While the cloud services market is relatively established in Russia, with numerous references to cloud computing and cloud data storage in lower-level regulatory acts, as well as in court cases, Russia still has no dedicated regulation or requirements that apply specifically to cloud services. Thus, the normal provision of cloud services is framed contractually within the existing regulation as a service contract or lease of data space, sometimes combined with software licensing.
The use of cloud technology may also fall within the scope of a number of Russian laws and regulations, including the following:
While there are no express restrictions or prohibitions for the use of cloud technology in Russian legislation, certain limitations may apply in specific cases; the one of a particular impact on the market is the rule imposing an obligation on personal data operators to store and perform certain types of processing of personal data of Russian citizens only in the territory of the Russian Federation.
The banking industry has the strictest regulation, including in respect of data security and threat prevention. The Central Bank of Russia, the competent regulator for the banking industry in Russia, may form additional requirements for data protection and operation of electronic document flow and specific IT products in the banking industry.
Cloud services may also become subject to more extensive regulation under the new Federal Law No 187-FZ 'On safety of critical information infrastructure' (in force since 1 January 2018). While the law itself is mostly depictive of the so-called critical infrastructure and its elements consisting of information systems, telecom networks, automatic control systems of state authorities and entities as well as private entities in the sphere of healthcare, science, transport, communications, energy, banking and finance and other selected areas, it also creates the framework for possible subsequent tightening of the regulation in the area through lower-level regulatory acts.
The Personal Data Law (Article 18) requires storage and certain types of processing (including recording, accumulation, export and other) with the use of databases located in the territory of the Russian Federation. This restriction limits the use of cloud services with servers located outside Russia considerably and, in practical terms, means that the cloud service providers engaged in such services should maintain local data space in Russia.
Another issue to bear in mind is the Russian regulation requirement (similar to the EU personal data processing regime) to have individuals’ specific written consent in place for the transfer of personal data to certain jurisdictions that are considered as not providing sufficient level of personal data protection (and the USA is one example of such jurisdiction, from the Russian regulator’s perspective). Thus, the transfer of data to the cloud at any stage of processing may require specific written consent if the cloud is based on servers in countries with insufficient level of personal data protection.
The fact that the data stored in cloud may be available for access by third parties, other than the operator, including the cloud hosting company, may raise further issues. In fact, the use of cloud for storage of information itself already affects relevant threat models that data operators are required to draw for all information systems they employ. Certain levels of potential threats and consequences to processed personal data trigger requirements for application of additional security measures under applicable regulatory acts.
Blockchain technology has been in the spotlight in Russia over the last few years and has been discussed actively by Russian business and government officials. Plans have been announced by competent governmental bodies to develop dedicated regulation for crypto assets and a wider range of technology-based projects. In January 2018 the Ministry of Finance presented the draft of a federal law 'On digital financial assets', which was later submitted to the State Duma (Russian parliament’s lower chamber) for discussions and has been adopted in the first reading in May 2018. The draft received a lot of criticism from the experts in both relevant technology and the law in general for providing an extremely narrow approach to the regulation of cryptocurrencies and tokens that could hinder the development of the new market.
The main risk of using blockchain technology is caused by the absence of regulation and the fact that Russian authorities are yet to determine their unified position on the legal qualification and use thereof. For now, there have been a few projects using blockchain technology launched in a 'test mode' in banking and financial services, but only in private transactions that allow wide discretion of the parties involved as regards the terms and the liability split.
A number of Russian banks have formed an association for the development of blockchain-powered projects in banking and financial sectors – Fintech Association – whose head of supervisory board is the deputy head of the Bank of Russia. The Association is actively involved in the development of blockchain-related projects and relevant regulation that may help determine the framework of the market, including relevant risks and liabilities.
Software with blockchain technology is regulated as any other software in Russia, and has a regime of a copyrightable literary work.
There have been broad discussions on whether intellectual property deals and registers may be moved to blockchain. There are no legal impediments for that in respect of intellectual property that does not require mandatory registration under Russian law (such as copyright and related rights; software deals fall within this category too). In terms of trademarks and patents, these are subject to mandatory registration with the Russian Patent and Trademark Office, and any use of blockchain there would require legislative changes.
No rules are set specifically for privacy matters in connection with the use of blockchain technology. In cases when blockchain technology is used in private commercial projects, data privacy issues are resolved contractually or addressed individually by the participant entities. Deals in cryptocurrency would be presumed to be processed via 'e-wallets', for which personal data processing and identification rules are set in the online payments and e-money regulations, and are not specific to blockchain.
There appear to be no measurable service levels for services involving blockchain technology in Russia.
The few cases that have reached Russian courts have involved disputes over assets kept in cryptocurrency, and no jurisdictional issues have been posed. In general, disputes involving blockchain technology may, depending on its subject matter, be subject to mandatory rules of Russian legislation that require certain disputes to be heard and resolved by Russian courts only, or by arbitration tribunals having a seat in Russia and meeting certain criteria.
In the absence of dedicated regulation and a unified legal approach, the courts may lack consistency in their interpretation and legal qualification of crypto assets or other issues relevant to blockchain technology.
The State Duma (lower chamber of the Russian parliament) has commissioned an updated bill of law on users’ big data. The bill of law was returned to the authors for further development in November 2018. The original document was heavily criticised for the attempt to create additional obligations for big data collectors and users in Russia, including the requirement to obtain an informed consent from each data subject (which was logically pointed out as contrary to the very nature of big data processing). If the bill of law sees no material changes, the new regulation may create substantial impediments for companies operating big data.
The applicable legislation is not clear on the legal status of big data, while the authorities (eg, Roskomnadzor, the competent body in the field of privacy) have expressed the understanding that such data may be considered as personal data when collected and used in combination with other information on the data subject that may eventually lead to the identification of such data subject. However, the approach has not been confirmed in any legally binding acts or any formal guidelines or commentaries.
Another issue is related to the proprietary rights to big data. At the moment, there is an ongoing dispute being heard by a Russian court between the company that collected big data from open sources and traded in the result of their statistical analysis and the social networking platform that claims that data collected from web pages of its users should be treated as its property as the contents of database are compiled by the platform. The outcome of the case may have a market-shaping effect for big data projects.
To date, the main challenges for projects involving machine learning within the existing framework of the Russian legislation are those related to the use of big data and/or personal data. Considering the broad interpretation of the definition of personal data by the competent authority, the Federal Service for Supervision in the Sphere of Connection, Information Technologies and Mass Communications (Roskomnadzor, or RKN), there is a risk that virtually any bulk of data can be treated as capable of identifying the individual, and, hence, subject to personal data regulation. However, RKN has not yet addressed the issue specifically in connection with machine learning.
Discussions of liability issues at this point of development and use of technology in Russia are mostly speculative and have little relation to the existing regulation.
As is the case for machine learning, issues related to the use of big data and/or personal data pose the main challenges for projects involving artificial intelligence within the existing framework of the Russian legislation.
Under existing regulation, the liability issues are resolved in the manner similar to cases of liability for software malfunction, defects in hardware or operation, depending on the situation.
The national programme titled 'Digital Economy' adopted in 2017 sets the date 31 July 2019 as the deadline for adoption of a federal law on regulation of the so-called cyber-physical systems, including unmanned vehicles, IoT, smart houses and other technologies. Some of the regulatory measures suggested by various groups working on the draft of the law include establishment of state authority for control, monitoring and certification of relevant devices and systems, and mandatory insurance with the use of an industry-funded reserve. In general, this may be viewed as yet another example of the Russian government’s tendency to overregulate the market even before it develops, and to establish strict control over any technologies involving data processing.
While there are no specific restrictions, general issues related to personal data protection under Russian legislation may apply to operation of connected devices, due to the broad interpretation of what can be considered as information capable of identifying the data subject, as viewed by the Russian regulator.
Specific requirements may apply to relevant hardware; thus, late in December 2018 the State Frequencies Commission introduced a requirement for entities applying for frequencies in 868 MHz bandwidth (LPWAN) (used for the deployment of IoT networks) to use only Russia-produced base stations in construction of their networks starting from 1 December 2020.
Russian legislation contains no rules specific to IT service contracts. Such agreements are normally classified as service contracts, and may additionally contain elements of other types of contracts, such as supply and/or IP licensing.
General risks of operation in the Russian legal framework include the risk of inconsistency in interpretation of contractual provisions and statutory requirements by courts and by regulatory authorities in the absence of specific regulation or established market practices for new types of services or new technologies.
Of note, there is specific tax regulation applicable to the provision of IT services by foreign companies. IT or online services provided by foreign entities that have no physical presence in Russia are subject to Russian VAT that is payable either by the foreign entity directly (which requires a registration as a Russian VAT payer), or, if agents or other intermediaries are involved that provide the IT services to Russian end users (whether corporate or individual), such intermediaries act as tax agents too, and pay the VAT.
Personal Data Law requires that storage and certain types of processing of personal data pertaining to Russian citizens is performed with the use of databases physically located in the territory of Russia.
For services acquired from Russia-based service providers it is customary for the service provider’s liability to be limited to only direct damages (an approach broadly supported by Russian courts), and to be capped at the total contract value.
Specific restrictions may apply to Russian companies owned or controlled by the state concerning their choice of IT services and products; that is, in many cases such parties are obliged to choose Russian products and services, unless they can prove that the foreign product is irreplaceable.
General Data Collection and Processing
Protection of personal data pertaining to Russian citizens is prioritised. In most cases with some exceptions, a specific and informed data subject’s written consent is required. However, in contrast to the requirements of the GDPR, Russian operators are not expressly prohibited from making the use of a service conditional upon such consent. Personal data can be processed without consent in the limited number of cases, such as performance under a contract to which the data subject is a party, performance of data operator obligations mandated by law, processing of data made public by the subject, processing for statistical purposes and others. Certain types of sensitive data, including health data, biometrical data, information on prior criminal convictions and others require express written consent for processing.
Localisation of Personal Data
The general rule is that Russian citizens’ personal data must be stored and processed with the use of databases located in Russia. There is a limited number of exemptions from this rule, such as use of data for the rendering of justice, cases where processing of personal data is necessary for professional journalistic work, lawful activities of a mass media, or for scientific, literary or other artistic work (all of which are also the exemptions from the obligation to obtain the individual’s consent, as described above). Importantly, by means of official commentary from the Ministry for Digital Development, Connection and Mass Communications it has been confirmed that providers of air transportation services (including their agents) are exempt from the application of the localisation requirement on the ground of international treaty application.
