Lexology GTDT Market Intelligence provides a unique perspective on evolving legal and regulatory landscapes. This interview is taken from the Privacy & Cybersecurity volume discussing topics including government initiatives, M&A risks and cloud computing within key jurisdictions worldwide.

1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?

The topic of cybersecurity is becoming more and more important in Russian discussions. Russia is making steady progress to protect its internet infrastructure. As a consequence, on 26 July 2017, Russia adopted Federal Law No. 187-FZ on the Security of Critical Information Infrastructure of the Russian Federation. The law sets out the basic principles for ensuring the security of critical information infrastructure, the powers of the state bodies of Russia to ensure the security of the critical information infrastructure, as well as the rights, obligations and responsibilities of persons holding rights of ownership or other legal rights to the facilities for critical information infrastructure, communications providers and information systems providing interaction with these facilities.

The elements of ‘critical information infrastructure’ are understood to be information systems, telecommunication networks of state authorities as well as such systems and networks for the management of technological processes that are used in the state defence, healthcare, transport, communication, finance, energy, fuel, nuclear, aerospace, mining, metalworking and chemical industries. All these industries are considered critical for the economy and should be protected against any cyberthreats. The law requires the implementation of protection measures, assigning the category of protection (in accordance with the by-laws) and then registering with the Federal Service for Technical and Export Control (FSTEC), which is in charge of the supervision in this field. Businesses currently have many questions for the authorities about this law, which is very broadly drafted. The most pertinent is whether the law applies to the relevant business or not, since even internal LAN networks under its general rules may be considered critical information infrastructure. However, the authorities say that this is an incorrect interpretation. The lack of enforcement practice also does not help to clarify the situation.

Another legislative initiative in Russia was the banning of virtual private network (VPN) services that do not cooperate with the government, for instance in relation to copyright, data protection or other law infringements. With effect from 1 November 2017, Russia enacted the new bill on this subject. The main targets of the bill are obviously notorious anonymisers such as Tor. However, ordinary business can also be affected. One of the main questions yet to be clarified is whether VPNs used by businesses would also be restricted in their use. The bill contains an exemption that can be interpreted as allowing the use of VPN tools if the entity defines the users of the tool (eg, which employees can use the tool – such as in an internal IT policy) and uses it only for the purposes of its business. If this understanding is correct, then this exemption may be useful for the business community. The law has so far never been enforced in practice by the authorities and, therefore, the questions still remain.

There are also other various initiatives related to regulation of big data and even the creation of the Infocommunication Code, which would codify the relevant aspects of information law including cybersecurity issues that are currently sporadically regulated by different laws.

Quite recently, on 16 April 2019, Russia adopted the Runet Isolation Law, which will come into force on 1 November 2019. Under this law, Russian authorities receive wide powers to control the internet. Furthermore, communications operators will be obliged to use traffic exchange points from a specially created registry run by the Russian data protection authority, which should be physically located only on the territory of Russia. In addition, communications operators will be obliged to provide the data protection authority with all information about their network addresses, telecommunications message routes, software and hardware tools used to resolve domain names and communications network infrastructure.

Such a closed environment would make it easier to block any prohibited or unwanted services. The general idea of this law is to keep the Russian segment of the internet technically live even if it is switched off from the rest of the worldwide web (irrespective of whoever decides to do this – an external force or the Russian government itself). The blocking part also looks fairly logical, since it is currently difficult for the authorities to enforce blocking when illegal services are hosted by foreign-based providers. In a Russia-locked environment, this would be much easier to do as all players would be only Russian companies and individuals.

It remains to be seen how this law will affect any foreign companies doing business in Russia. However, in the event of a doomsday scenario, where the Russian segment is switched off from the rest of the web, it would certainly affect everyone working with Russia. From our perspective, however, this law is a loaded gun that the authorities want to have ‘just in case’ and it does not seem likely that they would initiate the switch-off themselves.

2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?

This is an interesting topic, since Russian data breach notification rules differ from European rules, for instance, and sometimes it is difficult to see the logic of these rules. It is generally accepted in Russia that Russian data protection law was greatly inspired by European laws. This is obvious from a high-level reading of the Russian law on personal data. However, it appears that the concept of data breach notification was simply misunderstood by Russian lawmakers. As a result, there is no data breach notification requirement under Russian law, at least as it is understood in some other jurisdictions. As part of the Russian data protection law, there is a requirement to notify individuals and the data protection authority of the resolved breach if a breach was found by an individual, or the data protection authority, and they requested that it be resolved. Data operators must notify individuals whose data was breached or the data protection authority (if the request to resolve the breach comes from it). This means that the authority or the individual needs to know that there was a breach. In practice, the infringers would simply do nothing unless they are requested by the authority or by an individual to notify them of the resolved breach.

