1467365353372
Data Privacy & Security

Russia to Enact Mass Internet Surveillance Laws Requiring companies to Store Online Communications Data and Make it Available to Security Agencies


Companies that enable the use of instant messaging, social networks, operators of multiplayer games and various websites enabling user-generated content or messages and other companies supporting online communications may be required from July 20, 2016 to:

  • retain and store data on users, user activity and user communications on Russian territory for one year (previously six months);
  • retain and store the contents of user communications (including text, audio and video communications) on Russian territory for up to six months (as from July 2018); and
  • enable Russian security agencies to decrypt such content.

Failure to comply with the above requirements may result in administrative fines and access to a non-compliant service being blocked in Russia.

Implications For Companies Enabling Online Communications

The extremely broad and ambiguous wording of the proposed amendments makes them potentially relevant for all types of Russian and non-Russian companies that enable their users to exchange textual, audio or video communications via the Internet. Potentially, the proposed amendments may be deemed to apply to various web forms, which may be considered as electronic messages, as well as various corporate email servers, corporate messengers etc.

Based on the previously enacted regulations to the data retention laws now in effect, the proposed law will probably apply to textual, audio or video messages sent to or from Russian residents or delivered to or from devices physically located in Russia.

Prior enforcement practice suggests that instant messengers, social networks and public email services will be affected the most. However, other types of services should also be prepared to take the necessary compliance steps, given that the remedial period may be potentially limited to fifteen calendar days following a decision in an administrative case and a notice on potential blocking of access.

Actions To Consider

Considering that the proposed amendments have already been passed by the Parliament and are very likely to be signed by the President and come into effect on July 20, 2016, we suggest that companies enabling online communications with or for their users closely monitor the status of this draft law and assess the potential impact of this law on their business.

Developing a compliance plan or at least a plan for emergency action would be advisable in order to be prepared should these amendments be enacted in law.

 

Contributors: Edward Bekeschenko, Alexander Monin and Vadim Perevalov