Russian Federation: Privacy And Cybersecurity In Russia

Last Updated: 31 October 2018
Article by Vyacheslav Khayryuzov

Getting The Deal Through (GTDT), UK online research platform for law professionals, turned to Noerr Moscow for advice regarding Data Privacy, a rather topical issue nowadays in view of the recent changes in Russian and European law. Vyacheslav Khayryuzov, Head of the Data Privacy practice in Russia, answered the journalists' questions.

GTDT: What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?

Vyacheslav Khayryuzov: The topic of cybersecurity is becoming more and more important in Russian discussions. The first issue that comes to mind is the alleged Russian hacking of the US presidential elections. The US media reported that the US administration contemplated an unprecedented cyber covert action against Russia in retaliation for alleged Russian interference in the American presidential election. According to the media at least, the CIA has been asked to deliver options to the White House for a cyber operation designed to harass and 'embarrass' the Kremlin leadership.

Other infamous cybersecurity issues were the WannaCry and Petrwrap/Petya ransomware attacks. Major Russian and Western companies working in Russia were paralysed by the attacks for several days.

All these security issues have supported calls for Russia's internet infrastructure to be protected. As a consequence, on 26 July 2017, Russia adopted Federal Law No. 187-FZ 'On the Security of Critical Information Infrastructure of the Russian Federation'. The law sets out the basic principles for ensuring the security of critical information infrastructure, the related powers of the Russian state bodies, as well as the rights, obligations and responsibilities of persons owning facilities with critical information infrastructure, communications providers and information systems providing interaction with these facilities.

The elements of the critical information infrastructure are understood to be information systems, telecommunication networks of state authorities as well as such systems and networks for the management of technological processes that are used in the state defence, healthcare, transport, communication, finance, energy, fuel, nuclear, aerospace, mining, metalworking and chemical industries. All these industries are considered critical for the economy and should be protected against any cyberthreats. The law requires the implementation of protection measures, assigning the category of protection (in accordance with the by-laws) and then registering with the Federal Service for Technical and Export Control, which will be in charge of the supervision in this field. Businesses currently have many questions for the authorities about this law, which is very broadly drafted. The most pertinent is whether the law applies to the relevant business or not, since even internal LAN networks under its general rules may be considered critical information infrastructure. However, the authorities say that this is an incorrect interpretation. The lack of enforcement practice also does not help clarify the situation.

Another legislative initiative in Russia was the banning of virtual private network (VPN) services that do not cooperate with the government, for instance, in relation to copyright, data protection or other law infringements. With effect from 1 November 2017, Russia enacted the new bill on this subject. The main targets of the bill are obviously notorious anonymisers such as Tor. However, the ordinary business can also be affected. One of the main questions yet to be clarified is whether VPNs used by businesses would also be restricted in their use. The bill contains an exemption that can be interpreted as being that if an entity uses a VPN tool, the entity needs to define the users of the tool (eg, which employees can use the tool – such as in an internal IT policy) and use it only for the purposes of its business. If this understanding is correct, then this exemption may be useful for the business community. The law has so far never been enforced in practice by the authorities and, therefore, the questions still remain.

There are also other various initiatives related to regulation of big data and even the creation of the Infocommunication Code, which would codify the relevant aspects of information law including cybersecurity issues that are currently sporadically regulated by different laws.

GTDT: When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?

VK: This is an interesting topic, since Russian data breach notification rules here differ from European rules, for instance, and sometimes it is difficult to see the logic of these rules. It is generally accepted in Russia that Russian data protection law was greatly inspired by European laws. This is obvious from a high-level reading of the Russian law on personal data. However, it appears that the concept of data breach notification was simply misunderstood by Russian lawmakers. As a result, there is no data breach notification requirement under Russian law, at least as it is understood in some other jurisdictions. As part of the Russian data protection law, there is a requirement to notify individuals and the data protection authority on the resolved breach if a breach was found by an individual or the data protection authority and they requested that it be resolved. Data operators must notify individuals whose data was breached or the data protection authority (if the request to resolve the breach comes from it). This means that the authority or the individual needs to know that there was a breach. And what happens if they do not know? Practically speaking, this means that companies can relax and do nothing – at least in this respect, as other Russian rules on data protection are fairly burdensome – unless they are requested by the authority or by an individual to notify them of the resolved breach.

GTDT: What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?

VK: The biggest issues are not fines or other regulatory consequences, as some might assume. Dealing with the Russian data protection authority in the event of a data security incident may be cumbersome and result in fines (which are fairly small – up to approximately US$1,000), but not more than that. Obviously, the biggest threat is a potential damage to reputation. In May, the WannaCry attack infected thousands of computers worldwide, and some law firms started to share their expertise in cybersecurity compliance, offering solutions for affected companies. After the mentioned attack of Petya on a major US law firm it may well be that clients in future will think twice before asking it for cybersecurity advice. The damage to the firm's reputation is obviously considerable and yet be quantified. On the other hand, it is obvious that in the modern world it is practically impossible to stay 100 per cent protected from any cybersecurity threats. Even companies that consider cybersecurity of utmost importance are still vulnerable to cybersecurity attacks merely because they use information technology in their daily business.

GTDT: What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?

VK:As a rule, Russian companies need to ensure that their systems in Russia are compliant with the technical requirements of the Federal Security Service of Russia (FSB) and the Federal Service for Technical and Export Control of Russia (FSTEC). Normally, it is advisable that the formation of a Russian IT environment and related IT compliance procedures be implemented with the assistance of a Russian company specialising in IT security and with an FSTEC licence to perform works related to data security (protection of confidential information). An IT security company can also assist with preparing a set of internal documentation: internal documents on technical issues of personal data protection, description of the IT security infrastructure and the measures to be taken by the company to prevent data breaches (eg, threat models, technical assignments). They could also advise on which hardware and software needs to be installed to ensure data security. Obviously, at this stage of development of IT technology it is highly advisable not to rely on one's own IT resources, but rather call in an outsourced provider of IT security services and let professionals build the company's data security 'walls'.

