FREQUENTLY ASKED QUESTIONS
Q 1. Russian encryption regulations — what is controlled?
The importation and exportation of encryption-based products in Russia is subject to import/export encryption clearance requirements set at the supranational level of the Eurasian Economic Union (EAEU).
Russian import/export encryption regulations are set by EAEU Decision No. 30 “On Measures of Non-Tariff Regulations” (“Decision No. 30”) dated 21 April 2015 and apply both to the importation and exportation of encryption-based products. Decision No. 30 established a list of encryption products classified by name and customs classification (HS) codes that covers almost all types of IT/telecom products.
The EAEU import/export encryption regulations apply with respect to all tangible (physical) cross-border shipments of goods. Intangible cross-border transfer of data (e.g., electronic downloading of software from a foreign server) is not controlled.
Q 2. What types of import/export permission documents are required?
Decision No. 30 establishes the following three types of permission documents required for the import/export encryption clearance of IT products:
(i) import/export encryption license
(ii) import/export encryption permit
(iii) registration of a notification
In order to determine the type of permission document, the following aspects should be analyzed:
Encryption functionality, including the following:
�� list of cryptographic algorithms and maximum key length (e.g., AES-256, RSA-2048, etc.)
�� list of implementing protocols (e.g., TLS, SSH, SSL, etc.) �� how the encryption is employed: at the level of software,
software operating system and/or hardware (if the hardware is used, whether the product has any TPM modules), etc.
�� what type of data is encrypted, i.e., technical/metadata, or customer/business data (e.g., media content, texts, etc.)
�� how the data is encrypted, i.e., “at rest” or “in flight”
Purpose of importation, which may include, for example:
�� local distribution �� importation for internal business needs of the importer
of record �� temporary importation, or importation for replacement of
local defective units
In addition, in the case of temporary importation, an ATA Carnet could be considered as an alternative type of import permission document. However, the use of an ATA Carnet should be discussed with the clearing customs post well in advance.
Q 3. When an import/export encryption license is required?
Generally, the import/export encryption licensing requirement applies to all types of imported IT/telecom products for B2B use with so-called strong/”heavy” encryption functionality capable of encrypting customer/business data (i.e., texts, images, video/audio files, etc.) “at rest” or “in flight” with the use of an encryption key length exceeding 56 bits for symmetric and 512 bits for asymmetric cryptographic algorithms.
Q 4. What is the procedure for obtaining an import/export encryption license?
The regulations provide that only the importer of record (i.e., a legal entity incorporated in an EAEU member state) may be an applicant for and a holder of an import/export license. There is a two-stage procedure for the issuance of import licenses:
(i) Issuance of a license approval — the applicant should apply for a license approval with the competent authority (i.e., in Russia — the Federal Security Service, “FSS”), which is a free of charge procedure taking approximately one to two months. The applicant must prepare and submit to the FSS an application form and a standard set of documents outlining all circumstances of the contemplated import/export transaction, including the purpose of end-use of the products, their encryption characteristics and the end-user details.
(ii) Issuance of an import license by the authorized state agency (i.e., in Russia — the Ministry of Industry and Trade, “MIT”), which requires preparation of a standard set of documents and payment of a state duty in the amount of RUB 7,500 (approximately USD 110) and takes 15 business days.
Q 5. Practical peculiarities of the import/export licensing procedure.
(i) The importer of record (applicant for an import/export license) must have a local encryption license as a precondition. The local encryption licensing requirements are established by separate/stand-alone set of regulations on the local manufacturing, distribution/supply and repair/maintenance of encryption-based products, as well as provision of encryption- based services. For more details, please refer to Q9 below.
(ii) Each unit of “heavy” encryption-based products must be designated for and supplied to the particular end-user. The FSS does not permit the Russian importers of record/distributors to stock “heavy” encryption-based products (e.g., for replacement purposes).
Q 6. When can an import/export permit be applied and what is the procedure?
