Privacy and data security
What is your jurisdiction’s regulatory stance on net neutrality?
Russian legislation contains no statutory requirements for net neutrality. However, the idea has been broadly discussed and is actively supported by the Federal Anti-monopoly Service. In 2016 the Federal Anti-monopoly Service published a basic document on net neutrality on its website, explaining the main principles and goals therein. All major mobile operators (ie, MTS, Vimpelcom (Beeline) and MegaFon) have expressed their support for the principle of net neutrality.
Are there regulations or restrictions on encryption of communications?
Russian legislation contains requirements for operators of information systems, including those that process personal data, to use data protection tools. Depending on the level of significance of information and the analysis of potential threats, some systems may require only simple measures, such as password protection, while others may have to be protected with encryption (cryptography), among other means. The use of encryption (cryptographic) software and hardware and the performance of other encryption-related activities are subject to licensing under Government Decree 313 of April 16 2012.
Licensees must also apply for the certification of information security systems using encryption. Such certification involves the technical analysis of relevant systems (devices) by authorised laboratories for compliance with relevant requirements for certain types of system (specific requirements are set out in regulatory and methodological documents mainly adopted by the Federal Service for Technical and Export Control). Notably, Russian regulation is insufficiently specific on distinctions between cryptography and encoding, which can lead to confusion with regard to the scope of application of the above licensing and certification requirements.
Pursuant to Federal Law 149-FZ (the Information Law), a party that qualifies as organising the distribution of information online for the reception, transmission, processing or delivery of electronic communications must provide the Federal Security Service with the means of decryption of such communications. This rule applies specifically to email and messaging services.
Are telecoms operators bound by any rules or requirements on the retention of consumer communications data? If so, for how long must data be retained?
A number of data retention requirements apply to telecoms operators, including:
- general accounting and tax reporting obligations;
- information storage obligations in compliance with investigative activities requirements (ie, the maintenance of subscriber and service databases for three years and the provision of access to the Federal Security Service, where required);
- requirements under certain types of licence – for example, operators of universal services, operators of data transfer and operators of telematics services, when providing internet access at collective access points (eg, public Wi-Fi) must identify customers by their full name via valid identification or other means that allow secure identification, including mobile network subscriber numbers. Such data must be kept for at least six months; and
- obligations under the Yarovaya Law – a federal law named after one of its authors, Russian Parliamentary Deputy Irina Yarovaya – which will introduce an obligation that all Russian communications operators must store records of voice messages and any other type of data (including videos and pictures) exchanged, downloaded, shared or uploaded by users of Russian telecom networks.
In addition to the above, Article 10.1 of the Information Law sets out similar requirements for parties that organise the online distribution of information. Such entities must store the metadata of user communications and information for one year and the messages themselves for six months. From January 1 2018, these provisions will be amended to extend storage requirements to the operators of online messaging services. Stored information must be provided to investigative authorities on request.
As of September 1 2015, Russian legislation has required the data localisation of Russian citizens’ personal data. This requirement implies that Russian citizens’ personal data can be processed only with the use of databases physically located in Russia (which, however, does not limit the parallel use of foreign databases and servers).
What rules and procedures govern the authorities’ interception of communications and access to consumer communications data?
Under Russian regulations, enforcement authorities must be provided with direct access to telecoms networks. The relevant rules are set out in Government Decree 538, dated August 27 2005. The Federal Security Service is responsible for cooperation with operators to ensure compliance and the proper installation of technical means to ensure network access.
Details of the technical requirements for the provision of access are specified in separate orders issued by the Ministry for Connection and Mass Communications (eg, Order 73 for data transfer networks, dated May 27 2010).
Once a direct connection has been established, Russian investigative authorities can request relevant information or immediately access records and correspondence by the telecoms operator’s subscribers when such actions are approved in accordance with Federal Law 144-FZ on investigative activities, dated August 12 1995 (as amended). By way of a general rule, any limitation of constitutional rights to privacy and secret correspondence is subject to a court order, with the exception of special urgent cases, when relevant orders or approvals can be obtained post factum.
Data security obligations
What are telecoms operators’ general data security obligations to consumers?
Pursuant to Article 63 of Federal Law 126-FZ (the Communications Law), privacy of correspondence is guaranteed in Russia and therefore telecoms operators must maintain compliance with the requirements for the privacy of communications. Specific rules for the provision of different types of telecoms service also require that operators maintain the secrecy of information transmitted via their networks. Certain exceptions exist, as provided in various federal laws (eg, military situations, counter-terrorist operations and the performance of investigative activities).
Under the rules on the provision of services, information on subscribers that becomes available to the operator in the course of the provision of services can be used by the operator only for the provision of information services; the disclosure or transfer of such information to third parties is allowed only on obtaining the subscriber’s written consent, subject to the exemptions set out in various federal laws.
Operators are also bound by Personal Data Law 152-FZ, dated July 27 2006 (as amended), which requires the application of the legal, administrative and technical means of protection of personal data collected and processed in the course of business operations.