Data Privacy, Putin Style

Unless you’ve been buried deep in the Siberian permafrost for the last year, you know that the Russian president is often accused of saying one thing while pursuing a very different agenda. And so it goes with recent data privacy legislation.

Two new, highly controversial laws will have far-reaching effects. Critics claim that the laws, enacted under the guise of protecting the privacy of citizens, shielding children from indecency, etc., are instead a way to gain more control over foreign companies and to strengthen censorship and repression.

The laws address Data Locality and Online Content. Links at the bottom will take you to additional material, but here we can take a look at some ramifications of the legislation.

Effective September 1, 2016, all personal data collected on Russian citizens must be stored and processed on hardware located in Russia. Sites found to be in violation of the law will be blocked, effectively shutting them down.

The government agency that oversees administration of the new law is Roskomnadzor, which supervises all things Telecom, Information Technology, and Mass Communications. Roskomnadzor will keep a Register of Infringers of Rights of Personal Data Subject. Roskomnadzor has the authority to tell the internet service provider that hosts an Infringing site to cut off access to it.

Every international service used by Russians will be required to have a physical presence (servers or data centers) in Russia. This would profoundly affect multi-national companies operating online, global technology, search engines, and social media platforms. Even for the likes of Twitter and Facebook, it would be a massive, time-consuming and costly undertaking to build data centers…if they were so inclined.

Other new laws have put email addresses and messages into the personal data category. So email providers too will need physical servers in Russia. They will also be required to give the location of the servers to Roskomnadzor.

Multi-national companies that currently process Russian data outside of Russia would have to separate Russian data from the rest and keep it on Russia-based servers. Cloud computing would be another obvious victim, affecting both the companies that use it and those that offer it.

Now consider airlines, travel booking sites and other companies that handle personal information from people around the world. The Russian dude booking his Aeroflot flight online is accessing the same software system as is used by just about every airline in the world. His data has leaped across the border and is splashing around in the same pool as everyone else’s. Not compliant.

The same system is used to book flights between cities inside Russia. That means the Russian dude won’t be able to book a flight between Moscow and Saint Petersburg either.

Although the law was originally set to come into force September 1, 2016, some Russian legislators are pushing to move it up to a few months from now – January 1, 2015.

The Online Content law imposes new restrictions and obligations on entities that “facilitate the exchange of information” on the internet, such as email services, forums, social media sites and blogs. These entities are now required to register with Roskomnadzor.

They are also required to store all user data for 6 months, and hand it over to authorities upon request. This could include user contacts and their relationships, all known email addresses, specific pages visited etc.

Bloggers are subject to special control in addition to the above. Blogs with 3,000 plus viewers per day are reclassified as a Media Outlet, with added restrictions. Media Outlets are required to publish only “accurate information”, and they cannot use hate speech or obscene language. Bloggers will have to fact check all content, and delete false information promptly. There will be no anonymity, and bloggers have to fully identify themselves.

Violators are subject to fines as well as site blocking. Recently notices were sent out to the initial group of bloggers, telling them they needed to register. Among the first group were outspoken critics of the Kremlin.

It is certain that enforcement of these laws as currently written would be a logistical nightmare for companies wanting to be compliant. The cost to build the required data farms and store data for 6 months is astronomical. And if companies DID opt to follow all rules, it’s unlikely that it could be accomplished by the deadline.

More likely is that Russians would lose access to many services that originate elsewhere; monitoring and censorship would increase; and the economy would suffer dramatically.

Links for further reading: