Yarovaya Law and new data storage requirements for online data distributors7 August 2018
On 1 July 2018 new data storage rules took effect for online data distributors (organisers) in Russia. The new rules were approved for application by Government Resolution 728 of 26 June 2018.
The new data storage rules form an integral part of the ongoing reform of the legislation on the national governance of:
- internet sovereignty;
- data privacy; and
The government launched this reform through the enactment of amendments to:
- the Federal Law of 6 July 2016 on the amendment of the Federal Law on Counter-Terrorism (374-FZ);
- the Federal Law of 6 July 2016 on the amendment of the Criminal Code and the Criminal Procedure Code; and
- certain other acts with regard to the implementation of additional measures on counterterrorism and public safety.
This package of laws is called the 'Yarovaya Law' after Irina Yarovaya, a principal author of the laws and the leader of the underlying reform. Yarovaya was a member of the State Duma (the lower chamber of Parliament) and became head of the Parliamentary Committee for Security and Anticorruption in 2011.
General data storage obligations
In brief, the Yarovaya Law's key legal provisions include:
- increased competence of the national authorities with regard to counter-terrorism;
- new rules with regard to weapon exploitation and religious activities;
- new obligations for shipping agents and foreign intelligence services;
- new obligations and related liabilities for online data distributors (eg, messenger and social media providers); and
- new data decoding obligations for online data distributors.
According to the modified Article 10.1(3) of the Federal Law on Information, Information Technologies and Data Protection of 27 July 2006 (149-FZ), which was implemented by the Yarovaya Law, online data distributors must generally store the following data in Russia:
- information on the receipt, transmittal, delivery or processing of voice data, text messages, images, sounds, video or other electronic messages of internet users, as well as information on such users, within one year from the completion of such activities (this provision took effect on 20 July 2016);
- the text messages, voice data, images, sounds, video and other electronic messages of internet users within six months from the completion of their receipt, transfer, delivery or processing (this provision took effect on 1 July 2018).
The general obligations on data storage also include an obligation to provide the national law enforcement authorities, such as the Federal Security Service, with copies of the above information on request (Article 10.1(3.1) of the Federal Law on Information, Information Technologies and Data Protection).
In addition, online data distributors must provide the national security services (on request) with any information necessary for decoding received, transmitted, delivered or processed electronic messages (ie, decoding keys) where additional coding technologies (eg, encryption) are used or provided to the respective internet users (Article 10.1(4.1) of the Federal Law on Information, Information Technologies and Data Protection).
Specific data storage requirements
The resolution sets out specific data storage rules for online data distributors. More specifically, it clarifies the specific obligations, principles, terms and volume of storage for online data distributors with regard to the following e-content of internet users in Russia:
- text messages;
- voice data;
- video; and
- other electronic messages.
The so-called 'obligation to store in Russia' principle extends to all electronic messages based on the following user criteria prescribed in the resolution:
- users that were registered with IP addresses determined by online data distributors to be located in Russia or users that were logged-in under such IP addresses;
- users that referenced their passport or another form of identification issued by the Russian authorities during registration or use of the internet communication service;
- users that accessed the internet service by using a device or software that transmits geographical data (ie, meta data) by indicating the location (or temporary location) of users in Russia;
- users that included a phone number assigned by a Russian telecoms operator in their contact information during registration or use of the internet communciation service; and
- users of whom online data distributors were notified by the law enforcement authorities as being located in Russia.
The resolution states that online data distributors must store electronic messages using their software systems in full and within six months from the completion of their receipt, transmittal, delivery or processing.
Notably, a breach of the above legal provisions may lead to different penalties as established by law. Specifically, under Section 2 of Article 13.31 of the Code of Administrative Offences, the following administrative fines will be imposed on infringing online data distributors:
- up to Rb50,000 for corporate officers; and
- up to Rb1 million for companies.
Both the Yarovaya Law and the new additional data storage requirements have been widely criticised in Russia. Although the abovementioned legal provisions and rules are aimed at fighting terrorism on the Internet and preserving national cybersecurity, their application and implementation will inevitably lead to substantial financial and material investments by messenger and social media platform operators, as well as other online data distributors. Therefore, it will be interesting to see how this legislation will be complied with in practice.