Registration of Personal Data Operators
Operators of personal data are subject to registration with the state authority, Roskomnadzor, by filing a notification prior to commencement of their activities. There are certain exemptions from the requirement to register. Importantly, the list of applicable exemptions does not exactly match the above exemptions for obtaining a data subject’s consent. Such exemptions include processing of data under labour laws, processing of a data subject’s name only, processing of data for the purposes of granting one-time access to premises, processing of personal data without the use of means of automatisation, among others.
Users’ communications data and metadata are subject to collection and storage by operators of communication services, including online data transfer services. In cases specified by law operators are required to provide state authorities with such customer data for investigative and state security purposes. Operators of various online services are also subject to a different type of registration with the same state authority, Roskomnadzor. Telecom and online service operators are required to comply with competent state authorities’ requests to block access to online resources blacklisted for distribution of prohibited information.
Company data protection is not as extensively regulated as personal data, and is usually addressed in the scope and on the terms the entity itself determines. While there are state-enforced sanctions for violation of trade secret obligations, the administrative fines are not high, and the implementation practice is considerably more limited compared with personal data compliance cases. Criminal liability can be imposed for the breach of the trade secret regime, for illegal access to protected computer (electronic) data and for mishandling means of protected computed data storage, transfer or processing. However, statistically such cases do not present any considerable volume.
Confidentiality and non-disclosure agreements are rather broadly used, but are often hard to enforce due to difficulties in proving the breach.
General requirements for protection of information and specific rules for processing of information by various service operators are set forth in the Information Law.
Specific requirements are set for operators of various online services, including operators of instant messaging services, operators of online audiovisual services, so-called organisers of online information distribution and operators of search engines or news aggregators. Some of these operators are required to store customer data and provide such data to competent state authorities for investigative and state-security purposes. Besides, operators are required to comply with requests for blocking access to certain information qualified as illegal in Russia.
Certain categories of information are restricted or prohibited from distribution, including information potentially harmful to children (within the meaning and based on criteria set forth in Federal Law No 436-FZ 'On protection of children against information harmful to their health and development', dated 29 December 2010 (as amended)); information containing calls for riots or public unrest; information distributed in violation of copyright and related rights; pornography; information on methods to commit suicide, to produce or use drugs, and other types of information considered damaging by the state. The blocking tool has been broadly used over the last years, and communications operators are subject to administrative fines for a failure to implement the blocking orders.
Processing of personal data is subject to requirements of the Personal Data Law. Personal data can be processed under the data subject’s consent unless an exemption applies. Personal data operators are required to employ organisational, technical and legal measures of data protection, and to keep certain documents and logs to evidence compliance with legal requirements. Levels of protection and employed measures vary depending on the evaluation of potential threats to the personal data processed by relevant operator. Operators of personal data are required to register with Roskomnadzor.
The practical difficulties that personal data operators face in building up their compliance policies largely result from the interpretation of the statutory requirements by the competent regulatory authority, Roskomnadzor. In the last few years the authority has demonstrated the tendency to interpret legal requirements in an overly broad and conservative way, which puts substantial burden on personal data operators.
There are no legal restrictions on monitoring or limiting the use by employees of company computer resources in the private sector. The entities are required to employ certain measures of data protection, including passwords, restricted access and other measures.
Importantly, despite the generally pro-employee character of Russian labour legislation which often makes it difficult in practice to dismiss an employee for a one-time wrongdoing, there are cases where courts have upheld the employer’s termination of employees’ contracts for a breach of restrictions concerning e-mailing of work files to private addresses outside the company (which was viewed as putting confidential files in an unsafe environment that amounted to unauthorised disclosure of information.)
Russian telecommunications regulation, essentially formed by Federal Law No 126-FZ 'On communications', dated 7 July 2003 (as amended) (the 'Communications Law') and ancillary regulatory acts, is not sufficiently technology-specific. The rules established for the licensing and operation of telecommunication services distinguish between cable, terrestrial on-air and satellite technologies for audiovisual, landline and mobile for telephony, and only a few examples of telecom services involving Internet connection, without much further categorisation. In practice, major telecom operators opt to hold a combination of all categories of available permits to make sure the services they provide are covered.
Internet service providers can choose between or obtain both telecom licences for data transmission services (without voice data) and telematic services, but there are no express legal requirements to license activities of operators providing online services with the use of existing Internet connection provided by another licensed telecom operator. Traditionally, and historically, telecom licensing obligations in Russia have been tied to network infrastructure, while for purely online services the focus is rather made on information protection measures.
Specific requirements are set forth for a limited number of specifically listed types of services in the Information Law. These services are: organisation of online distribution of information (messaging services provided by operators of websites or online applications, including any kind of chat, forum or other means allowing users to exchange comments), instant messaging, online search, online news aggregating websites or applications and online audiovisual services. Obligations of the operators of such services may include (in various combinations): requirements to register with the competent authority (Roskomnadzor), to collect and store customer data, to provide access to customer data to state authorities, to block access to certain information, to identify users, to employ measures of data protection and to review distributed content for compliance with Russia legislation.
Foreign entities are not allowed to hold more than 20% control over Russian online audiovisual services. A similar limitation for the news aggregator services is currently being considered by the legislative authority.
New network connection services on the basis of a telecom infrastructure that fall within one of the types of licensed telecom services are subject to relevant licences and permits to be obtained from Roskomnadzor and other state authorities prior to commencement of such activities in Russia, in accordance with the Communications Law and the Federal Law No 99-FZ 'On licensing of certain types of activities', dated 4 May 2011 (as amended).
