The legislation adopted last year in Russia to strengthen state control over digital communications is not fully compatible with the new EU regulation in the field of personal data protection, believe Russian experts interviewed by the business daily Vedomosti and East-West Digital News.
Such a contradiction, if confirmed, would expose Russian mobile operators to considerable fines, and complicate significantly their cooperation with EU operators while data exchange flows between Russia and Europe would be put in question.
EU citizens’ consent required
Authored by conservative lawmaker Irina Yarovaya and nicknamed by Edward Snowden “Big Brother law,” the Russian “anti-terrorist” legislation passed last summer will affect directly Russia’s telecom and Internet industries. In particular, mobile operators will need to store the recordings of all phone calls and the content of all text messages for a period of six months, entailing huge costs.
Meanwhile, Internet companies (including instant messengers) will need to store the recordings of all phone calls for a period of six months and the content of all text messages for a period of one year, notes Vyacheslav Khayryuzov, Counsel at the Noerr international law firm (1).
Thus a Russian company will violate the EU regulations by storing the EU citizens’ data without their consent, without a court order or in other specific cases, since Russian law does not restrict the storage of foreign citizens’ data.
The contradiction is obvious, believes Karen Kazaryan, an analyst from the RAEC industry association, since all the EU citizens currently residing in Russia use local telecom services. In addition, Russian citizens targeted by Russian secret service or law enforcement agencies may exchange messages or have a phone conversation with EU nationals, exposing them, too, to their surveillance.
The EU regulation does allow to store user data to ensure national security and public order, but only in a selective way and under certain conditions. By contrast, the Yarovaya amendments require all users’ data to be stored, notes Irina Levova, a researcher at the Moscow-based Internet Research Institute.
FIFA World Cup under surveillance
How strictly the new Russian legal requirements will apply to foreign nationals’ data will remain unknown until the first cases arise.
Russian telecom operators have less than one year to prepare for two non-harmonized legislations of two different jurisdictions. The new EU regulation is set to apply from May 25, 2018, while Yarovaya’s amendments will take effect on July 1, 2018. The existing law on information, which was amended by Yarovaya (1), has been in force since 2006.
The matter will be especially sensitive in the summer of 2018, when Russia will host the 2018 FIFA World Cup, with considerable numbers of EU citizens expected to visit Russia from June 14 to July 15.
The Yarovaya amendments might lead to excluding Russia from the list of countries which the EU considers having an appropriate level of personal data protection. In such case, Russian companies would no longer be allowed to process data of the EU users. However, it is yet unclear how such restrictions can be imposed in practice, wonders Khayryuzov.
Such exclusion would also significantly complicate cooperations between local and EU telecom operators, as well as the whole mechanism of information exchange between Russia and the EU.
The Russian Ministry of Foreign Affairs does not seem not to have noted these risks yet, the legal experts say.
(1) Yarovaya’s amendments strengthen earlier amendments to a 2006 law “On Information, Information Technologies and Protection of Information” (No. 149-FZ), which were adopted in May 2014 and are currently in force. These 2014 amendments introduced the definition of “organizer of dissemination of information” on the Internet. Such “organizers” (individuals or legal entities) operate information systems and/or computer software intended and/or used to receive, transmit, deliver and/or process electronic messages via the Internet. These are any mobile messengers like WhatsApp, Viber, WeChat, Telegram or similar.
“Organizers” must register in a special register run by Roskomnadzor, the telecom regulator, and store in Russia messaging metadata during one year. They are also required to cooperate with Russian law enforcement bodies and provide such data at their request (see detailed analysis by EWDN). These provisions are being actively enforced by Roskomnadzor, which has blocked access to several instant messengers, including Blackberry Messenger, IMO and Vchat. Recently Roskomnadzor also blocked WeChat until they formally registered, and threatened to block Telegram, which however ultimately took the decision to comply with the registration requirement.
