Privacy and cybersecurity in Russia
Getting The Deal Through (GTDT), UK online research platform for law professionals, turned to Noerr Moscow for advice regarding Data Privacy, a rather topical issue nowadays in view of the recent changes in Russian and European law. Vyacheslav Khayryuzov, Head of the Data Privacy practice in Russia, answered the journalists' questions.
GTDT: What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?
Vyacheslav Khayryuzov: The topic of cybersecurity is becoming more and more important in Russian discussions. The first issue that comes to mind is the alleged Russian hacking of the US presidential elections. The US media reported that the US administration contemplated an unprecedented cyber covert action against Russia in retaliation for alleged Russian interference in the American presidential election. According to the media at least, the CIA has been asked to deliver options to the White House for a cyber operation designed to harass and ‘embarrass’ the Kremlin leadership.
Other infamous cybersecurity issues were the WannaCry and Petrwrap/Petya ransomware attacks. Major Russian and Western companies working in Russia were paralysed by the attacks for several days.
All these security issues have supported calls for Russia’s internet infrastructure to be protected. As a consequence, on 26 July 2017, Russia adopted Federal Law No. 187-FZ ‘On the Security of Critical Information Infrastructure of the Russian Federation’. The law sets out the basic principles for ensuring the security of critical information infrastructure, the related powers of the Russian state bodies, as well as the rights, obligations and responsibilities of persons owning facilities with critical information infrastructure, communications providers and information systems providing interaction with these facilities.
The elements of the critical information infrastructure are understood to be information systems, telecommunication networks of state authorities as well as such systems and networks for the management of technological processes that are used in the state defence, healthcare, transport, communication, finance, energy, fuel, nuclear, aerospace, mining, metalworking and chemical industries. All these industries are considered critical for the economy and should be protected against any cyberthreats. The law requires the implementation of protection measures, assigning the category of protection (in accordance with the by-laws) and then registering with the Federal Service for Technical and Export Control, which will be in charge of the supervision in this field. Businesses currently have many questions for the authorities about this law, which is very broadly drafted. The most pertinent is whether the law applies to the relevant business or not, since even internal LAN networks under its general rules may be considered critical information infrastructure. However, the authorities say that this is an incorrect interpretation. The lack of enforcement practice also does not help clarify the situation.
Another legislative initiative in Russia was the banning of virtual private network (VPN) services that do not cooperate with the government, for instance, in relation to copyright, data protection or other law infringements. With effect from 1 November 2017, Russia enacted the new bill on this subject. The main targets of the bill are obviously notorious anonymisers such as Tor. However, the ordinary business can also be affected. One of the main questions yet to be clarified is whether VPNs used by businesses would also be restricted in their use. The bill contains an exemption that can be interpreted as being that if an entity uses a VPN tool, the entity needs to define the users of the tool (eg, which employees can use the tool – such as in an internal IT policy) and use it only for the purposes of its business. If this understanding is correct, then this exemption may be useful for the business community. The law has so far never been enforced in practice by the authorities and, therefore, the questions still remain.
There are also other various initiatives related to regulation of big data and even the creation of the Infocommunication Code, which would codify the relevant aspects of information law including cybersecurity issues that are currently sporadically regulated by different laws.
GTDT: When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?
VK: This is an interesting topic, since Russian data breach notification rules here differ from European rules, for instance, and sometimes it is difficult to see the logic of these rules. It is generally accepted in Russia that Russian data protection law was greatly inspired by European laws. This is obvious from a high-level reading of the Russian law on personal data. However, it appears that the concept of data breach notification was simply misunderstood by Russian lawmakers. As a result, there is no data breach notification requirement under Russian law, at least as it is understood in some other jurisdictions. As part of the Russian data protection law, there is a requirement to notify individuals and the data protection authority on the resolved breach if a breach was found by an individual or the data protection authority and they requested that it be resolved. Data operators must notify individuals whose data was breached or the data protection authority (if the request to resolve the breach comes from it). This means that the authority or the individual needs to know that there was a breach. And what happens if they do not know? Practically speaking, this means that companies can relax and do nothing – at least in this respect, as other Russian rules on data protection are fairly burdensome – unless they are requested by the authority or by an individual to notify them of the resolved breach.
GTDT: What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?
VK: The biggest issues are not fines or other regulatory consequences, as some might assume. Dealing with the Russian data protection authority in the event of a data security incident may be cumbersome and result in fines (which are fairly small – up to approximately US$1,000), but not more than that. Obviously, the biggest threat is a potential damage to reputation. In May, the WannaCry attack infected thousands of computers worldwide, and some law firms started to share their expertise in cybersecurity compliance, offering solutions for affected companies. After the mentioned attack of Petya on a major US law firm it may well be that clients in future will think twice before asking it for cybersecurity advice. The damage to the firm’s reputation is obviously considerable and yet be quantified. On the other hand, it is obvious that in the modern world it is practically impossible to stay 100 per cent protected from any cybersecurity threats. Even companies that consider cybersecurity of utmost importance are still vulnerable to cybersecurity attacks merely because they use information technology in their daily business.
GTDT: What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?
VK: As a rule, Russian companies need to ensure that their systems in Russia are compliant with the technical requirements of the Federal Security Service of Russia (FSB) and the Federal Service for Technical and Export Control of Russia (FSTEC). Normally, it is advisable that the formation of a Russian IT environment and related IT compliance procedures be implemented with the assistance of a Russian company specialising in IT security and with an FSTEC licence to perform works related to data security (protection of confidential information). An IT security company can also assist with preparing a set of internal documentation: internal documents on technical issues of personal data protection, description of the IT security infrastructure and the measures to be taken by the company to prevent data breaches (eg, threat models, technical assignments). They could also advise on which hardware and software needs to be installed to ensure data security. Obviously, at this stage of development of IT technology it is highly advisable not to rely on one’s own IT resources, but rather call in an outsourced provider of IT security services and let professionals build the company’s data security ‘walls’.
