New law requiring Russian internet companies to keep records of client traffic comes into force
A Russian law requiring internet service providers to keep records of their clients’ traffic and hand them over to the state security services on demand came into force on July 1.
The controversial legislation, dubbed by the media the ‘Yarovaya Bill’ after its main sponsor – the former chair of the Lower House committee for security, MP Irina Yarovaya (United Russia) – was signed by President Vladimir Putin in early July 2016. The authors described it as a response to the 2015 bombing of a Russian passenger jet in Egypt and terrorist attacks in Paris.
Yarovaya also said the law was necessary to fight the “global information monopoly of the United States” – a term she used for the situation in which US agencies have unsanctioned and unhindered access to the personal data of any citizen in any country, while limiting the special services of other nations from accessing resources that could be used to search for criminals.
Initially, the new law required communications companies, including internet providers, to keep information about their clients’ data traffic for three years (one year for messengers and social media networks) and to keep the records of phone calls, messages, and transferred files for six months.
However, the new rules and the costs involved in implementing them led to protests from internet businesses, and earlier this year the government agreed to lower the required storage period to 30 days from the original six months. Data providers, however, must then gradually increase the period of time until it reaches six months, by July 2023.
As of the launch date, providers are only required to store client data in “zero volume,” while storage in “full volume” will be required starting October 1.
Businesses, however, continue to complain about the new measures. Soon after the data storage rules were amended, the press service of Russian state corporation Rostelecom said that it would be difficult to execute them because the market was experiencing a lack of certified hardware for data storage.
The bill also requires communications companies to hand over encryption keys to state security agencies on demand, allowing them to read encrypted data. Non-compliance could cost companies between 800,000 and one million rubles ($13,000 – $16,100) in fines.
The new rules only apply to companies that are listed on the special register of “organizers of information distribution on the internet” maintained by the state internet watchdog Roskomnadzor. Today, the register includes many Russian services, including the country’s most popular social media network, Vkontakte, and various services of internet giant Yandex, but not foreign services such as Google or Facebook.
If you like this story, share it with a friend!