits to use frequencies for analogue television broadcasting were also prolonged to 19 August 2021.
Major IT and telecom companies are able to benefit from special support measures undertaken by the Russian government with respect to a number of companies considered essential for the state, especially companies forming the so-called "critical information infrastructure" under the relevant law, as mentioned in 1.1 Laws and Regulations. The selection process, however, was not entirely transparent.
Other companies can apply for the limited support available, mostly from regional governments, as well as some other support measures such as grace periods for lease and loan payments.
The government also accelerated the process for development of electronic document-flow in various areas, including employment, notary services and use of e-signature. Various initiatives have been suggested to use biometric data for simplified identification of users and clients.
However, at the same time, some of the counter-pandemic measures and protocols used by the state seem to override the privacy rights and rules of personal data protection, and may result in substantial risks related to loss of collected data. For example, numerous disputes have taken place concerning use of face-recognition and device-tracking technologies declared to be aimed at controlling the spread of the pandemic. Further, massive data leaks of personal details of patients who tested positive for COVID-19 from the governmental database were reported in December 2020, due to what the authorities called the "human factor" (ie, human error in administering the system).