GTDT: Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud-hosting environment?
VK: The main concern is the infamous data localisation. Owing to the recent data localisation law, the collection of personal data from Russians and further direct storage in a cloud located abroad is no longer permitted.
The law created a new procedure restricting access to websites violating Russian laws on personal data and imposed a requirement to store the personal data of Russian citizens on servers located in Russia (this obviously gives a huge boost to the development of the Russian data centre industry).
The personal data of Russian citizens must be stored and processed using databases located in Russia. The requirement can be complied with by placing the website database with the personal data of Russians in a Russia-based data centre or server. This Russian database must be primary, and the foreign cloud has to be the ‘secondary’ database (ie, only a partial or full (mirroring) copy of the primary Russian database). This essentially means that the initial hosting must be located in Russia. For some time the data localisation requirements were barely enforced. However, in 2016, a major case involving LinkedIn attracted a great deal of public attention. A Russian district court upheld a claim by the Russian data protection authority (Roscomnadzor) seeking restriction of access to LinkedIn in Russian territory. The court found LinkedIn was storing and processing the personal data of Russian citizens on servers located outside Russia. On this basis, the court declared LinkedIn to be in violation of the personal data laws and ordered Roscomnadzor to take steps to restrict access to LinkedIn. Currently, LinkedIn remains blocked in Russia.
One other topic for concerns are the amendments to the Russian Information Law, which finally came into force on 1 July 2018. The amendments directly affect Russia’s telecom and internet industries. In particular, mobile operators need to store recordings of all phone calls and the content of all text messages for a period of six months, entailing huge costs, while internet companies (eg, messengers) need to store the recordings of all phone calls and the content of all text messages for six months and the related metadata for one year. In addition, the amendments require any such communications to be provided to Russian police and intelligence at their request and the installation of special systems used for investigation purposes or to ‘reconcile the use of software and hardware with the authorities’ as well as to provide the security authorities with decryption keys if the messages are encrypted.
The amendments have already resulted in occasional blockings (such as BlackBerry Messenger); however, owing to the limited popularity of such messengers, the enforcement cases did not attract much attention. Everything then changed with a case regarding one of the most popular messengers in Russia – Telegram.
Telegram has frequently commented in the press that it is unable to provide decryption keys because of the nature of end-to-end encryption technology, while the FSB believed this is technically possible. Telegram refused to provide the FSB with any decryption keys and, therefore, on 13 April 2018, the Taganskyi District Court of Moscow upheld Roscomnadzor’s request to block access to Telegram. On 16 April 2018, Roscomnadzor reached out to telecoms operators, requesting that they commence blocking the messenger. All Russian telecoms operators are obliged to block access to the relevant resources.
Telegram’s lawyers appealed this decision without success. As of April 2018, Roscomnadzor has been trying to block Telegram using its IP address, which seems to be an ineffectual strategy. Telegram decided to disobey the court decision and defy Roscomnadzor (luckily, it has no actual presence in Russia) and started jumping from one IP address to another. At one time, Roscomnadzor was blocking millions of IP addresses, which caused interruptions to many internet services (including those hosted on the Amazon and Google networks) and caused negative critics of Roscomnadzor by other authorities, the internet ombudsman and businesses. The case is ongoing and Telegram is still available despite Roscomnadzor’s actions.
GTDT: How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?
VK: The Russian government is very keen to combat cybercrime and is even imposing various rules in the laws aimed at increasing the cybersecurity of businesses. For instance, all companies dealing with personal data must apply certain technical and organisational measures aimed at protecting data and also use software certified by Russian authorities.
Any computer fraud, unauthorised data accesses or creation of malicious software may result in criminal liability. However, the number of real cases of hackers being convicted is fairly low. The reason for this is unclear and certainly gives rise to speculation.
Russia refused to ratify the Council of Europe’s Convention on Cybercrime and, based on the discussions within the Russian government, it appears that the convention will not be ratified by Russia. The Russian government’s officials claimed that they do not agree with the convention’s provisions providing for the sanctioned access of one member state to computer data stored on the territory of another member state without the prior consent of the latter. The officials justify this on grounds of national security.
State officials have said that Russia’s approach to combating cybercrime consists of ‘the prompt and adequate cooperation of law enforcement authorities of different countries, as well as of the non-admission of investigations on a foreign territory without the notification of the law enforcement authorities of the state concerned’. Moreover, the authorities believe that Russia is considering promoting an approach that provides for the development of a global convention on combating crimes in the information sphere instead of the Budapest Convention, which only applies regionally and will not be fully effective. Following a proposal put forward by Russia, in May 2010 the UN Commission on Crime Prevention and Criminal Justice established an intergovernmental expert group to draft proposals to improve the international legal framework in this sphere.
GTDT: When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?
VK: Apart from standard confidentiality and privacy precautions such as encrypted data rooms and non-disclosure agreements, companies entering into M&A deals in Russia should consider personal data transfer issues before starting the due diligence process. As mentioned, owing to the recent data localisation law, the collection of personal data of Russian citizens and further direct storage in a cloud located abroad is no longer permitted. Therefore, a potential foreign purchaser should double check whether personal data (for instance, of the employees of the target company) is stored in a Russian primary database and whether the relevant consent given by such employees to the seller allows for the transfer of their data to the purchaser. Violation of these rules may result in fairly negative consequences for the purchaser, since in certain circumstances Russian data protection authorities can even block access to the purchaser’s website as a part of their enforcement actions.