Yarovaya Law and new telecoms data storage requirements8 August 2018
On 1 July 2018 new data storage rules took effect for telecoms operators in Russia. The new rules were approved for application by Government Resolution 445 of 12 April 2018.
The new data storage rules form an integral part of the ongoing reform of the legislation on the national governance of:
- internet sovereignty;
- data privacy; and
The government launched this reform through the enactment of amendments to:
- the Federal Law of 6 July 2016 on the amendment of the Federal Law on Counter-Terrorism (374-FZ);
- the Federal Law of 6 July 2016 on the amendment of the Criminal Code and the Criminal Procedure Code; and
- certain other acts with regard to the implementation of additional measures on counterterrorism and public safety.
This package of laws is called the 'Yarovaya Law' after Irina Yarovaya, a principal author of the laws and the leader of the underlying reform. Yarovaya was a member of the State Duma (the lower chamber of Parliament) and became head of the Parliamentary Committee for Security and Anticorruption in 2011.
General data storage obligations
In brief, the Yarovaya Law's key legal provisions include:
- increased competence of the national authorities with regard to counter-terrorism;
- new rules with regard to weapon exploitation and religious activities;
- new obligations for shipping agents and foreign intelligence services;
- new data storage obligations for telecoms operators; and
- new data decoding obligations for telecoms operators.
According to the modified Article 64(1) of the Federal Law on Communications of 7 July 2003 (126-FZ), which was implemented by the Yarovaya Law, telecoms operators must store the following data in Russia:
- information on the receipt, transmittal, delivery or processing of voice data, text messages, images, sounds, video or other messages of communication service users within three years from the completion of such activities (this provision took effect on 20 July 2016);
- the text messages, voice data, images, sounds, video and other messages of communication service users within six months from the completion of their receipt, transfer, delivery or processing (this provision took effect on 1 July 2018).
Further, the general obligations on data storage include an obligation to provide the national law enforcement authorities, such as the Federal Security Service (FSS), with:
- information regarding communication service users,
- information regarding the communication services which have been provided to such users; and
- other necessary information (Article 64(1.1) of the Federal Law on Communications).
Specific data storage requirements
The resolution sets out specific data storage rules for telecoms operators. More specifically, it clarifies the specific obligations, principles, terms and volume of storage for telecoms operators with regard to the following e-content relating to communication service users in Russia:
- text messages;
- voice data;
- video; and
- other messages.
The resolution outlines the following basic principles and specific obligations for telecoms operators:
- Telecoms operators must store messages using their own software and facilities.
- Telecoms operators may use, for the purpose of data storage, third-party software and facilities with the respective FSS division's authorisation.
- Telecoms operators must secure their software and facilities against unapproved access in accordance with the requirements set out by the Ministry of Communications and Mass Media (special requirements regarding the applied software and facilities are set out by the Ministry of Communications and Mass Media under the FSS's authorisation); and
- The removal (deletion) of messages from the applied software and facilities must be done automatically using special software algorithms and in accordance with the relevant requirements, by taking into account the maximum storage term for messages (ie, six months from the date of their receipt, transmittal, delivery or processing).
Both the Yarovaya Law and the new additional data storage requirements have been widely criticised in Russia. Although the abovementioned legal provisions and rules are aimed at fighting eterrorism and preserving national cybersecurity, their application and implementation will inevitably lead to substantial financial and material investments by telecoms operators. Therefore, it will be interesting to see how this legislation will be complied with in practice.