Operators of online messaging services and instant messengers (organisers of online information distribution in terms of the Information Law) are required to notify Roskomnadzor on the commencement of their activities either voluntarily or within five days upon receiving relevant request from the authority. News aggregating online services are required to provide relevant information for registration upon request from Roskomnadzor, if the authority considers it qualifying for state registration. Operators of online audiovisual services are required to provide information to Roskomnadzor within ten days upon receiving a relevant request for inclusion of service information in the state register.
Traditional television and radio channels are required to register as Russian mass media and can commence distribution upon obtaining relevant broadcasting licences from the competent state authority, Roskomnadzor.
In accordance with the provisions of the Law of the Russian Federation No 2124-1 'On mass media', dated 27 December 1991 (as amended) (the 'Mass Media Law'), foreign entities and citizens (including holders of dual citizenship), as well as Russian entities with more that 20% direct foreign investment in their capital are not allowed to apply for mass media registrations and broadcasting licences. Moreover, such entities and individuals are banned from owning, controlling or managing directly or indirectly more than 20% of the Russian entity applying for a mass media registration or a broadcasting licence.
The mass media registration procedure takes approximately one month upon filing of the application together with documents confirming the corporate existence and compliance with Mass Media Law requirements with respect to ownership percentage. The state fee depends on the type of mass media and the territory of distribution, with the maximum amounting to RUB10,000 (approximately USD150).
Broadcasting licences can be universal (including all means of distribution) or allow mass media distribution via any of cable, satellite or over-the-air (the latter subject to a separate frequency use permit). Licences are issued within approximately one to one-and-a-half months upon filing of relevant documents confirming compliance with the requirements of the Mass Media Law and payment of the state fee in the amount up to RUB7,500 (approximately USD112). A mass media registration and broadcasting licence are not required to be held by one entity; the functions can be distributed among contractual partners. However, universal broadcasting licences are issued only to parties also holding the relevant mass media registration.
For the carriage/distribution of the television or radio channel, a telecom operator also needs a licence covering the provision of services for television or radio broadcasting of the relevant mass media. A telecom licence for this activity is issued under the Communications Law. These licences can be issued for distribution via cable, satellite or over-the-air networks, upon provision of evidence of a contract entered with the licensed broadcaster.
Online channels can apply for registration as network mass media under similar procedures specified for the traditional mass media. However, such registration is optional under Russian law. Until the adoption of the amendment to the Information Law on online audiovisual services in 2017, online channels were largely unregulated, as very few online channels opted for registration as mass media.
Pursuant to the Information Law, a website or an application is considered as an audiovisual service if it is used to form and/or distribute online an aggregate of audiovisual works accessible for a fee and/or subject to viewing advertising aimed at a Russia-based audience, and if it is accessed by at least 100,000 Internet users based in Russian territory per day. The second characteristic is monitored by Roskomnadzor via access counters that audiovisual services are required to choose from the pre-approved list provided by the regulator and install.
Roskomnadzor monitors the market and identifies services that in its opinion meet the above criteria. If Roskomnadzor considers a service qualifying for registration, it requests relevant information for registration with the state register and monitors compliance with the requirements of the Information Law, which include, among others, full compliance with all the legal requirements set forth for the operation of a 'regular' mass media under the Mass Media Law, and the 20% foreign control limitation.
The definition and regulation for the audiovisual services were introduced with only a few technologies in mind: services designed to watch TV series and films online and on demand upon payment (the so-called online cinemas) and the online versions of channels already registered as mass media. For this reason, one of the restrictions set for the audiovisual services in the Information Law is the prohibition to distribute online mass media that are not registered as Russian mass media in accordance with the requirements of the Mass Media Law.
Organisers of online distribution of information (that definition includes operators of instant messaging services and websites and applications enabling messaging) are required by law to provide state authorities with decryption keys if they use additional encryption of messages or allow their users to do so (Article 10.1 of the Information Law). Failure to comply with this requirement was stated as the legal ground for the decision of Roskomnadzor to block popular instant messaging service Telegram. The messenger representatives claimed that the end-to-end encryption it used made it impossible to provide a fixed set of encryption keys, but the authority persisted and ordered the blocking of the service in Russia (in reality, however, Telegram still remains accessible and operational).
Encryption is required for certain information systems where the level of potential threats to personal data contained in and processed by such system is assessed as material.
Noteworthy, encryption activities in Russia, including use of relevant software, provision of services and import of devices, are subject to licensing and compliance with certain requirements, which include certification of equipment, application of a certain level of data protection measures among others. The main requirements are set forth in Governmental Decree No 313, 16 April 2012, and compliance is monitored by the Federal Security Service of Russia.
The Federal Law No 436-FZ 'On protection of children against information harmful to their health and development', dated 29 December 2010 (as amended), provides for an exemption from time limitations on distribution of certain content on television and radio channels for pay channels received with the use of a decoding device. The provision was interpreted by the market as applicable to pay-TV and radio services delivered via any set-top box device. However, the regulator has expressed a different understanding, stating that additional password encryption is required to qualify for exemption.
Mass Media and Online Cinemas Market Overview
While both private and state-owned media and broadcasting companies operate in the Russian mass media market, the government-controlled companies certainly dominate it.
