Russian Federation

[RU] Amendments to IT law

IRIS 2017-8:1/34

Andrei Richter

Comenius University (Bratislava)

On 29 July 2017 President Vladimir Putin signed into law two sets of amendments to the Federal Statute on information, information technologies and protection of information (the IT Law - see IRIS 2014-3/40 and IRIS 2014-6/31).

Federal Statute N 276-FZ, which enters into force on 1 November 2017, grants significant powers to Roskomnadzor, the governmental supervisory authority on media, communications and personal data traffic (see IRIS 2012-8/36), to pursue persons/entities on Russian territory that utilise or provide access to information systems and resources, such as virtual private networks (VPN) (see IRIS Extra 2015-1). These amendments add a new provision (Article 15.8) to the IT law which does not restrict the use of VPNs and similar technology per se, but rather aims to establish legal grounds for Russian authorities blocking VPNs that are used as access points to websites and resources that are otherwise restricted or prohibited. To this end, Roskomnadzor is tasked with setting up a “federal state database of telecommunication network information resources that are restricted” in Russia. Once the database is operational, Roskomnadzor will have the authority to reach out to and demand compliance from hosts of sites in respect of whose resources Roskomnadzor identifies such evasive technology. The restrictions will not apply to Russian governmental actors or to those owners or operators of VPNs who grant access to their virtual networks only to specific groups of users, provided that those VPNs are being used as technological support for their owner’s/operator’s business. Those provisions introduced in 2014 that specified certain requirements in respect of bloggers whose websites were visited by more than 3,000 users daily (see IRIS 2014-6/31) are also annulled, with immediate effect.

Federal Statute N 241-FZ, which enters into force on 1 January 2018, introduces several new provisions to Article 10.1 of the IT Law (IRIS-Extra 2015, section 3.3.2). Those provisions ascribe additional responsibilities to the hosting and service providers of electronic message exchanges.

Those responsibilities include the obligations: 1) to identify and verify the identity of messenger service users, 2) upon the demand of Roskomnadzor to block (within twenty-four hours) users’ ability to exchange information that is forbidden by Russian law, 3) enable users to stop receiving messages from other users, 4) guarantee the confidentiality of correspondence through messenger service, 5) enable the possibility for public authorities to disseminate messages on their own initiative and in accordance with the law, 6) stop the service when so determined by the Government.

Russian providers shall store identifying information of users on Russian territory and shall not provide it to third parties, unless permitted to do so by law.