As Russia’s internet law imposes new obligations on technology and infrastructure companies, the Russian government considers subordinate legislation.

By Tim Wybitul, Ulrich Wuermeling, and Ksenia Koroleva

On November 1, 2019, the majority of provisions of Russia’s internet law (RuNet Law) entered into force. Its principal purpose is to ensure the independent operation, safety, and security of the Russian segment of the internet. However, the overall effect of the RuNet Law is expected to be similar to China’s Great Firewall, a system of legal and technical measures employed by the Chinese government to monitor and restrict the use of the internet.

The RuNet Law aims to allow the Russian authorities to control data traffic and restrict access to the global internet from Russia in case of certain threats (to be determined by the Russian authorities). While some subordinate acts have been adopted, the full implementation of the RuNet Law is not possible in the absence of certain subordinate legislation. The Russian government is considering further subordinate legislation whose contents are key for the full implementation of the RuNet Law.

Obligations

The RuNet Law imposes certain obligations on technology and infrastructure companies, in particular those through whose resources data traffic flows. The obligations apply to Russian telecom operators, owners, and holders of certain infrastructure and networks (such as cross-border technological communications networks, internet exchange points, and communication lines), and other entities or individuals having autonomous system numbers (ASN) (collectively, the Obligors). (See RuNet Law: New Russian Law Could Significantly Impact Telecom and Internet Providers and Social Media Platforms.)

Under the RuNet Law:

  • Telecom operators are obliged to install certain hardware, software, and Russian-origin equipment for countering cyber-threats (counter-threat equipment, or CTE Equipment); such equipment is to be provided by Roscomnadzor, the principal authority empowered to implement the RuNet Law.
  • Telecom operators, certain infrastructure owners, and internet providers are required to notify Roscomnadzor of existing internet exchange points (such points shall be included in a specific register, and any points which are not included shall not be used by the Obligors) and report to Roscomnadzor about the use and users of cross-border circuits.
  • Telecom operators, certain infrastructure owners, internet providers, and internet arrangers must take part in trainings arranged by Roscomnadzor and cooperate with Russian law enforcement authorities.

Although the key provisions of the RuNet Law have already entered into force and some subordinate acts have been adopted (such as the traffic routing rules), the full implementation of the RuNet Law is still unclear and, to some extent, not possible in the absence of key subordinate legislation.

In particular, the Russian government has yet to set out in a decree the definition of a “threat,” the occurrence of which allows the authorities to restrict data traffic from abroad. The Russian government has published several drafts of such a decree (the latest one is dated November 7, 2019). Pursuant to the latest draft, the notion of a threat includes:

  • Threats of cyber-attacks on certain infrastructure (such as telecom or transport)
  • Threats of outages
  • Threats of access to data prohibited for access from Russia (such as access to any resources which are blacklisted by Roscomnadzor)

The determination of threats is subject to wide discretion and shall be further detailed by Roscomnadzor, which shall maintain the register of such threats. A new monitoring center established under the auspices of Roscomnadzor would control and monitor data traffic and be allowed to impose and lift the restrictions on data traffic. Furthermore, Roscomnadzor is still testing CTE Equipment, which it will eventually provide to Russian telecom operators.

Implications

Fully assessing the practical implications of the RuNet Law is difficult. Whilst the legal obligations of Russian telecom operators are clear (given that they qualify as Obligors and the RuNet Law regulates their rights and obligations in detail), the obligations of other players which may potentially be considered as Obligors are less clear. In particular, how and to what extent the RuNet Law could apply to non-Russian entities (including those which do not have a presence in Russia, or have operating companies with limited functions) is uncertain. Although applying the RuNet Law to foreign entities would be counterintuitive, the definition of “Obligor” is broad and does not explicitly exclude foreign entities. How the authorities would implement the relevant provisions in practice is unclear.

At this stage, firms should consider if they have entities, equipment, or networks in Russia which could subject them to the RuNet Law regime and contact IT specialists and legal counsel to determine whether they may be considered Obligors.

Latham & Watkins will continue to monitor and report on developments surrounding the RuNet Law.