On 6 July 2016 Federal Law No. 374-FZ "On the Introduction of Amendments to the Federal Law "On Combating Terrorism" and Certain Legislative Acts of the Russian Federation to Establish Additional Measures to Combat Terrorism and Ensure Public Safety" (also known as the 'Anti-Terror Law' or 'Yarovaya’s Law') was adopted.
The new law stipulates rather severe obligations (mostly, for communication service providers) and extends the powers of law-enforcement authorities. Most of its provisions enters into force on 20 July 2016, but certain data retention obligations will only become effective from 1 July 2018.
The key provisions of the new law are:
- new data retention obligations
- obligations to provide state authorities with decoding information (to decrypt internet communications)
- certification of encryption technology
- new obligations for mail service operators and shipping companies, and
- regulation of missionary work (миссионерская дея-тельность).
The provisions related to data retention have received a great deal of attention but the new rules related to the regulation of encryption technology also signal important changes to the regulatory environment.
The new obligations for mail service providers and the regulation for missionary activities, although important, are very specialised, therefore this alert will focus on the data retention and encryption issues.
This new law is a another step toward greater state control over internet communications and activities. As is often the case, the rules under this new law are broadly written with little guidance on how they will be applied. The new data retention requirements appear to impose an enormous new burden on communications services providers and others (as outlined below), however, some commentators have suggested that these requirements may be softened by amendment or in regulations. These new rules and their application therefore warrant continued consideration and monitoring.
The new law imposes significant new data retention requirements on Communications Services Providers (Операторы связи) (Communications Providers) and Organisers of the Dissemination of Information on the Inter-net (Организатор Распространения Информации в Сети Интернет) (Internet Organisers).1
Who is affected?
The data retention rules apply to Communications Providers and Internet Organisers. While the definition of what is a Communications Provider is narrow, the definition of an Internet Organiser is rather broad. The new law does not change the definitions, but given the expanded obligations under the law, it is useful to consider for whom these new rules are applicable.
Communications Providers are defined under the law as those who provide communications services under an appropriate licence. These new rules do not change the licence requirement nor do they expand the range of parties to be construed as Communications Providers. Therefore, for nearly all Communications Providers, their status should be clear. However, it may not be so clear as to whether an entity could be deemed an Internet Organiser.
The definition of Internet Organisers is written broadly and covers any entity which ensures the functionality of information systems and/or software aimed at the receipt, transfer, delivery and/or processing of electronic communications of internet users. Many parties can fall under this definition even when they do not expect to.
Unfortunately, there is little guidance on how this broad definition should be applied. Commentators only repeat that the definition is overly broad and court practice has not provided useful guidelines.
Under the existing law, Internet Organisers are listed in a special register maintained by the Federal Service for the Supervision of Information Technologies and Communications (Roskomnadzor). There are two ways to be included on the register: Internet Organisers can self-identify and apply to Roskomnadzor to be included, or Roskomnadzor may initiate the inclusion on the register upon its own initiative (usually upon the request of another government agency). With these new data retention rules, it is possible that Roskomnadzor (and other agencies) may take a more active position on placing parties on this register.
As it is not entirely clear, we suggest anyone operating communications services or resources (websites, apps, software, etc) which may, even loosely, be considered to fall within the legal definition to review their status to determine whether the Internet Organiser status is applicable and whether the new data retention rules will apply.
Data retention requirements
The existing law already features data retention requirements for both Communications Providers and Internet Organisers, but the new rules significantly expand these requirements. There are two specific changes:
- First, a Communications Provider or Internet Organiser must now collect and retain data on communications (specifically, voice data, text messages, images, audio, video or other messages of users) sent through their services for a period of three years for Communications Providers and one year for Internet Organisers. This information is essentially metadata-type information regarding the communication and does not include the substance of the communication. That is covered in the second rule.
- Secondly, a Communications Provider or Internet Organiser must maintain a copy of the communications themselves for a period of up to six months. The government is to provide regulations on how this process is to be undertaken (including the timeframe for retaining information). At present, there are no regulations or reliable guidance on how the specific timeframe will be determined in specific cases.
Clearly these new data retention requirements impose a serious compliance and cost burden upon Communications Providers and Internet Organisers. While President Putin has indicated that this is understood by the government, no details have been proposed to mitigate the burdens brought under this new law.
Providing decoding capability
The new rules now require Internet Organisers to provide decoding capabilities to state authorities to allow them to break any encryption which may have been applied to retained data (including communication content).
New encryption certification
The new law signals the introduction of a new certification requirement for encryption technology. It provides for penalties for using uncertified encryption tools for encoding (средства кодирования, a term already defined by the law). This new certification requirement is not spelled out or even established in the law, but the president has instructed the FSB to create regulations for this certification requirement. While no binding regulations or details have been issued regarding this certification requirement, on 18 July 2016 the FSB published a notice on its website indicating an opinion that this certification requirement should apply only to encryption of information containing state secrets. This notice is not, however, legally binding, so it is important to continue to watch for developments. For the time being, the procedure for certification is not established and it appears that FSB's current position is that it should be applied only to information containing state secrets.
The penalties established under the new law are administrative fines of up to RUB 30,000 for company executives and up to RUB 300,000 for the company, plus the possible confiscation of uncertified products.
These new rules impose a significant new burden, and the public outcry has been loud. Many expect the impact of these new burdens to be mitigated as regulations and practice develops (or even through a change in the law), but for the time being, it is wise to pay close attention to these new rules.