Lexology GTDT Market Intelligence provides a unique perspective on evolving legal and regulatory landscapes. This interview is taken from the Privacy & Cybersecurity volume discussing topics including government initiatives, M&A risks and cloud computing within key jurisdictions worldwide.

1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?

Russia is planning to require foreign technology companies to set up representative offices in Russia. Currently, there is a bill under consideration in the Russian parliament and it is very likely to be adopted this year. The bill would mainly affect foreign companies who are owners of websites, information systems, software and apps with a daily audience of at least 500,000 users in Russia and who provide information in Russian, distribute advertising targeted at a Russian audience, process personal data of Russian users or receive money from Russian individuals and legal entities.

Technology companies would also need to register accounts in a special system run by the Russian data protection authority and respond to queries from the authority (eg, to delete certain prohibited or unwanted content). The bill also provides for a range of sanctions for non-compliance, such as prohibitions on distributing advertising, restrictions of money transfers and prohibitions on collecting and transferring personal data. It remains to be seen how these sanctions and the law as such would be enforced.

Critical information infrastructure remains a hot topic on the Russian cybersecurity agenda. The relevant regulations apply to information systems, telecommunication networks of state authorities and systems and networks for managing technological processes that are used in the state defence, healthcare, transport, communication, finance, energy, fuel, nuclear, aerospace, mining, metalworking and chemical industries. The law requires the implementation of protection measures, assigning the category of protection (in accordance with the by-laws) and then registering with the Federal Service for Technical and Export Control (FSTEC).

Also worth mentioning are restrictions on virtual private network (VPN) services that do not cooperate with the government, for instance in relation to copyright, data protection or other legal infringements. The main targets of the restrictions are anonymisers; however, ordinary businesses can also be affected. The relevant regulations contain an exemption that can be interpreted as allowing the use of VPN tools if the entity defines the users of the tool (eg, which employees can use the tool – such as in an internal IT policy) and uses it only for the purposes of its business. However, this exemption has not been clarified by the authorities or court practice.

Russia also adopted the ‘Runet Isolation Law’. Under this law, Russian authorities received wide-ranging powers to control the internet. Furthermore, communications operators are obliged to use traffic exchange points from a specially created registry run by the Russian data protection authority, which should be physically located only in the territory of Russia. In addition, communications operators are obliged to provide the data protection authority with all information about their network addresses, telecommunications message routes, software and hardware tools used to resolve domain names and communications network infrastructure. The general idea of this law is to keep the Russian segment of the internet technically live even if it is switched off from the rest of the worldwide web (irrespective of whoever decides to do this, an external force or the Russian government itself).

2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?

Russian data breach notification rules differ from European rules. Currently, there is no data breach notification requirement under Russian law, at least as it is understood in some other jurisdictions. As part of the Russian data protection law, there is a requirement to notify individuals and the data protection authority of the resolved breach if a breach was found by an individual or the data protection authority and they requested that it be resolved. Data operators must notify individuals whose data was breached or the data protection authority (if the request to resolve the breach comes from it). This means the authority or the individual needs to know there was a breach. But, in practice, the infringers would simply do nothing unless asked by the authority or by an individual to notify them of the resolved breach.

However, Russia signed the Protocol to the Council of Europe Convention No. 108. Therefore, we expect new amendments to the personal data law to harmonise the law with Convention No. 108. In particular, we expect breach notification rules to be introduced.

3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?

Companies working in Russia may face high fines (up to 18 million roubles) or sanctions. In addition, under various initiatives of the Russian parliament, new laws could be adopted that would add further sanctions, including prohibitions on distributing advertising, restrictions on money transfers and prohibitions on the collection and transfer of personal data.

4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?

