Russian Cyber Law
Federal Law No. 152-FZ on Personal Data
Federal Law No. 152-FZ of 27 July 2006 on Personal Data serves as the foundational data protection statute in the Russian Federation. The Law defines personal data as any information relating directly or indirectly to a specific or identifiable individual (Article 3(1)), establishes principles for data processing including lawfulness, fairness, purpose limitation, data minimisation, and accuracy, and grants data subjects rights of access, rectification, erasure, and restriction of processing. The Law requires data controllers to notify Roskomnadzor, the Federal Service for Supervision of Communications, Information Technology and Mass Media, before commencing personal data processing operations (Article 22), with exceptions for processing relating to employment, civil contracts, religious and public organisations, and certain other categories. The Law establishes the Legal Registers of Personal Data and imposes obligations on operators to ensure the confidentiality of personal data and to implement technical and organisational measures to protect it from unauthorised or accidental access, destruction, modification, blocking, copying, and dissemination. Violations of 152-FZ carry administrative penalties under the Code of Administrative Offences, including fines for legal entities of up to 75,000 roubles for processing in violation of the Law, increased to up to 500,000 roubles for failure to comply with the data subject access obligations. Criminal liability under Article 137 of the Criminal Code applies for unlawful collection or dissemination of personal data without consent.
Federal Law No. 242-FZ on Data Localisation
Federal Law No. 242-FZ of 21 July 2014, which amended 152-FZ, introduced mandatory data localisation requirements for personal data processors operating in Russia. The Law requires that when collecting personal data of Russian citizens, operators must ensure that processing of such data is carried out using databases physically located in the Russian Federation (Article 18(5) of 152-FZ as amended). The term processing for this purpose has been interpreted to encompass all operations or sets of operations performed on personal data, including collection, recording, systematisation, accumulation, storage, clarification (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalisation, blocking, deletion, and destruction. Roskomnadzor is empowered to conduct inspections to verify compliance with the data localisation requirement and to maintain a Register of Personal Data Operators. Enforcement has been active: Roskomnadzor has brought administrative proceedings against major technology companies, including Twitter, Facebook (Meta Platforms), LinkedIn, and Telegram, for alleged violations of the data localisation requirement. LinkedIn was blocked in Russia in 2016 following a court order based on data localisation non-compliance in Roskomnadzor v LinkedIn Corporation (Moscow City Court, Case No. 3a-1876/2016). The data localisation requirement has been criticised by international business organisations and foreign governments as a barrier to trade and as inconsistent with the free flow of data across borders.
The Sovereign Internet Law
Federal Law No. 90-FZ of 1 May 2019 on Ensuring the Stable Operation of the Russian Internet, commonly referred to as the Sovereign Internet Law, establishes a comprehensive legal framework for the centralised management and potential isolation of the Russian segment of the internet. The Law requires telecommunications operators to install Technical Means of Counteracting Threats (TSPU) — deep packet inspection equipment — on their networks to enable centralised traffic filtering, blocking of prohibited content, and, in the event of threats to the stable operation of the internet in Russia, centralised traffic management and rerouting through state-controlled infrastructure. The Law establishes the Domain Name System filtering requirements, requiring internet service providers to use a national DNS system controlled by Roskomnadzor rather than foreign DNS resolvers. The legislation also requires the establishment of a national traffic exchange infrastructure through state-controlled exchange points, creating the technical capacity for the Russian internet segment to function independently of the global internet in the event of what the Law describes as threats to its stable operation. The Law empowers Roskomnadzor to exercise centralised control over routing and traffic management and imposes liability on telecommunications operators for non-compliance with its technical and administrative requirements, including administrative fines of up to 700,000 roubles for failure to install TSPU equipment. The Sovereign Internet Law entered into force on 1 November 2019, with the centralised traffic management provisions becoming operational following a series of testing exercises conducted between 2019 and 2024.
The Yarovaya Law Package
Federal Law No. 374-FZ and No. 375-FZ of 6 July 2016, collectively known as the Yarovaya Law package (named after the legislation’s sponsor, Irina Yarovaya), introduced extensive counterterrorism-related amendments to the Federal Law on Communications, the Federal Law on Information, Information Technologies and Information Protection, the Code of Administrative Offences, and the Criminal Code. The communications provisions require telecommunications operators to store the content of voice calls, text messages, and data transmissions for up to six months and metadata for up to three years, and to make this information available to the Federal Security Service (FSB) upon request. The information provisions require organisers of information dissemination — a broad category encompassing social media platforms, messaging services, and any online service enabling communication between users — to store users’ text, audio, video, and other communications on servers located in Russia for up to six months and to provide the FSB with decryption keys to encrypted communications where necessary for counterterrorism investigations. The Yarovaya Law amendments to the Criminal Code introduced criminal liability for the failure to decrypt user communications by organisers of information dissemination and for participation in groups designated as terrorist organisations. The implementation of the Yarovaya Law’s data storage and decryption requirements has been repeatedly deferred due to technical and economic challenges, with the most recent deferral extending the compliance deadline to 2026.
FSB Encryption Requirements and Restrictions
The Federal Security Service exercises significant authority over encryption in Russia pursuant to Federal Law No. 63-FZ of 6 April 2011 on Electronic Signatures, the Federal Law on Communications, and related regulatory acts. The FSB operates the national certification system for cryptographic means — systems for ensuring the confidentiality of information through encryption — and requires the use of FSB-approved cryptographic algorithms in any government information systems and in certain private sector contexts. The FSB’s authority to demand decryption keys from organisers of information dissemination under the Yarovaya Law amendments has been the subject of legal challenges and international human rights scrutiny, with critics arguing that the provisions effectively require the installation of backdoors into encrypted communications services. The FSB has also issued regulations requiring internet service providers and telecommunications operators to implement technical means for interception of communications pursuant to the Operational-Investigative Activities Law (Federal Law No. 144-FZ of 12 August 1995). Messaging services that have refused to comply with the FSB’s key disclosure requirements, including Telegram, have been subject to administrative blocking orders, though the actual blocking has been technically inconsistent.
The Code of Administrative Offences and Criminal Code
Russian law establishes extensive administrative and criminal liability for cyber-related offences. The Code of Administrative Offences addresses violations of data protection legislation, telecommunications regulation, and information technology requirements, with fines for legal entities ranging from tens of thousands to millions of roubles depending on the nature and repetition of the violation. The Criminal Code addresses computer-related crimes in Chapter 28 (Articles 272–274), inserted by Federal Law No. 63-FZ of 13 June 1996 and subsequently amended. Article 272 criminalises unauthorised access to legally protected computer information resulting in destruction, blocking, modification, or copying of information — with penalties of up to seven years’ imprisonment where the offence is committed by an organised group or causes serious damage. Article 273 criminalises the creation, use, and distribution of malicious software programmes, with penalties of up to seven years’ imprisonment and fines of up to two million roubles. Article 274 criminalises violations of the rules for the operation of information storage, processing, or transmission systems where such violations result in damage. Article 274.1, added in 2017, specifically criminalises cyber attacks against critical information infrastructure of the Russian Federation, with penalties of up to ten years’ imprisonment. The Criminal Code also addresses the use of information and communication networks for extremist activities (Article 280), public calls for terrorism (Article 205.2), and the dissemination of prohibited information.