In June 2016, the Russian Parliament adopted Federal Law "On Amendment of the Federal Law 'On Counterterrorism' and Related Laws of the Russian Federation Establishing Additional Counterterrorism and Public Security Measures" ("Amendments"). These Amendments have a number of provisions affecting the technology sector.
The Amendments also introduce changes to Russian legislation related to telecommunications and the internet—specifically, Federal Law No 126-FZ "On Telecommunications" dated July 7, 2003 ("Telecom Law") and Federal Law No 149-FZ "On Information, Informational Technologies and Protection of Information" dated July 27, 2006 ("Information Law"). Changes in the legislation proposed by the Amendments for the Telecom Law and Information Law require Russian communications service providers ("CSP") and "facilitators of information dissemination on the Internet" ("FIDI") to store in Russia all information on their customers' and internet users' communications and messages for specified periods. Article 10.1(1) of the Information Law defines "FIDI" as "a person who operates information systems and/or computer software designed or used for receiving, transmitting, delivering and/or processing of Internet users' electronic messages." The definition of FIDI in the Information Law includes messaging service providers, public email service providers, social media, blogging, news and other platforms, and IP-telephony providers. The Russian Federal Service for Supervision of Communications, Information Technology and Mass Media maintains a register of FIDIs.
The Amendments require CSPs to keep all metadata information on customers' communications and messages (i.e., "information on receipt, transmittance, delivery and/or processing of voice data, texts, pictures, sounds, video- or other types of messages") for three years. FIDIs are mandated to maintain an archive data on internet users and their communications and messages for one year. Article 10.1(3) of the Information Law prescribes FIDIs to keep archived data for a six-month period, while CSPs do not have this obligation. Article 64(1) of the Telecom Law imposes a general obligation on CSPs to disclose any data to Russian law enforcement authorities upon their request.
The Amendments impose an additional obligation on CSPs and FIDIs to retain the content of customers' and internet users' communications and messages (in addition to metadata) for up to six months. The procedure, retention periods, and scope of the retained content are not specified and are to be further determined by the Russian government in special regulations.
The Amendments also require FIDIs that use encryption for electronic messaging services and/or provide encryption functionality to internet users to disclose relevant decryption tools to the Russian Federal Security Service. Failure to comply with these requirements may lead to administrative fines of up to 1 million rubles (approximately US$15,500).
CSPs and FIDIs will thus experience significant financial and organizational burdens, and compliance risks, under the Amendments. It is expected that both the scope of data archiving and mandatory retention periods for CSPs and FIDIs would increase dramatically. In addition, the Amendments prohibit encryption unless decryption tools are provided to the Russian Federal Security Service, thus potentially affecting adoption of these services by the public.
The Amendments were approved by the Duma (the lower chamber of the Russian Parliament) as well as by the Federation Counsel in late June 2016 and signed by President Putin on July 7, 2016. The current timeline for implementation is from July 2016 through July 2018.