DPA Digital Digest: Russia

Russia aims to boost its digital economy through a national program that improves digital regulation and infrastructure, including RUB 216.2 billion (approx. USD 2.4 billion) of state investment in 2022. In 2018, Russian digital platforms’ revenues exceeded USD 17 billion (1 per cent of GDP), according to the World Bank. Previous estimates on the GDP share of the digital economy ranged from 2.1 per cent (Boston Consulting Group) to 3.9 per cent (McKinsey). Internationally, Russia recently raised fragmentation concerns in a call for global internet governance through the United Nations’ International Telecommunication Union.

But what do Russia’s domestic digital policies stand for? The fifteenth DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Russia-specific points of emphasis.

• In data governance, Russia revamped its data protection law and data transfer regime, and focused its enforcement action on its data localisation obligation.

• In content moderation, Russia maintains strict control over online content, especially related to its invasion of Ukraine, having both fined and blocked non-compliant providers.

• In competition policy, Russia adopted rules on digital competition and pursued rigorous enforcement against self-preferencing by app store providers and other digital firms.

• Russia’s points of emphasis include local operation requirements, mandatory software installation, 'National Security'-motivated access restrictions and digital assets.

Jump directly to the section that interests you most:

Discover the details of Russia’s regulatory approach on our dedicated country page.

Remain up-to-date on new and upcoming developments with our free notification service. 

Written by Tommaso Giardini and Maria Buza. Edited by Johannes Fritz.

In September 2022, Russia significantly amended its 2007 Law on Personal Data. The Law defines personal data as information relating to an individual that enables identification, e.g. name, date of birth and profession. The Law establishes rules for “data operators” that process personal data, including organisational and technical measures for data security. The Law also outlines data subject rights, e.g. to data access, and sets conditions for the validity of consent. Explicit consent is required for the processing of special categories of data, e.g. political views. Since September 2022, data operators cannot deny services to citizens that refuse to provide personal data and cannot process the biometric data of minors. Operators must report cyber breaches to Roskomnadzor within 24 hours of detection and process complaints within 10 days. In addition, operators must notify their processing to the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor). Since March 2023, operators must notify changes to the scope, purpose, legal basis and methods of data processing to Roskomnadzor within 15 days. Currently, Russia aims to establish an individual consent registry to facilitate withdrawal. In March 2023, a proposal obliging communication network providers to share subscriber data with state agencies was rejected.

Since 2015, operators must store and process Russians’ personal data in Russia and provide Roskomnadzor with documentation, e.g. on the location of data storage facilities. Exceptions are limited to compliance with legal or international requirements, judicial purposes, public services or creative professional activities. Operators face fines of up to RUB 18 million (approx. USD 200’000) for repeated violations. 

Telecommunication providers must locally store information on electronic communications for three years, internet service providers for one year. Since March 2023, both providers must store data on user interactions, including text messages and images. Providers must share data with investigative authorities upon request.

Russia’s data transfer regime, originally enshrined in the Law on Personal Data, was significantly amended in March 2023. Operators must notify all transfers to Roskomnadzor, specifying the categories of data, destination and purpose of the transfer. Russia allows data transfers to foreign states that provide an adequate level of personal data protection, outlined in Roskomnadzor’s adequacy list (currently 89 countries). In the absence of adequacy, transfers must be approved by Roskomnadzor within 10 days. Roskomnadzor can restrict transfers to protect the morality, health, rights and interests of citizens as well as national security.

Roskomnadzor has focused its enforcement primarily on data localisation, following a special procedure which allows it to block non-compliant websites following a court ruling. In 2022, the Tagansky District Court of Moscow issued fines for repeated violations to WhatsApp (RUB 18 million, approx. USD 199’000), Twitter (RUB 17 million, approx. USD 188’000), as well as Facebook and Google (RUB 15 million, approx. USD 166’000). The court also issued minor fines to Apple, Airbnb, Match, Pinterest, Twitch, Likeme, Hotels.com, Ookla, Snap, UPS, Zoom and Spotify. 

