Broadly written rules would allow the Russian government greater central control over content and data flows, and greater access to users’ information.
On May 1, 2019, the Russian President signed draft law No. 608767-7, commonly referred to as the Russian Internet Law, or “RuNet Law” (Federal Law No. 90-FZ “On Amending Federal Law ‘On Communications’ and Federal Law ‘On Information, Information Technology and Information Protection’”). The majority of RuNet Law amendments will come into effect on November 1, 2019.
The RuNet Law’s principal provisions include:
- Introducing rules for the centralization and control of data traffic (g., the RuNet Law establishes a centralised Russian Internet data traffic routing system)
- Requiring entities involved in the transfer of data to install additional equipment and comply with new obligations that aim to ensure such centralization
The RuNet Law is one in a series of Russian laws regulating the use of technologies and the Internet. Previous laws include: the Yarovaya laws, the data localization rules, and the laws imposing new obligations on messaging apps and audiovisual services’ owners. However, the RuNet Law is broadly drafted and extends beyond the scope of the other technology-focused laws.
The Parliamentary documents accompanying the RuNet Law clarify that it aims to ensure the stable operation of the Internet in Russia and improve the trustworthiness of Russian Internet resources. The adoption of the National Cyber Strategy of the United States in September 2018 is referred to as one of the reasons for the introduction of the RuNet Law.
Scope of Amendments
The RuNet Law imposes new obligations on several different stakeholders, including:
- Telecom Operators: Telecom providers with a Russian license
- Internet Providers: Owners of autonomous system numbers (these numbers are defined as unique identifiers of the autonomous systems, or AS, which, in turn, are systems of IP-networks and routers which adhere to a common routing policy and to which several IP-addresses can be assigned)
- Internet Arrangers: Persons which qualify as the arrangers of information distribution by means of Internet under Russian law (that are defined at law as those offering or assisting in the offering of communications services via the Internet and that include applications or website which allow users to communicate with each other or publish posts) (the current register of Internet Arrangers includes both Russian and foreign entities, such as messaging service providers, and such foreign entities are not specifically carved out by the RuNet Law)
- Infrastructure Owners: Owners of infrastructure and communications networks in Russia
- Governmental authorities
The RuNet Law further defines the circumstances in which the Russian Federal Service for Supervision of Communications, Information Technology and Mass Media (Roscomnadzor) is entitled to take control over the communication networks and impose rules on routing of data traffic.
The RuNet Law also aims to promote the use of Russia-based databases and technical services and establish the Russian national domain system.
Under the RuNet Law:
- Telecom Operators will be obliged to install Russian-origin equipment for countering certain cyber threats (Counter-Threat Equipment, or CTE); such CTE shall be provided by Roscomnadzor for free. The RuNet Law confirms that Telecom Operators will not be liable for any outages which may be caused by the malfunctioning of this CTE.
- Telecom Operators, Infrastructure Owners and Internet Providers will be required:
- To install certain software and hardware to determine IP addresses
- To notify Roscomnadzor of the opening of Internet exchange points (and all Internet exchange points shall be included into a register maintained by Roscomnadzor)
- If these entities have cross-border circuits, to inform Roscomnadzor about the purpose and use/users of such networks and equipment installed on such networks
- To refuse access to the Internet to those owners of communications networks that do not comply with the RuNet Law
- Telecom Operators, Infrastructure Owners, Internet Providers and Internet Arrangers are required to take part in Roscomnadzor’s practical trainings and to provide the necessary assistance to the Russian investigative authorities.
- Operators of state and municipal information systems in Russia (which include Telecom Operators) are required to ensure that foreign-based databases and technical services (such as cloud services) are not used in such Russian information systems (this provision enters into force on January 1, 2021).
Centralized Control Over Data Traffic
The RuNet Law grants power to the Roscomnadzor to take centralized control over the communication networks in the event that the Roscomnadzor determines that there is a threat to the “stability, integrity, security and functioning of the Internet in Russia” (a Cyber Threat). The criteria for such determination and the scope and rules on interaction between the relevant persons in case of a Cyber Threat are not, however, described in the RuNet Law and are to be set out in a future regulation by the Russian government.
How communications will be routed in the case of such centralized event the Roscomnadzor assumes control over a network in such event is also not addressed in the RuNet Law and will be defined in subsequent regulation from Roscomnadzor.
National Domain System and Blocking/Unblocking of Websites
The RuNet Law aims to establish a national domain system, the rules for which shall be set by Roscomnadzor and will enter into force on May 1, 2021. This would lead to the establishment of a new DNS to control access to network addresses and domain names.
The RuNet Law also sets out rules that make it easier for Roscomnadzor to block access to websites and place more stringent restrictions on unblocking them, which include, among other steps, following a specific procedure before removing a website from the blacklist.
Implications and Concerns
The full implications of the RuNet Law remain to be seen, as some of its provisions are unclear and key rules and procedures remain subject to additional regulation from the Russian government and Roscomnadzor. Also, how (and whether) the RuNet Law would apply to foreign-based technology companies with no Russian subsidiaries or branches and whether the RuNet Law would have extraterritorial application remains unclear at this stage.
Some technology observers view the RuNet Law positively and consider it a step toward independence and diversification. Others are voicing concerns. Users are worried that the RuNet Law will isolate the Russian segment of the Internet and that the new system will allow Roscomnadzor to access almost all data traffic to the detriment of users’ privacy. The market is concerned about changes in traffic speed, administrative burden, and potential costs of compliance with the new obligations. The costs of developing and acquiring new equipment (including CTE) for the government are estimated at half a billion US dollars.
The centralization of data traffic routing would be the principal short-term consequence of the RuNet Law. In the long-run, the RuNet Law aims to achieve the independence of the Russian segment of the Internet (both structurally by ensuring the creation of a new DNS for Russia, and technologically by promoting the use of Russia-origin technology).
The full scope and implications of the RuNet Law are not yet clear. However, the net effect could be to bring Russia closer to a centralized model of the Internet, similar to that currently in force in China.