In June 2016, the Russian Parliament adopted Federal Law
"On Amendment of the Federal Law 'On Counterterrorism'
and Related Laws of the Russian Federation Establishing Additional
Counterterrorism and Public Security Measures"
("Amendments"). These Amendments have a number of
provisions affecting the technology sector.
The Amendments also introduce changes to Russian legislation
related to telecommunications and the internet—specifically,
Federal Law No126-FZ "On Telecommunications" dated July
7, 2003 ("Telecom Law") and Federal Law No149-FZ "On
Information, Informational Technologies and Protection of
Information" dated July 27, 2006 ("Information
Law"). Changes in the legislation proposed by the Amendments
for the Telecom Law and Information Law require Russian
communications service providers ("CSP") and
"facilitators of information dissemination on the
Internet" ("FIDI") to store in Russia all
information on their customers' and internet users'
communications and messages for specified periods. Article 10.1(1)
of the Information Law defines "FIDI" as "a person
who operates information systems and/or computer software designed
or used for receiving, transmitting, delivering and/or processing
of Internet users' electronic messages." The definition of
FIDI in the Information Law includes messaging service providers,
public email service providers, social media, blogging, news and
other platforms, and IP-telephony providers. The Russian Federal
Service for Supervision of Communications, Information Technology
and Mass Media maintains a register of FIDIs.
The Amendments require CSPs to keep all metadata information on
customers' communications and messages (i.e., "information
on receipt, transmittance, delivery and/or processing of voice
data, texts, pictures, sounds, video- or other types of
messages") for three years. FIDIs are mandated to maintain an
archive data on internet users and their communications and
messages for one year. Article 10.1(3) of the Information Law
prescribes FIDIs to keep archived data for a six-month period,
while CSPs do not have this obligation. Article 64(1) of the
Telecom Law imposes a general obligation on CSPs to disclose any
data to Russian law enforcement authorities upon their
request.
The Amendments impose an additional obligation on CSPs and FIDIs to
retain the content of customers' and internet users'
communications and messages (in addition to metadata) for up to six
months. The procedure, retention periods, and scope of the retained
content are not specified and are to be further determined by the
Russian government in special regulations.
The Amendments also require FIDIs that use encryption for
electronic messaging services and/or provide encryption
functionality to internet users to disclose relevant decryption
tools to the Russian Federal Security Service. Failure to comply
with these requirements may lead to administrative fines of up to 1
million rubles (approximately US$15,500).
CSPs and FIDIs will thus experience significant financial and
organizational burdens, and compliance risks, under the Amendments.
It is expected that both the scope of data archiving and mandatory
retention periods for CSPs and FIDIs would increase dramatically.
In addition, the Amendments prohibit encryption unless decryption
tools are provided to the Russian Federal Security Service, thus
potentially affecting adoption of these services by the
public.
The Amendments were approved by the Duma (the lower chamber of the
Russian Parliament) as well as by the Federation Counsel in late
June 2016 and signed by President Putin on July 7, 2016. The
current timeline for implementation is from July 2016 through July
2018.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.