Russia has implemented several policies regarding online content on its invasion of Ukraine in February 2022. In March 2022, Russia introduced criminal and administrative liability for spreading information on the Russian armed forces that the government classified as false. Subsequently, new laws expanded the criminal and administrative liability to false information regarding the work of all Russian state bodies operating abroad. In March 2023, another amendment expanded the criminal and administrative liability to false information regarding volunteer formations, individuals and organisations providing assistance to the armed forces.

Russia already imposed strict content moderation requirements before the invasion. In February 2021, the Information Law was amended to regulate social networks that, in Russia, provide or distribute content, display advertising and have more 500’000 daily users. Roskomnadzor maintains a register of covered social networks to which it added Zen, Rutube and Twitch in March 2023. Providers must autonomously detect and prevent the dissemination of illegal content, e.g. terrorist acts or the promotion violence. In addition, providers must implement a complaint mechanism for users and authorities to report illegal content. Non-compliance is punished with fines of up to 20% of annual revenue for repeated violations. Beyond social networks, since December 2022, Roskomnadzor can restrict access to content without notifying the platform or media organisation. Also in December 2022, Russia implemented a law prohibiting online content on non-traditional sexual relations.

Russia also requires user speech rights to be respected in content moderation decisions. The abovementioned amendment to the Information Law requires covered social networks to notify users of content or account restrictions with justification. Users must be enabled to appeal decisions and complain to Roskomnadzor, which can order access restoration. Since January 2021, online platforms, defined as owners of internet-based information resources, cannot moderate “socially significant information”. In addition, Roskomnadzor can restrict access to platforms that violate users’ right to freedom of information, following judicial approval.

Roskomndazor maintains registries to monitor compliance. Advertising data operators must register to comply with the amended Advertising Law, requiring information on the objects, means and costs of advertising. Since 2017, Roskomnadzor lists providers of "audiovisual services" with over 100’000 daily users in Russia, including Netflix, which must incorporate in Russia and stream 20 major Russian state television channels. 

Roskomnadzor rigorously enforces rules on both content moderation and user speech rights. Regarding content on the invasion of Ukraine, Roskomnadzor temporarily restricted access to last.fm and Zello and issued a major fine to YouTube for repeated violations (RUB 21.1 billion, approx. USD 233.1 million) as well as minor fines to Wikimedia, Twitch and Viber. Beyond the Ukraine invasion, in March 2022, Roskomnadzor started restricting access to Instagram due to content calling for violence against Russians. Simultaneously, the Prosecutor General filed a lawsuit designating Meta as a terrorist and extremist organisation, additionally restricting access to Facebook. In February 2022, Roskomnadzor began restricting access to Twitter for content inciting extremist activities and riots. Previously, Roskomnadzor refrained from banning but throttled Twitter due to insufficient content moderation. In August 2022, Roskomnadzor flagged the presence of illegal content in the search results linking to TikTok, Telegram, Zoom, Discord and Pinterest. In 2021, the Tagansky District Court of Moscow fined Google RUB 7.22 billion (approx. USD 79.8 million) and Meta RUB 1.99 billion (approx. USD 21.9 million) for failing to remove unlawful content from YouTube and Facebook, respectively.

Enforcement of user speech rights caused access restrictions on Facebook due to the blocking of Russian media content, including of Sputnik and Russia Today, in March 2022. In November 2022, the Moscow Arbitration Court fined Google RUB 1 billion (approx. USD 11 million) and ordered the restoration of the Duma TV YouTube channel. Throughout 2022, Roskomnadzor demanded Google to restore access to search results to government websites, e.g. the Ministry of Defense and the Ministry of Internal Affairs, and to YouTube TV channels, e.g. Krasnodar. 

In July 2023, Russia adopted amendments to the Federal Law on the Protection of Competition, including unilateral conduct rules for digital platforms. The rules apply to dominant entities that own a digital platform, determined by 1) yearly local revenues exceeding RUB 2 billion (approx. USD 22.1 million), 2) the hosting of over 35% of transactions in their market and 3) a significant impact on related markets through network effects. The amendments prohibit such entities from abusing their dominant position without specifying illegal behaviours. Regarding mergers, the amendments extend the criteria for notification thresholds (beyond parties’ assets and revenues), requiring the Federal Antimonopoly Service to approve any acquisition worth more than RUB 7 billion (approx. USD 77.3 million).