As a rule, Russian companies need to ensure that their systems in Russia are compliant with the technical requirements of the Federal Security Service of Russia (FSB) and FSTEC. Normally, it is advisable that the formation of a Russian IT environment and related IT compliance procedures be implemented with the assistance of a Russian company specialising in IT security and with an FSTEC licence to perform works related to data security (protection of confidential information). An IT security company can also assist with preparing a set of internal documentation, such as internal documents on technical issues of personal data protection and descriptions of the IT security infrastructure and the measures to be taken by the company to prevent data breaches (eg, threat models, technical assignments). They could also advise on which hardware and software needs to be installed to ensure data security.

5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?

The main concern is the data localisation requirement. The collection of personal data from Russians and further direct storage in a cloud located abroad is no longer permitted. The personal data of Russian citizens must be stored and processed using databases located in Russia. The requirement can be complied with by placing the website database with the personal data of Russians in a Russia-based data centre or server. This Russian database must be primary and the foreign cloud has to be the ‘secondary’ database (ie, only a partial or full (mirroring) copy of the primary Russian database). This essentially means that the initial hosting must be located in Russia.

One other topic of concern is the amendments to the Russian Information Law, which affect Russia’s telecom and internet industries. In particular, mobile operators need to store recordings of all phone calls and the content of all text messages for a period of six months, entailing huge costs, while internet companies (eg, messengers) need to store the recordings of all phone calls and the content of all text messages for six months and the related metadata for one year. In addition, the amendments require any such communications to be provided to Russian police and intelligence at their request and the installation of special systems used for investigation purposes or to ‘reconcile the use of software and hardware with the authorities’, as well as to provide the security authorities with decryption keys if the messages are encrypted.

6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?

The Russian government is very keen to combat cybercrime and is imposing various laws aimed at increasing the cybersecurity of businesses. For instance, all companies dealing with personal data must apply certain technical and organisational measures aimed at protecting data and also use software certified by Russian authorities.

Any computer fraud, unauthorised data accesses or creation of malicious software may result in criminal liability. However, the number of real cases of hackers being convicted is fairly low.

7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?

Apart from standard confidentiality and privacy precautions, such as encrypted data rooms and non-disclosure agreements, companies entering into M&A deals in Russia should consider personal data transfer issues before starting the due diligence process. As mentioned, owing to the data localisation law, the collection of personal data of Russian citizens and further direct storage in a cloud located abroad is no longer permitted. Therefore, a potential foreign purchaser should double check whether personal data (for instance, of the employees of the target company) is stored in a Russian primary database and whether the relevant consent given by such employees to the seller allows for the transfer of their data to the purchaser. Violation of these rules may result in fairly negative consequences for the purchaser, since in certain circumstances Russian data protection authorities can even block access to the purchaser’s website or impose high fines as a part of their enforcement actions.

The Inside Track

When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?

  • Russian market knowledge and close cooperation with IT security firms, preferably licensed by the Russian FSTEC.
  • Fast response by lawyers and IT specialists.
  • The law firm’s portfolio of completed cybersecurity risk management projects.
  • Perform a threat modelling exercise and expose the whole team to a mock cyberattack to see how it would be dealt with in real life.

What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?

Russian laws are changing rapidly. Since 2014, Russia has adopted many new privacy and cybersecurity laws, and most of these were rough and unprepared for use, with even law enforcement agencies struggling to interpret the rules. Such circumstances make advising on privacy and cybersecurity fairly complex, but extremely interesting.

How is the privacy landscape changing in your jurisdiction?

The data localisation law now requires storage of Russian citizens’ personal data on servers located in Russia, and Russian communications service providers must store all information on their customers’ and internet users’ communications in Russia for specified periods. The Russian government has also created a register of Russian software, requiring state agencies to purchase Russian software instead of foreign software unless the authorities can prove the software has no equivalent in Russia.

What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?

DDoS attacks and ransomware attacks are very common, as elsewhere in the world. However, authorities are also creating many obstacles in the regulation of privacy and cybersecurity. Companies coming to do business in Russia should realise that data access requests from various state agencies are not uncommon and the extent of the information that can be given should always be considered carefully.