However, recently Russia signed the Protocol to the Council of Europe Convention No. 108. Therefore, we expect new amendments to the personal data law that would harmonise the law with Convention No. 108. In particular, we expect the breach notification rules to be introduced.

3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?

The biggest issues are not fines or other regulatory consequences, as some might assume. Dealing with the Russian data protection authority in the event of a data security incident may be cumbersome and result in fines (which are fairly small – up to approximately US$1,000), but not more than that. Obviously, the biggest threat is potential damage to reputation. On the other hand, it is obvious that in the modern world it is practically impossible to stay 100 per cent protected from any cybersecurity threats. Even companies that consider cybersecurity of the utmost importance are still vulnerable to cybersecurity attacks merely because they use information technology in their daily business.

4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?

As a rule, Russian companies need to ensure that their systems in Russia are compliant with the technical requirements of the Federal Security Service of Russia (FSB) and the FSTEC. Normally, it is advisable that the formation of a Russian IT environment and related IT compliance procedures be implemented with the assistance of a Russian company specialising in IT security and with an FSTEC licence to perform works related to data security (protection of confidential information). An IT security company can also assist with preparing a set of internal documentation: internal documents on technical issues of personal data protection, description of the IT security infrastructure and the measures to be taken by the company to prevent data breaches (eg, threat models, technical assignments). They could also advise on which hardware and software needs to be installed to ensure data security. Obviously, at this stage of development of IT technology, it is highly advisable not to rely on one’s own IT resources, but rather call in an outsourced provider of IT security services and let professionals build the company’s data security ‘walls’.

5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?

The main concern is the infamous data localisation. Owing to the recent data localisation law, the collection of personal data from Russians and further direct storage in a cloud located abroad is no longer permitted.

The law created a new procedure restricting access to websites violating Russian laws on personal data and imposed a requirement to store the personal data of Russian citizens on servers located in Russia (this obviously gives a huge boost to the development of the Russian data centre industry).

The personal data of Russian citizens must be stored and processed using databases located in Russia. The requirement can be complied with by placing the website database with the personal data of Russians in a Russia-based data centre or server. This Russian database must be primary and the foreign cloud has to be the ‘secondary’ database (ie, only a partial or full (mirroring) copy of the primary Russian database). This essentially means that the initial hosting must be located in Russia. For some time the data localisation requirements were barely enforced. However, in 2016, a major case involving LinkedIn attracted a great deal of public attention. A Russian district court upheld a claim by the Russian data protection authority (The Federal Service for Supervision of Communications, Information Technology and Mass Media (Roscomnadzor)) seeking the restriction of access to LinkedIn in Russian territory. The court found LinkedIn was storing and processing the personal data of Russian citizens on servers located outside Russia. On this basis, the court declared LinkedIn to be in violation of the personal data laws and ordered Roscomnadzor to take steps to restrict access to LinkedIn. Currently, LinkedIn remains blocked in Russia.

One other topic of concern is the amendments to the Russian Information Law, which finally came into force on 1 July 2018. The amendments directly affect Russia’s telecom and internet industries. In particular, mobile operators need to store recordings of all phone calls and the content of all text messages for a period of six months, entailing huge costs, while internet companies (eg, messengers) need to store the recordings of all phone calls and the content of all text messages for six months and the related metadata for one year. In addition, the amendments require any such communications to be provided to Russian police and intelligence at their request and the installation of special systems used for investigation purposes or to ‘reconcile the use of software and hardware with the authorities’, as well as to provide the security authorities with decryption keys if the messages are encrypted.

The amendments have already resulted in occasional blockings (such as BlackBerry Messenger). However, owing to the limited popularity of such messengers, the enforcement cases did not attract much attention. Everything then changed with a case regarding one of the most popular messengers in Russia – Telegram.

Telegram has frequently commented in the press that it is unable to provide decryption keys because of the nature of end-to-end encryption technology, while the FSB believed this is technically possible. Telegram refused to provide the FSB with any decryption keys and, therefore, on 13 April 2018, the Taganskyi District Court of Moscow upheld Roscomnadzor’s request to block access to Telegram. On 16 April 2018, Roscomnadzor reached out to telecoms operators, requesting that they commence blocking the messenger. All Russian telecoms operators are obliged to block access to the relevant resources.