An import/export permit can be applied instead of an import/ export license in the following cases of importation/exportation of “heavy” encryption-based products:
�� repair or exchange based on the contractual obligations of the company
�� import/export for internal use without distribution of imported items to third parties and without provision of encryption-related services to third parties
�� temporary import for conducting scientific-technical expertise
�� temporary import for scientific research �� temporary import for showing in exhibitions �� transit of encryption devices through the territory
of the EAEU
The procedure is very similar to the procedure established for the issuance of a license approval by the FSS. Import permits can be obtained both by Russian entities and by local branches/ representative offices of foreign companies.
Q 7. What is the notification procedure?
Decision No. 30 establishes 12 exemption categories of goods that can be subject to the notification procedure, which is an alternative to the import/export license/permit (the 12 exemption categories are provided in Annex 2).
These are generally so-called “mass market” products (i.e., B2C goods designated primarily/basically for use by individuals rather than for business), as well as goods with “light”/limited encryption functions (i.e., goods that cannot encrypt customer/ business data “at rest” or “in flight” with the use of above- mentioned encryption keys exceeding 56/512 bits).
If a product, by its characteristics, falls under the notification criteria, the foreign vendor should issue a notarized and legalized (apostilled) authorization document to its local representative (i.e., a Russian legal entity or individual). The local applicant should complete and execute a notification form together with a set of supporting documents and submit them for registration to the FSS.
The statutory term for the consideration and registration of notifications is 10 business days, plus the time needed for the delivery of documents to the FSS.
Information on all the registered notifications is publicly available on the EAEU register at www.eurasiancommission.org. After a notification has been registered and placed on the EAEU register, the products can be freely imported/exported into Russia/EAEU by any importers and exporters of record.
Q 8. Specifics of importation of encryption- based products by individuals.
Decision No. 30 establishes a list of B2C encryption products that can be freely imported by individuals for their personal needs without the import/export encryption clearance formalities. This exemption list (“List”), among others, includes (i) software, (ii) means of electronic signature, (iii) computers and their parts, and (iv) electronic cards intended for public user (e.g., bank cards, SIM cards, discount cards), etc.
The importation of encryption devices by individuals for business purposes is legally viewed as a commercial supply that should be subject to an import/export customs declaration. From the practical perspective, if the commercial gadgets imported by employees fall under the List, they can be viewed as exempt from the import/export encryption clearance procedures, regardless of the B2B status. Otherwise, the necessity to perform an import/export customs declaration of such commercial products imported by business travelers should be determined separately, based on the type of product, its designation and sphere of application.
Q 9. What are the local encryption licensing requirements?
Russian Governmental Decree No. 313 dated 16 April 2012 (“Local Encryption Regulations”) established the list of 28 types of licensed activities. Generally, any activities related to the development/production of cryptographic products, technical maintenance of cryptographic products, provision of services in the sphere of data encryption, as well as distribution of cryptographic products, are subject to the local use licenses issued by the FSS.
The Local Encryption Regulations establish a list of the types of products that should be exempt from the local encryption licensing requirements, which are very similar to the exemption categories of goods that should be subject to the notification procedure under the import/export encryption clearance requirements set by Decision No. 30. Thus, if the importation of an encryption product is subject to the notification procedure, and such a product was properly notified, a local use or supply of the product will, most likely, not require a local encryption license.
Only Russian legal entities or individual entrepreneurs may apply for a local (domestic) encryption license. Representative offices of foreign companies registered in Russia cannot apply for a local license.
In order to be eligible to apply for a local encryption license, the applicant should meet certain established requirements (i.e., establish a division and premises for the performance of licensed activity, hire specifically qualified personnel and make certain additional arrangements).
If the applicant meets the local encryption licensing requirements, the FSS will issue a license for the relevant type(s) of activity for an unlimited term. The license should normally be issued within 45 business days after the submission of all required documents, including the document confirming the payment of the license fee (i.e., state duty in the amount of RUB 7,500 or approximately USD 110).
Alexander Bychkov Partner +7 495 7872715 Alexander.Bychkov @bakermckenzie.com
Vladimir Efremov Partner +7 495 7870715 Vladimir.Efremov @bakermckenzie.com
Andrey Gavrilov Associate +7 495 787 5573 Andrey.Gavrilov @bakermckenzie.com