Copyright © Media Law International 2018. All Rights Reserved.
Specialist Guide to the
Global Leaders in Media Law Practice
The New Strategy’s Priorities Include:
Among other tendencies, the Strategy indicates control over information dissemination and protection of rights and interests of citizens and the state as critical issues. These ideas have already been reflected in Russian laws.
Below is a summary of the most important developments in the area of information laws for 2017.
Increased Control Over Digital Services
Several important amendments, aimed at regulating digital services, have been made to the Russian Federal Law On Information, Information Technologies and Protection of Information dated 27 July, 2006 No. 149-FZ in 2017. In particular, the following digital services are already targets:
Russian law provides for a specific procedure to block websites (e.g. where personal data processing does not meet the requirements of Russian law, etc.).
The most well-known case is LinkedIn, which has been unavailable for Russian users since November 2016 on account of failure to comply with certain Russian data protection requirements. Blocking, however, could be easily bypassed with the use of tools called “anonymisers”. The amendments were introduced to address this problem.
In particular, anonymisers’ owners and providers are prohibited from providing any technical opportunities to access the blocked information. In the case of non-compliance, anonymisers will be blocked and therefore unavailable in Russia.
Since 01 January 2018, new regulations primarily targeting such services as WhatsApp, Viber, Skype, Facebook messenger and Telegram Messenger came into force.
The main result of the newly-adopted regulations is that ‘messengers’ are officially recognised as moderators of dissemination of information and, for this reason, are already obliged to retain information on facts of users’ electronic communications (for one year), to ensure users’ identification, and to provide access to the retained data to the Russian state authorities upon legitimate requests.
Moreover, from 01 July 2018, they will also have to retain content of such communications for a period of six months (based on well-known “Yarovaya Law’’ of July 2016).
Audiovisual Services / Video-on-Demand Services
New rules came into force on 01 July 2017 and apply to the internet services designed for distribution of audiovisual works through the internet that meet certain additional criteria. They, however, do not apply to search engines, registered online mass media and services where the content is generated by users.
The amendments have introduced a number of restrictions of foreign capital in the above video services and imposed a number of obligations on their owners (e.g., to publish their contact details for receipt of legal correspondence, to count number of users in Russia and to attribute the content with age rating etc.)
Critical Infrastructure: What is the Law?
The Federal Law On Security of Critical Infrastructure of the Russian Federation No. 187-FZ of 26 July 2017 provided for additional regulations. In particular, the Russian government has already adopted the Decree No. 127 On Approval of Rules on Categorising the Objects of Critical Information Infrastructure and the List of Criteria of Significance of the Objects of Critical Information Infrastructure on 08 February 2018.
The key purpose sought by the Russian legislator while adopting the law was to ensure that private and publicly-owned facilities having social, economic, political, ecological and public security importance and operated in specific industries (healthcare, science, transport, communications, defence, energy, banking and finance, fuel, etc.) are effectively protected from cyberattacks. For this reason, owners of such facilities will be subject to certain security standards and obligations to ensure lawful interception capabilities.
Separate Consent for Each Purpose
In cases where data processing requires written consent, such consent to the processing of personal data must contain the purpose of such processing. It is common practice to include all relevant purposes of processing in one consent form.
In 2017, Roskomnadzor clarified that each written consent shall be specified as much as possible and be dedicated only to one purpose of personal data processing. DPA has already commenced the practice of fining data controllers for having only one written, multi-purpose consent. Russian courts supported the position of Roskomnadzor.
As the fine for non-compliance with the requirements for written consent has been raised approximately seven times in 2017, it is expected that Roskomnadzor will actively check compliance of data controllers’ consent forms with the “1 consent per purpose” requirement. In this regard, data controllers are recommended to improve their consent forms.
More Protection for Copyright and Related Rights on the Internet
Specific forms of protection are provided for certain online infringements of IP rights. According to the amendments made to the Information Law, the owners of copyright and related rights objects have gained a new mechanism for enforcing the rights on the internet, which includes inter alia blocking websites with illegal content.
Since October 2017 the enforcement procedure was extended to so-called mirror websites, i.e. websites confusingly similar to websites that are subject to blacklisting under court decision due to illegal and repeated placement of information violating copyright and related rights (piracy website).
Should the mirror website be revealed, a right holder or state authorities will be entitled to initiate blocking proceedings against such website by filing a request to the competent authority with no need to apply to
Administrative Fines for Data Breaches Have Been Raised
Before 01 July 2017, the Russian Code of the Administrative Offences of 30 December, 2001 implied that the maximum fine imposed on legal entities for any violation of personal data laws and regulations could only be RUR 10 000. Since this date, the so-called “per breach approach” has been introduced and maximum limits of imposed fines have been raised.
At the moment, administrative fines are imposed based on the seven types of violations, and the maximum fine of RUR 75 000 may be imposed on a legal entity processing personal data without a data subject’s written consent, where such consent is however required in accordance with the law (e.g. in the case of cross-border transfer to “inadequate” jurisdiction, processing of sensitive and biometric data etc.). The fines are imposed in accordance with the per breach approach.
Media Law in Rusia: Legal Digest
Alrud Law Firm
In May 2017 the Russian President adopted the Development Strategy of Information Society in the Russian Federation for the period 2017-2030 (Decree of the President of the Russian Federation No. 203 of 9 May, 2017). The presidential decree describes current status of the information society in Russia and traces key goals for elaborating information legislation.
Maria Ostashenko is a Partner at ALRUD Law Firm, heading Commercial, Intellectual Property and Data Protection and Cybersecurity practice areas. Leading team of Commercial practice Maria advises ALRUD clients on managing credit risks of parties, on forms of legal presence and models of conducting business in Russia, supports launching start-ups and implementation of complex projects related to international contracts. In the Intellectual property area Maria renders legal support for formalizing IP rights, use, management and protection of brands and intangible assets, conducting marketing campaigns and advertising. She possesses extensive experience of resolving disputes regarding intellectual property, including alternative dispute resolution. Maria represents international clients in the matters involving data protection regulation in Russia, advises on obligations of operators related to data processing, including cross-border data transfers, structuring data flow between the members of international groups.