Telegram’s lawyers appealed this decision without success. Since April 2018, Roscomnadzor has been trying to block Telegram using its IP addresses, which seems to be an ineffectual strategy. Telegram decided to disobey the court decision and defy Roscomnadzor (luckily, it has no actual presence in Russia) and started jumping from one IP address to another. At one time, Roscomnadzor was blocking millions of IP addresses, which caused interruptions to many internet services (including those hosted on the Amazon and Google networks) and drew criticism of Roscomnadzor from other authorities, the internet ombudsman and businesses. The case is ongoing and Telegram is still available despite Roscomnadzor’s actions.

6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?

The Russian government is very keen to combat cybercrime and is even imposing various rules in the laws aimed at increasing the cybersecurity of businesses. For instance, all companies dealing with personal data must apply certain technical and organisational measures aimed at protecting data and also use software certified by Russian authorities.

Any computer fraud, unauthorised data accesses or creation of malicious software may result in criminal liability. However, the number of real cases of hackers being convicted is fairly low. The reason for this is unclear and certainly gives rise to speculation.

Russia refused to ratify the Council of Europe’s Convention on Cybercrime and, based on the discussions within the Russian government, it appears that the convention will not be ratified by Russia. Russian government officials claim that they do not agree with the Convention’s provisions providing for the sanctioned access of one member state to computer data stored in the territory of another member state without the prior consent of the latter. The officials justify this on grounds of national security.

State officials have said that Russia’s approach to combating cybercrime consists of ‘the prompt and adequate cooperation of law enforcement authorities of different countries, as well as of the non-admission of investigations on a foreign territory without the notification of the law enforcement authorities of the state concerned’. Moreover, the authorities believe that Russia is considering promoting an approach that provides for the development of a global convention on combating crimes in the information sphere instead of the Budapest Convention, which only applies regionally and will not be fully effective. Following a proposal put forward by Russia, in May 2010 the UN Commission on Crime Prevention and Criminal Justice established an intergovernmental expert group to draft proposals to improve the international legal framework in this sphere.

7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?

Apart from standard confidentiality and privacy precautions, such as encrypted data rooms and non-disclosure agreements, companies entering into M&A deals in Russia should consider personal data transfer issues before starting the due diligence process. As mentioned, owing to the recent data localisation law, the collection of personal data of Russian citizens and further direct storage in a cloud located abroad is no longer permitted. Therefore, a potential foreign purchaser should double check whether personal data (for instance, of the employees of the target company) is stored in a Russian primary database and whether the relevant consent given by such employees to the seller allows for the transfer of their data to the purchaser. Violation of these rules may result in fairly negative consequences for the purchaser, since in certain circumstances Russian data protection authorities can even block access to the purchaser’s website as a part of their enforcement actions.

The Inside Track

When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?

  • Russian market knowledge and close cooperation with IT security firms. Further, lawyers can only be valuable in cybersecurity practice if they cooperate with a team of IT security specialists, preferably licensed by the Russian FSTEC.
  • Look for a reliable partner who can help build cybersecurity from scratch or help fine-tune procedures to the Russian market.
  • Look at the law firm’s portfolio of completed cybersecurity risk management projects.
  • Perform a threat modelling exercise and expose the whole team (IT, PR, finance, legal) to a mock cyberattack to see how it would be dealt with in real life.

What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?

Russia’s rapidly changing regulatory environment is a big problem for businesses, since they need to adjust quickly to the unstable legal framework, but it makes advising on these issues very interesting.

How is the privacy landscape changing in your jurisdiction?

The data localisation law now requires storage of Russian citizens’ personal data on servers located in Russia. In June 2016, the Russian parliament adopted amendments that introduced legislative changes to telecommunications and the internet. The substitution of foreign software imports is another trend.

What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?

Cybersecurity threats in Russia are generally similar to those elsewhere. However, authorities are creating many obstacles in privacy and cybersecurity regulation and this should also be considered a point of risk for businesses. Companies coming to do business in Russia should also realise that data access requests from various state agencies (not only state security agencies) are not uncommon and the extent of the information which can be given to the authorities should always be considered carefully; this is where the advice of a competent lawyer is particularly useful.