The Russian government owns and controls the major Russian television channels. For example, government-owned VGTRK (All-Russia State Television and Radio Company), produces Russia-1 (Rossiya-1), Russia’s most popular television channel in 2018. VGTRK also owns and produces several other national channels such as Russia-2 (Rossiya-2), Russia-24 (Rossiya-24) and Russia-Culture (Rossiya-Kultura). The Russian government also owns 51% of Channel One, Russia’s second most popular channel.
Other big players in the Russian television industry are Gazprom-Media Holding which produces NTV, the third most popular channel, and National Media Group (NMG) which produces several popular television channels such as Channel Five (Pyatiy Kanal) and Ren TV. While privately owned, NMG is a media group having close governmental connections. At the end of 2018 NMG and VTB Bank, a government-controlled bank, acquired CTC Media, then the largest-by-audience privately owned broadcaster producing several mainstream television entertainment channels. NMG’s and CTC Media’s channels together constitute 24% of all Russian audiences. Recently, NMG has significantly expanded its reach over the mass media following the introduction of a 20% foreign ownership limitation for Russian media companies - thus, forcing foreign media companies to establish joint ventures with Russian players, including NMG, in order to maintain their presence in the Russian market (see section 2 below).
Privately owned National Satellite Company (Tricolor) is the largest digital television broadcasting operator. Other digital television operators include ER-Telecom, Orion Express and State-owned Rostelecom.
As with the Russian television industry, State-owned and private radio coexist in Russia. The major players are Gazprom-Media Radio (a subsidiary of Gazprom-Media Holding), European Media Group and VGTRK.
The Russian film and digital media market, in particular the online-cinema theatre market, is rapidly gaining a market share and is currently dominated by private companies. Ivi.ru, Megogo, Okko.tv and Tvigle.tv are active players providing OTT and SVOD services to Russian citizens.
Foreign Ownership Restrictions in Mass Media
The Russian Mass Media Law is the main law regulating the Russian media industry. Adopted in 1991, it did not provide for any restrictions as to foreign ownership or control in Russian media business. However, during the last 18 years the Russian media legislation has been undergoing significant changes gradually limiting foreign ownership and control of the Russian media industry. Between 2001 and 2018, numerous laws increasing the regulation and control of the Russian media industry were adopted. The goal of Russian lawmakers has been to limit foreign influence over Russian media companies.
Initially, in 2001, the Russian Mass Media Law was amended to forbid foreign governments, international organisations, entities controlled by foreign governments or international organisations, foreign legal entities, foreign citizens, stateless persons, Russian citizens having dual (triple, etc) citizenship (each a 'foreign person') from owning 50% or more in the share capital of a founder of a television channel or a mass media and of a broadcasting company operating in more than half of the Russian territorial subdivisions or covering the territory where more than half of the country’s population resides. The restriction did not apply to printed media or radio channels and radio programmes.
Then in 2008, the Russian Foreign Investment Law was amended to require prior approval by a special governmental commission for any transaction resulting in acquisition (directly or indirectly) by a foreign government, by an international organisation (ie, public foreign investors) or by a legal entity under the control of a foreign government or an international organisation of more than 25% of share capital of any Russian legal entity or of negative control rights in respect of any Russian legal entity. This restriction applies across all industries, not just media.
Further, under the Russian Foreign Strategic Investment Law also adopted in 2008, any transaction resulting in 'control' over any Russian legal entity which is qualified to have strategic importance for national defence and security is subject to prior approval by a special governmental commission. The criteria for a company to qualify as having strategic importance for national defence and security (a so-called strategic entity) have changed over time. Today, among others, companies engaged in television or radio broadcasting over the territory where 50% or more of the population of any constituent entity of the Russian Federation resides, as well as in printed press publication with circulation exceeding certain thresholds set out by the law, are deemed to be strategic entities. Control is defined by the law and includes, inter alia, the ownership by a private foreign investor of more than 50% of voting shares in the share capital in a strategic entity, the right to appoint a CEO or more than 50% of board members of a strategic entity or the right (on the basis of an agreement or otherwise) to manage or otherwise determine decisions of a strategic entity.
In 2011, the Russian Mass Media Law was amended to apply the foreign ownership restrictions adopted in 2001 for television mass media to radio channels and radio programmes.
In 2014, the Russian Mass Media Law was amended (and became effective in 2016) to limit not only direct participation, but also any type of foreign ownership (whether direct or indirect) in Russian mass media and broadcasters to 20% and to prohibit any forms of foreign control over any Russian mass media and broadcasters. Although the new rules came into force in 2016, certain media owners were given a transition until 1 February 2017 to bring their holdings into compliance with the new requirements.
Pursuant to the current Russian Mass Media Law, a foreign person or a Russian legal entity with foreign participation cannot be a founder of or an editor of mass media or a broadcasting company. Further, a foreign person or a Russian legal entity with foreign participation exceeding 20%, is prohibited to own, manage or control (whether directly or indirectly, through any persons under control or by means of holding in aggregate more than 20% of shares in any person) more than 20% of shares in the share capital of a shareholder of a founder or of an editor of any mass media or of any broadcasting company.
Moreover, currently the Russian Mass Media Law prohibits any other form of control by a foreign person, or by a Russian legal entity with any foreign participation, over a founder of or editor of mass media, broadcasting company or their respective shareholders, if such control results in acquiring the opportunity to directly or indirectly own or manage the respective mass media or a broadcasting company, control them or de facto determine the decisions they take.
Any transaction violating the above foreign control restrictions is deemed to be null and void and the foreign person violating these restrictions is deprived of its voting and other rights as a shareholder of the relevant entity.
On 17 January 2019 the Constitutional Court of the Russian Federation ruled that the 20% foreign ownership restriction threshold established by the Russian Mass Media Law is legal and “is designed to prevent the strategic influence and control over the media.” At the same time, the Constitutional Court ordered the Russian Parliament to adopt amendments to the Russian Mass Media Law clarifying a number of matters that contradict the Russian Constitution, including the use of the terms 'a founder of mass media' and 'a participant of a founder of a mass media' and the vague rules concerning a foreign person’s right to exercise its corporate rights in respect of 20% shares in a mass media. The new amendments to the Russian Mass Media Law ordered by the Constitutional Court have not yet been adopted.
Needless to say, the amendment to the Russian Mass Media Law that became effective in 2016 affected a wide variety of mass media in Russia, including the country’s leading business daily newspaper, Vedomosti (the Russian versions of glossy magazines such as Vogue, Elle, Tatler, Glamour, Esquire, GQ and Cosmopolitan), and television channels such as Disney, Discovery Channel, Animal Planet and Eurosport. The new restriction resulted in massive restructuring of TV broadcasting and mass media businesses in the Russian market, with some international media companies withdrawing from Russia in early 2016. For example, the new law led to the sale of a number of foreign-owned media outlets that were established in the 1990s and 2000s, including by Germany’s Axel Springer and Finland’s Sanoma media groups. The law has also limited the remaining foreign-owned media from influencing content because of their minority stakes.
Finally, according to the 2015 amendment to the Russian Mass Media Law, if the editor of mass media, a broadcasting company or a publisher receives any monetary funds from a foreign person or from a Russian legal entity with foreign participation, the editor of the mass media, broadcasting entity or publisher must report the receipt of such monetary funds to the Russian TMT regulator (Roskomnadzor). Further, in 2017-18 the Russian lawmakers adopted new rules affecting foreign agent mass media (ie, foreign media that receives funding from foreign persons or Russian legal entities which receive funding from foreign persons). The new rules require them, inter alia, to include a disclaimer in every publication or post identifying their status as foreign agent mass media. The rules also require such mass media to audit their accounts, submit quarterly reports on funding received and publish an activity report twice a year.
Foreign Ownership Restriction in the Online Cinema Industry
The Russian Law on Information, Information Technologies and Protection of Information adopted in 2006 (the 'Russian Information Law') is the main law that regulates the Russian online cinema industry. Until 2017, ownership of the companies providing OTT and SVOD services in Russia, including online cinemas, remained unregulated.
Under Russian law, an online cinema may be deemed to be a so-called audio-video service (an “AVS”). Under the Russian Information Law, an AVS is a website, web page, information system and/or software that is used to make and/or distribute audio-video content that is:
If all these criteria are met, an online cinema is deemed to be an AVS and will be subject to certain foreign ownership restrictions.
Websites registered as mass media (eg, the popular channel Rain), web search engines (eg, Google Search) and information resources where the audio-video content is mainly posted by the users (eg, YouTube) are specifically excluded from application of the legal rules relating to AVS.
In accordance with the recent changes of 2017 to the Russian Information Law, only Russian legal entities and Russian citizens not having any other citizenship may be owners of an AVS. It is widely believed that these restrictions are possibly aimed at preventing world giants such as Netflix and Amazon from entering the Russian online cinema market.
A foreign person and a Russian legal entity with foreign participation exceeding 20% may own, exercise management or control (directly or indirectly) in respect of up to 20% of shares in the share capital of the AVS owner without any restrictions. However, an acquisition by such foreign person or entity holding more than 20% of shares in the share capital of an AVS owner is subject to a preliminary approval by a special governmental commission. The commission will grant such approval only if the foreign participation contributes to development of the AVS market in Russia. However, the commission has not yet been established and at this point there is no information as to when this will be happen. Due to this uncertainty, foreign audio-video content providers have no clarity as to how to operate in the Russian AVS market if they want to acquire more than 20% of AVS owner shares. Additionally, the Russian regulatory body is to maintain an AVS register containing information about the owners but such register has not been yet established either.
The foregoing foreign ownership control restrictions of AVS apply to foreign persons and Russian legal entities with foreign participation exceeding 20% that own an information resource distributing audio-video content if less than 50% of its users are located in Russia. If more than 50% of the users are located in Russia, the regulations are not clear. According to unofficial comments from the Russian regulator, such persons and entities cannot own shares in an AVS owner or exercise management or control (directly or indirectly) over any shares in an AVS owner at all.
Unlike the similar restrictions applicable to the Russian media sector, the Russian Information Law does not prohibit other forms of control (eg, programming, editorial control, economic control, etc) by a foreign person over an AVS.
Failure to comply with the foreign control restrictions may result in an AVS being blocked in Russia and/or in an administrative fine or administrative suspension of the Russian business operations.