GTDT: Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud-hosting environment?

VK:The main concern is the infamous data localisation. Owing to the recent data localisation law, the collection of personal data from Russians and further direct storage in a cloud located abroad is no longer permitted.

The law created a new procedure restricting access to websites violating Russian laws on personal data and imposed a requirement to store the personal data of Russian citizens on servers located in Russia (this obviously gives a huge boost to the development of the Russian data centre industry).

The personal data of Russian citizens must be stored and processed using databases located in Russia. The requirement can be complied with by placing the website database with the personal data of Russians in a Russia-based data centre or server. This Russian database must be primary, and the foreign cloud has to be the 'secondary' database (ie, only a partial or full (mirroring) copy of the primary Russian database). This essentially means that the initial hosting must be located in Russia. For some time the data localisation requirements were barely enforced. However, in 2016, a major case involving LinkedIn attracted a great deal of public attention. A Russian district court upheld a claim by the Russian data protection authority (Roscomnadzor) seeking restriction of access to LinkedIn in Russian territory. The court found LinkedIn was storing and processing the personal data of Russian citizens on servers located outside Russia. On this basis, the court declared LinkedIn to be in violation of the personal data laws and ordered Roscomnadzor to take steps to restrict access to LinkedIn. Currently, LinkedIn remains blocked in Russia.

One other topic for concerns are the amendments to the Russian Information Law, which finally came into force on 1 July 2018. The amendments directly affect Russia's telecom and internet industries. In particular, mobile operators need to store recordings of all phone calls and the content of all text messages for a period of six months, entailing huge costs, while internet companies (eg, messengers) need to store the recordings of all phone calls and the content of all text messages for six months and the related metadata for one year. In addition, the amendments require any such communications to be provided to Russian police and intelligence at their request and the installation of special systems used for investigation purposes or to 'reconcile the use of software and hardware with the authorities' as well as to provide the security authorities with decryption keys if the messages are encrypted.

The amendments have already resulted in occasional blockings (such as BlackBerry Messenger); however, owing to the limited popularity of such messengers, the enforcement cases did not attract much attention. Everything then changed with a case regarding one of the most popular messengers in Russia – Telegram.

Telegram has frequently commented in the press that it is unable to provide decryption keys because of the nature of end-to-end encryption technology, while the FSB believed this is technically possible. Telegram refused to provide the FSB with any decryption keys and, therefore, on 13 April 2018, the Taganskyi District Court of Moscow upheld Roscomnadzor's request to block access to Telegram. On 16 April 2018, Roscomnadzor reached out to telecoms operators, requesting that they commence blocking the messenger. All Russian telecoms operators are obliged to block access to the relevant resources.

Telegram's lawyers appealed this decision without success. As of April 2018, Roscomnadzor has been trying to block Telegram using its IP address, which seems to be an ineffectual strategy. Telegram decided to disobey the court decision and defy Roscomnadzor (luckily, it has no actual presence in Russia) and started jumping from one IP address to another. At one time, Roscomnadzor was blocking millions of IP addresses, which caused interruptions to many internet services (including those hosted on the Amazon and Google networks) and caused negative critics of Roscomnadzor by other authorities, the internet ombudsman and businesses. The case is ongoing and Telegram is still available despite Roscomnadzor's actions.

GTDT: How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?

VK: The Russian government is very keen to combat cybercrime and is even imposing various rules in the laws aimed at increasing the cybersecurity of businesses. For instance, all companies dealing with personal data must apply certain technical and organisational measures aimed at protecting data and also use software certified by Russian authorities.

Any computer fraud, unauthorised data accesses or creation of malicious software may result in criminal liability. However, the number of real cases of hackers being convicted is fairly low. The reason for this is unclear and certainly gives rise to speculation.

Russia refused to ratify the Council of Europe's Convention on Cybercrime and, based on the discussions within the Russian government, it appears that the convention will not be ratified by Russia. The Russian government's officials claimed that they do not agree with the convention's provisions providing for the sanctioned access of one member state to computer data stored on the territory of another member state without the prior consent of the latter. The officials justify this on grounds of national security.

State officials have said that Russia's approach to combating cybercrime consists of 'the prompt and adequate cooperation of law enforcement authorities of different countries, as well as of the non-admission of investigations on a foreign territory without the notification of the law enforcement authorities of the state concerned'. Moreover, the authorities believe that Russia is considering promoting an approach that provides for the development of a global convention on combating crimes in the information sphere instead of the Budapest Convention, which only applies regionally and will not be fully effective. Following a proposal put forward by Russia, in May 2010 the UN Commission on Crime Prevention and Criminal Justice established an intergovernmental expert group to draft proposals to improve the international legal framework in this sphere.

GTDT: When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?

VK: Apart from standard confidentiality and privacy precautions such as encrypted data rooms and non-disclosure agreements, companies entering into M&A deals in Russia should consider personal data transfer issues before starting the due diligence process. As mentioned, owing to the recent data localisation law, the collection of personal data of Russian citizens and further direct storage in a cloud located abroad is no longer permitted. Therefore, a potential foreign purchaser should double check whether personal data (for instance, of the employees of the target company) is stored in a Russian primary database and whether the relevant consent given by such employees to the seller allows for the transfer of their data to the purchaser. Violation of these rules may result in fairly negative consequences for the purchaser, since in certain circumstances Russian data protection authorities can even block access to the purchaser's website as a part of their enforcement actions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions