On July 7, Russian President Vladimir Putin signed a law amending existing anti-terrorism legislation that could affect U.S. telecom and internet service companies operating in Russia. It will require that telecommunications operators and internet service providers (“ISPs”) retain up to 6 months of data, including personal data and communications content, as well as metadata, for periods up to 3 years. Further, if any encryption is used to protect the data, the telecommunication or internet service provider must provide the Russian authorities the decryption technology.

Russia’s largest mobile phone operators and ISPs have criticized the legislation, saying it is unreasonably costly. A similar data retention law (the EU Data Retention Directive, 2006/24/EC) was invalidated by the EU Court of Justice in April 2014 because it was held to violate privacy and data protection rights. Some EU countries subsequently annulled their national laws implementing the EU Data Retention Directive.

Another bill signed by President Putin on July 7 imposes tougher sentences for online commentary considered “an incitement to hatred or a violation of human dignity.” Critics say the laws are designed to help the Russian government monitor and crackdown on dissent online.