Technology and Telecom Market Overview
The IT and telecom sectors are publicly recognised among the main priorities of Russia’s integration into the digital economy. Accordingly, the Scientific and Technology Development Strategy of Russia until 2035 highlights the following prioritised directions of the Russian State scientific and technological development:
While the above concept is ambitious, we have to accept that the vast worldwide growth of technologies and their simultaneous functional depreciation rarely go hand in hand with the appropriate legal framework. As an example, many new technologies either remain under-regulated or come under certain, sometimes extensive, legislative restrictions, such as social networking, instant messaging, personal data, etc. Some of these technologies, such as telemedicine services, have been regulated only recently, and the relevant law de facto imposes more restrictions than clarifications. Certain other areas, like big data, are suffering in the absence of comprehensive regulation and have to develop within the framework of ad hoc court and administrative decisions.
Additionally, some legislative initiatives aimed at expansion of governmental control over the media and Internet have resulted in certain restrictions on technology and telecom sectors in recent years, such as requirements on Internet user traffic storage and personal data localisation. The main legislative acts regulating Russian technology, telecom and privacy spheres, which have undergone significant amendments over the last decade, are the Russian Communication Law adopted in 2003, the Russian Information Law adopted in 2006 and the Russian Personal Data Law adopted in 2006.
However, despite various restrictions implied by the amendments to these laws, together with the respective regulations adopted by the Russian authorities, both foreign and local companies are widely operating in the Russian technology and telecom markets, such as international giants like Alphabet (Google), Alibaba, Apple, Facebook (including Instagram and WhatsApp), IBM, Microsoft, SAP, Samsung, Twitter, among others, as well as Russia-originated conglomerates like Mail.ru Group (including its social networks VKontakte and Odnoklassniki), MegaFon, MTS, Rambler, Rostelecom (together with its co-owned operator Tele2 Russia), VimpelCom (d.b.a. Beeline), and, of course, Yandex. Certain other players like LinkedIn social network and Telegram messenger have eventually been blocked by Roskomnadzor in 2016 and 2018, respectively, due to non-compliance with the newly adopted rules, yet they still remain rather popular.
IT Resources Blocking; Data Localisation and Storage Requirements
Under Russian law, distribution of certain types of content via the Internet, including, for example, extremist material, calls for riots, calls for suicide, illegal information on gambling, certain types of adult content, illegally distributed intellectual property, etc, as well as violation of information security and privacy protection requirements may, inter alia, lead to temporary or even permanent blocking of the respective website. Russian authorities tend to consider blocking as an instrument of pressure on law-breakers and a measure to eliminate unlawful information distribution, so blocking alone does not replace civil, administrative or criminal liability for the violation of laws which would lead to such measures.
The 'Personal Data Localisation Law'
In 2014, the Russian Parliament adopted the so-called 'Personal Data Localisation Law' amending the Russian Information Law, the Russian Personal Data Law and some other legal acts, and requiring that, starting from 1 September 2015, personal data operators, while collecting personal data of Russian citizens, must ensure recordal, systematisation, accumulation, storage, clarification and retrieval of such data in the databases located in Russia prior to transferring the data elsewhere abroad, with certain limited exceptions.
The Personal Data Localisation Law did not specify directly whether it should apply to foreign persons. The Russian Federal Ministry of Digital Development, Communications, and Mass Media then published non-binding recommendations clarifying that, because of the Internet’s cross-border nature, certain Internet activity may be considered as conducted in Russia, and, therefore, is subject to the personal data localisation requirements. For example, a website may be deemed subject to the localisation requirements if it includes a Russian language option or uses a Russian top-level domain name like .ru, and there is additional evidence confirming that the website targets Russia (eg, advertisement aimed at Russian consumers).
Failure to comply with the personal data localisation requirements may lead to various negative consequences, from administrative liability to permanent blocking of the website. This is what happened to LinkedIn, which was found violating the Russian Personal Data Law requirements under the federal court’s decision and the access to the social network was officially restricted in November 2016 by Roskomnadzor.
Some IT giants like Microsoft, Samsung and many others took a safe approach and complied with the requirements of the Personal Data Localisation Law. With respect to other major players, Roskomnadzor has announced inspections to be conducted in 2019, so we should witness further law enforcement actions in this sector shortly.
The 'Yarovaya Package'
In 2016, another restrictive set of laws, the so-called 'Yarovaya Package', passed. Two federal laws of this package amended the pre-existing counter-terrorist legislation, criminal material and procedural codes, as well as the Russian Communication Law and the Russian Information Law and certain other laws. The package was named after one of its authors, Mrs Irina Yarovaya, a member of the Russian Parliament, who was joined by several other members to develop and introduce the bills into the Russian Parliament.
The most controversial part of the Yarovaya Package is the requirement that telecom and Internet service providers must store in Russia all content of voice calls, data, images and text messages for up to six months, and the metadata on them, such as time, location, senders and recipients of messages information, for one year. Further, online services such as messaging services, e-mail and social networks that use encrypted data are required to allow the Federal Security Service (FSS) to access and read their encrypted communications, and Internet and telecom companies are required to disclose these communications and metadata, as well as “all other information necessary,” to the FSS upon request and without a court order.
The Yarovaya Package received significant criticism from telecom operators, Internet companies, non-governmental organisations and ordinary users. However, despite various estimates of monetary burden of compliance (more than USD70 billion), the laws eventually became effective 1 July 2018.
Telegram messenger, co-founded by Russia-born Pavel Durov (the previous owner of the Russian largest social network VKontakte), was among the first of those who refused to co-operate with the FSS back in 2017 to grant access to the users’ communications. This led to a series of legal actions and, as a result, in April 2018 Telegram was officially blocked in Russia. However, due to the specific technologies used by the messenger, it is still available in Russia, though with certain interruptions.
