Database

The Minsvyazi (Russian Ministry of Communications) drafted an order which forces telecom and internet providers to install equipment allowing data collection and retention on their servers for a minimum of 12 hours. This provides the Russian Federal Security Service (FSB) with direct access to a wider range of data - which include users’ phone numbers, account details on popular domestic and overseas online resources (like Gmail, Yandex, Mail.ru etc), IP addresses and location data - without a court order, for the purposes of national anti-terrorist investigations.

Data processors are required to notify both the subject and Roskomnadzor in case of a data breach.

The data operator must take necessary and sufficient protective measures to comply with the data protection legislation, including appointing a data protection officer.

The data operator must take necessary and sufficient protective measures to comply with the data protection legislation, including:
- performing internal control and/or audit to ensure data processing compliance with the data protection legislation and the data operator's policy/documents/local rules;
- evaluating the damages that may be caused to data subjects in the event of a breach of data protection legislation;
- disclosing the relevant provisions of the data protection legislation and data protection requirements that define the policy/documents/local rules of the data operator to the employees.

Russia passed a law on the right to be forgotten, which appears to set a regime which is more stringent than the European one. The main differences with the ECJ ruling on the right to be forgotten are that people that wish to have their name deleted will not have to provide a specific hyperlink, but they will only need to say which information they woud like to be deleted. Furthermore, contrary to the ECJ decision, public figures also can have their personal information deleted.

The Russian Labor Code stipulates that employers must have the written permission of employees to share their data with third parties.

Russian news aggregators are required to store the news disseminated, information about the news source, as well as information about the terms of its dissemination for six months, and to provide access to such information to the Roskomnadzor.

Federal Law No 374-FZ, signed in July 2016, requires local storage of information confirming the fact of receipt, transmission, delivery and/or processing of voice data, text messages, pictures, sounds, video or other communications (i.e., metadata reflecting these communications). The storage period is of three years (with respect to telecom providers) or one year (with respect to ISPs and message exchange services). In addition, local storage for a period of six months is required for the content of communications, including voice data, text messages, pictures, sounds, video or other communications. While the first requirement entered into force in July 2016, the second requirement came into force starting from July 2018.

The Russian Government has given instructions to require public Wi-Fi user identification. The government decrees require that:
- ISPs should identify Internet users, by means of identity documents (such as passport);
- ISPs should identify terminal equipment by determining the unique hardware identifier of the data network;
- all legal entities in Russia are required to provide ISPs monthly with the list of the individuals that connected to the Internet using their network.

The data should be stored locally for a period of at least six months.

Later in 2015, the authorities have proposed the following levels of fines for non-compliance:
- 5,000-50,000 rubles (approx. 60-140 USD) for individual entrepreneurs; and
- 100,000-200,000 rubles (approx. 1,400-2,600 USD) for legal entities.
The fines would be higher for repeating offenders.

The Minsvyazi (Russian Ministry of Communications) drafted an order which forces telecom and internet providers to install equipment allowing data collection and retention on their servers for a minimum of 12 hours. This provides the Russian Federal Security Service (FSB) with direct access to a wider range of data - which include users’ phone numbers, account details on popular domestic and overseas online resources (like Gmail, Yandex, Mail.ru etc), IP addresses and location data - without a court order, for the purposes of national anti-terrorist investigations.

According to the Federal Law no. 152-FZ “On Personal Data” (OPD-Law) the transfer of data outside Russia does not require additional consent from the data subject only if the jurisdiction that the personal data is transferred to ensures adequate protection of personal data. Those jurisditctions are the parties to the Convention 108 and other countries approved by the Russian Federal Service for Supervision in the sphere of Telecom, Information Technologies and Mass Communications (Roskomnadzor). Roskomnadzor's official list of countries includes Australia, Argentina, Canada, Israel, Mexico and New Zealand.

Federal Law No 374-FZ, signed in July 2016, requires local storage of information confirming the fact of receipt, transmission, delivery and/or processing of voice data, text messages, pictures, sounds, video or other communications (i.e., metadata reflecting these communications). The storage period is of three years (with respect to telecom providers) or one year (with respect to ISPs and message exchange services). In addition, local storage for a period of six months is required for the content of communications, including voice data, text messages, pictures, sounds, video or other communications. While the first requirement entered into force in July 2016, the second requirement came into force starting from July 2018.

The Russian Government has given instructions to require public Wi-Fi user identification. The government decrees require that:
- ISPs should identify Internet users, by means of identity documents (such as passport);
- ISPs should identify terminal equipment by determining the unique hardware identifier of the data network;
- all legal entities in Russia are required to provide ISPs monthly with the list of the individuals that connected to the Internet using their network.

The data should be stored locally for a period of at least six months.

Later in 2015, the authorities have proposed the following levels of fines for non-compliance:
- 5,000-50,000 rubles (approx. 60-140 USD) for individual entrepreneurs; and
- 100,000-200,000 rubles (approx. 1,400-2,600 USD) for legal entities.
The fines would be higher for repeating offenders.

The “Blogger’s law” was repealed in in July 2017 by the Federal Law No. 276-FZ. It required "organizers of information distribution in the Internet" (it is not clear which operators fall under this definition) to store on Russian territory information on facts of receiving, transfer, delivery and/or processing of voice information, texts, images, sounds and other electronic messages and information about users during six months from the end of these actions.

Blogs with more than 3,000 readers were required to register as "organizers of information distribution" and were therefore subject to this requirement. Platforms that did not comply with these requirements upon a second notice faced a fine of 500,000 rubles and could be blocked in Russia by Roscomnadzor. Russian services such as VKontakte, Yandex and Mail.Ru registered their activities.

The amendments to the National Payment System Law require international payment cards to be processed locally. The law requires international payment systems to transfer their processing capabilities with respect to Russian domestic operations to the local state-owned operator (National Payment Card System) by 31 March 2015.

The amendments are reported to be a response to the international political sanctions which prohibited certain international payment systems (e.g., Visa and MasterCard) from servicing payments on cards issued by sanctioned Russian banks.