Currently, Russia is deliberating a proposal regarding administrative liability for anti-competitive agreements, namely pricing algorithms, in digital commodity markets. In November 2021, Russia rejected a proposal prohibiting providers of operating systems for devices from restricting the installation of a third-party marketplace or third-party software. The proposal further set a 20% limit on app store providers’ commissions on app purchases. 

Russia’s Federal Antimonopoly Service (FAS) focuses its enforcement on unilateral conduct, especially self-preferencing by app store providers. In June 2023, the Supreme Court upheld the FAS’s RUB 906 million (approx. USD 10 million) fine for Apple’s abuse of a dominant position in the iOS parental control app market, by rejecting third-party applications that meet requirements from the AppStore. In May 2023, the Moscow Arbitration Court rejected Apple's appeal against the FAS’s RUB 1.2 billion (approx. USD 13.3 million) fine for forcing Russian iOS application developers to use Apple’s own payment mechanisms, which charges a commission on in-app payments. In September 2022, the FAS closed a similar investigation into Google due to amendments to third-party payment conditions on Google Play, following a warning. 

The FAS investigates digital firms’ abuse of dominance beyond app stores. In July 2023, the Moscow Arbitration Court confirmed a RUB 4 billion (approx. USD 44.2 million) fine against Google for the non-transparent application of YouTube’s terms of service. Namely, the FAS found that Youtube’s rules regarding account suspension and content blocking were ‘biased’ and that users were not warned or provided justifications for blockings. In May 2022, the FAS closed its investigation into local search service provider Yandex for preferencing its own services in search results. Yandex implemented behavioural remedies, including reporting requirements and a support payment of RUB 1.5 billion (approx. USD 16.5 million) to the Russian Fund for the Development of Information Technologies. In November 2021, the Ninth Arbitration Court of Appeal dismissed a second appeal against the FAS’s RUB 1.3 billion  (approx. USD 14.4 million) fine against Booking.com, for applying unfavourable price parity obligations in contracts with hotels. 

Since January 2022, certain foreign “information providers”, including search engine, hosting and advertising providers, must set up local operations and register with Roskomnadzor. The requirements apply to information providers with over 500'000 daily users in Russia that either provide information in Russian, advertise to or process the information of users in Russia, or receive money from Russian consumers. Since July 2022, stricter penalties of up to 20% of global turnover apply. In June 2023, Roskomnadzor added 12 foreign hosting providers to its list of providers subjected to the requirement.

Since April 2021, technically complex products, personal computers, smartphones and tablets must preinstall Russian software before reaching the consumer market. The applications range from Russian government portals to local news (Mail.Ru News) and software (e.g. Yandex maps, Kaspersky Internet Security). The Ministry of Digital Development, Telecommunications and Mass Media maintains a list of applications designated for mandatory pre-installation which was most recently updated in January 2023. In September 2022, Roskomnadzor demanded Apple to explain the removal of several listed applications from its App Store. 

Since March 2023, Russian organisations, including state authorities as well as companies involved in the national payment system cannot use information exchange systems owned by foreign entities to transfer payment documents and exchange information including personal data. Roskomnadzor simultaneously published a list of banned foreign messengers, including Discord, Microsoft Teams, Telegram, WhatsApp and WeChat.

In October 2022, Russia’s financial supervisor, Rosfinmonitoring, added Meta to the list of  terrorist and extremist organisations, demanding Russian financial institutions to freeze its assets and block domestic financial transactions.

Since March 2022, the order on technological independence and security requires providers of critical information infrastructure, such as telecommunications, energy and banking, to receive approval before acquiring foreign software or hardware. From 2025, the use of foreign software in private and public critical information infrastructure is banned.

Russia is regulating digital assets and currencies under the purview of the Central Bank. Since July 2022, a law prohibits digital financial assets and utilitarian digital rights as a domestic means of payment. This prohibition builds on a 2021 rule requiring entities that partake in the emission, circulation, exchange, and trading of digital financial assets to register with the Central Bank. Individuals can transfer but not use digital currencies as a means of payment. Since November 2022, Russia is deliberating a framework for digital currency mining that would allow domestic mining and establish an experimental regime for domestic and international sales, but ban advertising for digital currencies mined outside of Russia.