Other Internet companies and messengers, such as WhatsApp, WeChat and Viber, continue to operate in Russia without restrictions.
Big Data Collection and Use
Big data still lacks clear legal definition but the worldwide big data market is already expected to surpass USD200 billion in 2020. Although search engines and social networks initially based their services on big data collection and analysis, more traditional businesses have recently turned to this effective instrument. Thus, in Russia, the major big data users tend to be large financial institutions such as telecom operators, major retail market players as well as certain public authorities.
Although big data is among the prioritised technologies mentioned in the Digital Economy Programme adopted by the Russian federal government in 2017, collection and use of big data, unsurprisingly, raises certain legal and ethical issues associated with individual privacy and personal data protection. Big data about individuals represents significant commercial value for businesses helping to predict consumers’ behaviour, personalise and offer the consumers the most suitable goods and services. Consequently, big data algorithms are always at risk of becoming manipulative (and even discriminative) tools affecting fundamental human rights to personal privacy and freedom from discrimination.
These big data risks emerge at every stage of big data collection, systematisation, transfer, analysis and further application. For instance, data may leak when control over its use has been lost and data may be disclosed to unintended recipients, which may lead to fraudulent actions against the data subject. Further, personalisation based on big data may potentially lead to discrimination of certain types of consumers; for example, resulting in offering different conditions to different groups of consumers for similar goods and services, based on the consumers’ nationality, gender, age, political or religious views, etc.
Usually big data comes from Internet services (such as search engines, social networks, forums, blogs, mass media, entertainment and other websites), various professional data providers, and operators of various counter and sensor readings. While there are major players that offer complex big data analytics services, database management systems, respective infrastructure, hardware, software and other big data-related solutions in Russia, there are also certain Russia-based start-ups providing niche big data instruments. One of them is Double Data service that offers big data solutions for financial institutions. By way of collecting and analysing big data about individuals from open Internet sources like social networks and other websites, Double Data offers to assist banks with attracting new clients, verifying identity of potential borrowers, estimating their credit quality and to liaise with unscrupulous debtors.
Double Data’s methods of collecting open user data from their profiles published on VKontakte social network has led to one the most remarkable cases on big data use in Russia. In 2017, VKontakte sued Double Data seeking to ban it from extracting and using publicly available user data from the social network, which data the users themselves had made open to the entire Internet by selecting the appropriate profile settings. According to VKontakte’s position, Double Data’s activities violated VKontakte’s exclusive neighbouring rights to their user database.
Double Data argued that the software it developed operated on the principles of universal search engines (such as Google, Yandex, etc), with the only difference that it searched for information limited to people and did it with greater accuracy. Further, Double Data claimed it did not create any of its own databases based on VKontakte’s data, but rather installed its own software to its customers, with which software the customers could themselves search for open data on the Internet.
The court of first instance dismissed the claim of VKontakte, the court of appeal allowed the lawsuit to proceed, and in 2018 the case was considered by the Russian Intellectual Property Court and sent for a new trial to the court of first instance. Thus, the matter remains undecided.
Despite the civil law nature of the above court case (potential violation of intellectual property rights to a database), the practice of collecting personal data from open sources with its further transfer without the personal data subjects’ express written consent has, as a separate matter, been considered by Roskomnadzor and the courts of all instances (including the Russian Supreme Court) as violating the Russian Personal Data Law.
Telemedicine: New Legislation, New Issues
The World Health Organisation (WHO) defines telemedicine or health telematics as a composite term for health-related activities, services and systems carried out over a distance by means of information and communications technologies for the purposes of global health promotion, disease control and health care, as well as education, management and research for health. Such a concept would be particularly important for Russia given the country’s extensive territory, uneven population distribution and a shortage of medical professionals and institutions.
On 1 January 2018, the amendments to the Russian Law on Fundamentals of Citizens’ Health Protection were enacted to legalise the use of telemedicine technologies (the 'Russian Telemedicine Law'). However, instead of providing a clear definition of telemedicine or health telematics, the new law only defines telemedicine technologies as information technologies that provide for remote interaction of medical professionals among themselves, with patients and/or their legal representatives, identification and authentication of these persons, documentation of their actions during conciliums, consultations and remote medical monitoring of the patient’s health.
This concept establishes only two spheres of telemedicine application: remote interaction of medical professionals between themselves, and professionals with patients and/or their legal representatives. However, unlike the WHO definition, it does not provide for the use of such technologies for continuing education of medical professionals (eg, in the form of lectures, seminars, etc), which significantly limits the use of these technologies.
The procedure for providing medical care using telemedicine technologies is established under regulations, the implementation of which raises a number of practical issues. For example, the literal interpretation of the Russian Telemedicine Law and the respective regulations suggests that a medical consultation via telemedicine technologies does not cover examination and diagnosis. Further, the law does not provide for carrying out a distant medical consultation by a medical professional located outside a medical institution, which, given the level of technical progress, may also significantly limit the practical use of telemedicine technologies.
Finally, some experts note that excessive regulation and increased requirements for the following actions may increase the costs in the field of telemedicine, which, in turn, would increase the final cost of telemedicine services for consumers; identification, authentication, certification, connecting certain information systems to the unified State information system in the health sector and the unified system of identification and authentication of the public services portal of Russia, and the use of enhanced qualified electronic signatures.