On 1 July 2021,[1] Federal Law No. 236-FZ on the Internet Activities of Foreign Entities in the Russian Federation (the “Law”)[2] came into force, requiring establishment of local presence, such as a branch, a representative office, or a subsidiary, for foreign Internet companies whose activities are focused on Russian users.  The Law supplements the personal data localisation requirements under the Personal Data Law,[3] in effect since 1 September 2015.  Those earlier localisation obligations have run into enforcement challenges, and the Law is intended to facilitate interaction between foreign Internet companies and Russian authorities and users and, in turn, improve compliance.

Applicability.  The Law defines “foreign Internet companies” as companies that own a website, information system, or software (“information resource”) which is accessed daily by more than 500,000 users residing in Russia.  The Law applies if one of the following conditions is met:

  • the information resource contains or disseminates information in Russian or languages of Russia’s constituent republics or nationalities;
  • the information resource contains advertisements targeting Russian users;
  • the foreign Internet company processes data relating to Russian users; or
  • the foreign Internet company receives payments from Russian individuals or legal entities.

Federal Service for Oversight of Communications, Information Technologies and Mass Media (“Roskomnadzor”) determines which foreign Internet companies are subject to the Law and will make their list available on its website.[4]  A foreign Internet company can be removed from Roskomnadzor’s list (1) pursuant to its application, if its information resource has been accessed by fewer than 500,000 Russian users daily for 3 months; or (2) on Roskomnadzor’s initiative, if the information resource has been accessed by fewer than 500,000 Russian users daily for 6 months.

Legal Requirements.  A foreign Internet company subject to the Law must:

  • place an electronic contact form for Russian users on its information resource;[5]
  • register a user account on Roskomnadzor’s website and use it to communicate with Russian authorities;
  • beginning on 1 January 2022, establish and maintain local presence in Russia through a branch, a representative office, or a Russian legal entity.

That local establishment must accept and consider inquiries from Russian users, represent the foreign Internet company in courts, comply with court judgments and decisions of authorities issued in respect of the foreign Internet company, and limit or remove access from Russia to information that is contrary to Russian law.

Enforcement. If a foreign Internet company fails to comply with the Law or other Russian law requirements, Roskomnadzor may:

  • take measures that the Russian users of the information resource are informed that the company is in breach of Russian law;
  • prohibit advertising of and by the company in Russia;
  • restrict money transfers by and payments to the company via Russian lending institutions and mobile and postal service operators;
  • restrict search results relating to the information resource of the foreign Internet company on search engines focused on Russian users;
  • prohibit collection and cross-border transfer of personal data of Russian citizens; or
  • partially or fully limit access from Russia to the information resource of the foreign Internet company.

These enforcement measures can be taken for the breach for the Law or other Russian legal requirements by foreign Internet companies.  Specific measures to be implemented would depend on the severity of the breach, with the more severe measures limited to circumstances where the company does not initially comply with Roskomnadzor’s rulings.  In particular, failure to localise Russian personal data, as required by the Personal Data Law, can give rise to the most severe measures described above, in addition to the measures already envisioned for the breach of the Personal Data Law.

* * *

We would be happy to answer any questions you may have.

To subscribe to the Data Blog, please click here.

 

[1]       Certain provisions will enter into force on 1 January and 1 September 2022.

[2]       The Law’s electronic docket can be accessed by following this link: https://sozd.duma.gov.ru/bill/1176731-7.

[3]       The obligation to ensure that the recording, systematisation, accumulation, storage, specification (updating, amendment), and extraction of personal data of Russian nationals are performed through databases located in the Russian Federation as required by Article 18(5) of Federal Law No. 152-FZ on the Personal Data dated 27 July 2006.

[4]       Roskomnadzor Order on the Procedure for the Placement of the List became effective on 2 August 2021, however, the list is not available on Roskomnadzor’s website.

[5]     The requirements for such form will be established by Roskomnadzor.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Avi Gesser is a Debevoise cybersecurity and litigation partner. He is a member of the Debevoise Data Strategy & Security Group, as well as the White Collar & Regulatory Defense Group. Avi has extensive experience advising on a wide range of cybersecurity matters, incident response issues, data strategy concerns and artificial intelligence risks. He can be reached at agesser@debevoise.com.

Author

Jane Shvets is a Debevoise partner in the firm’s White Collar & Regulatory Defense Group, focusing on white collar defense and internal investigations, in particular regarding compliance with corrupt practices legislation, as well as compliance assessments. Ms. Shvets also advises multinational clients on data protection and cybersecurity matters as well as a wide range of sanctions issues. She can be reached at jshvets@debevoise.com.

Author

Anna Maximenko is an international counsel in Debevoise's Moscow office and a member of the Corporate Department and the FinTech Practice Group. She leads the Russian Regulatory Practice. Her practice focuses on antitrust, data protection, contentious and non-contentious employment, including benefits and compensation, regulatory and compliance matters and FinTech. Ms. Maximenko also advises on M&A and general corporate matters in heavily regulated industries such as financial services healthcare and pharmaceuticals. In the FinTech space, she advises on regulatory matters, project structuring and choice of jurisdiction. She can be reached at avmaximenko@debevoise.com.

Author

Nikolay Kiselev is an associate in Debevoise's Moscow office and a member of the firm’s Corporate Department and Finance Group. He can be reached at nskiselev@debevoise.com.

Author

Elena Klutchareva is an associate in Debevoise's Moscow office and a member of the Corporate Department and Blockchain Practice. Her practice focuses on mergers & acquisitions, general corporate advice and employment, antitrust and regulatory issues, including healthcare and blockchain. Within the blockchain practice, Ms. Klutchareva advises on regulatory matters, project structuring and choice of jurisdiction. She can be reached at emklutchareva@debevoise.com.