Messaging services in Russia: the intricacies of regulation

The regulation of messaging services (messenger apps) in Russia is an example of attempts to have new technologies regulated based on approaches and rules formed long ago and to make online activities follow to a large extent the rules set for the telecommunications industry.

While the regulatory framework for telecoms, media and broadcasting was in most substantive respects already forged by the mid-noughties (including with respect to key issues of licensing terms), all online activities remained largely self-regulating. Despite numerous bills of law attempting to set forth the regulation of the internet over the last 15 years, the all-encompassing legislation is still non-existent. However, the legislative framework for new means of distribution of the information started being formed in 2006, with the implementation of the Federal Law on Information and Information Technologies No 149-FZ, which has since been extensively revised and supplemented and remains the cornerstone of the regulation of most online activities and communications.

The first addition to mention here appeared in 2014 in the form of amendments to the Law on Information No 149-FZ introducing the concept of ‘online data distribution operators’ (understood as any party operating information systems or software designed or used for electronic communications in the internet) and applicable requirements. The overly broad definition has been raising a lot of criticism as potentially applicable to virtually any web resource or platform, but the practical implementation and enforcement focused on social networking sites and e-mail services, as well as messaging services. Each such operator is required by law to store the metadata of all electronic communications (whether audio, video, pictures or any other) and the communicating parties’ details on Russia-based servers for at least six months. All such information has to be provided at request to competent state authorities in the field of investigations or national defence.

The requirement to provide access to certain details of subscribers’ communications stems in its nature from the concepts applicable to telecoms operators. Compliance with a number of measures collectively referred to as SORM (short for the ‘system of means to ensure application of active investigation measures’, in Russian), and designed to allow law enforcement authorities access to communications has been mandatory for all communications networks since the mid-nineties and is one of the licence terms for the holders of telecoms licences. Thus, SMS functions in mobile telephony networks are naturally covered by SORM rules.

Another data localisation requirement not directly targeting but eventually substantially impacting the messaging services came in 2015 as an amendment to the Personal Data Law No 152-FZ. Since then, all parties processing personal data of Russian citizens have been obliged to store and process such data in the territory of Russia. The requirement was introduced as a means of privacy protection, but raised concerns over its potential negative impact on competition and market-fragmentation effect. Importantly, the requirement also became one of the first ones to entail massive application of a penalty in the form of blocking the access to the resource in the entire territory of Russia. Thus, in November 2016 the business networking platform LinkedIn was blocked in Russia for failure to provide the data localisation, and left the market.

The General Data Protection Regulation does not consider Russia a country with adequate protection of personal data.

The access and localisation requirements mentioned above are about to be further expanded, as two federal laws (dubbed by mass media as the ‘Yarovaya Law’ after one of their authors, the State Duma deputy Irina Yarovaya) are to enter into effect in July 2018. The laws impose further obligations on all Russian operators of communication networks (including mobile operators and internet service providers) to record and store actual communications between all users for at least six months, and provide such data to the authorities upon request. Metadata of the communications has to be stored for three years.

The new regulation raises much controversy, above all, due to significant economic burden on market players who are now required not only to provide access to information, but also to store it at their own expense. According to some operators’ estimates, the costs of storing all the required data are comparable to certain national economies’ budgets, and will severely undermine the operators’ further technological development.

Besides, starting from 2018 another amendment to the Law on Information No 149-FZ directly targeting operators of online instant messaging services mandates them to identify all of their users and store such identification data, as well as to provide access to such data to the competent state authorities. As a potential further development, the Ministry for Communications has announced the intention to have online in-game chats covered by the same rules as messenger apps.

The new regulation and changes in the enforcement of rules already in existence (eg the ‘provision of access’ requirement with respect to messenger apps) is opposed by some market players. The popular messenger Telegram, with 200 million users as of February 2018, has consistently denied the requests by the regulator and state security authority to provide encryption keys that would allow the authorities to access the contents of the users’ communications. The requests are based on the described above regime set for online data distribution operators that, among others, includes the obligation of the latter to provide access not only to the stored communications, but also to encryption keys. Telegram’s founder and owner Pavel Durov claims that the end-to-end encryption employed by the platform makes it impossible to provide the authorities with encryption keys (the same concern is shared by other messenger apps, eg Viber). As of the beginning of April Telegram is within an inch of being blocked in Russia.

Apart from the question of whether the regulatory framework is ‘technologically compatible’ with the messenger apps, certain legislative novelties of the last five years raise concerns with regard to their conformity to other Russian laws and Russia’s international commitments, including, among others, adherence to principles of protection of human rights, such as privacy and the right to freely receive and disseminate information. The Telegram messenger has already reported having filed to the European Court of Human Rights on these grounds.

Further, the above mentioned personal data localisation requirement may be viewed as contrary to the obligations to allow cross-border data flow under GATS which Russia accepted in 2011 with accession to the World Trade Organization. Even more importantly, the data storing requirements of the Yarovaya Law open doors to Russian communications operators falling in breach of the new European Union General Data Protection Regulation coming in effect in May 2018. The GDPR does not consider Russia a country with adequate protection of personal data and does not allow processing of EU citizens’ data outside of the EU and without the consent of the data subject.