On paper, Russia’s new laws on data storage seem to make business impossible for big internet companies like Google, Facebook, Twitter, and a wider range of online businesses.
Following their summer break, Duma Deputies are back at work, busy drafting new laws concerning Russia’s internet (often called the RuNet). Federal Law 242-FЗ ‘On the introduction of amendments into separate legal acts of the Russian Federation defining the order of personal data processing in the information and telecommunication networks’ (Federal Law 152-FЗ), which restricts to the territory of the Russian Federation, the collection, retention, processing, and storage of Russian citizens’ personal data by internet operators, has been signed off. Similarly, Federal Law 97-FЗ, (known as the ‘law on bloggers’) requires that ‘operators of information dissemination’ store user data for at least six months and provide law enforcement agencies with information on user metadata. This law in particular presents quite a challenge for internet giants like Google, Facebook, and Twitter.
Key Russian players like Yandex, VKontakte, Mail.ru, and services like Wamba and HabraHabr.ru have already been listed on the communication watchdog Roskomnadzor’s ‘registry of operators of information dissemination.’ Foreign companies have been notified that they could have to be registered as soon as a request is filed by law enforcement agencies. Last month, the State Duma rushed an amendment through the first and second readings, speeding up the transition period from the initial deadline of 1 September 2016 to 1 January 2015. This spread panic among local and foreign businesses alike as the timeline was next to impossible to comply with. On 9 October, however, it was unexpectedly announced that the 3rd reading would be put on hold indefinitely.
Hitting the kill switch
At the same time, rumours about an internet ‘kill switch’ have added to the general picture of a ‘tightening of the screws’ on the internet in Russia. Reportedly, the first ever cyber drill this summer has revealed vulnerabilities in Russian internet (RuNet) security infrastructure preparedness against potential external aggression. The conclusion was made that Russia needs to create a self-contained system duplicating root DNS architecture; to keep the RuNet running in case of emergency – either external (which is no longer regarded as purely hypothetical after the sanctions that followed the Ukrainian conflict) or internal in the event of civil unrest and/or extremist actions. President Putin reassured the public at a special Security Council meeting that no ‘internet switch off’ or state take-over is on the cards. He did, however, maintain that the Russian internet needs to be protected against potential threats, and that the fight against extremism online (through filtering and blocking) would continue. On 28 October, the Minister of Communications confirmed that a defence plan for the RuNet is now ready, but it is not clear yet who will implement it.
The transition would be effected with the oversight of the Internet Corporation for Assigned Names and Numbers (ICANN), which ironically is now devising a plan to pass over the control of the IANA (The Internet Assigned Numbers Authority) functions running the internet backbone systems from the US NTIA (The National Telecommunications and Information Administration) to a wider range of internet governance stakeholders – a move seen by some in the West as a potential surrender of the internet to China, Russia, and other states.
But reading all of the above as purely political pressure or a clampdown on free speech would be to oversimplify things.
But reading all of the above as purely political pressure or a clampdown on free speech would be to oversimplify things. These are only the most recent pieces of a puzzle the authorities started putting together long ago, dating back to the original Doctrine of Information Security (2000). Consecutive documents on state and information security have identified the Information and Communication Technology (ICT) industry as a potential tool for outside actors to interference in a state’s domestic affairs. Russia’s current stand-off with the West merely provides an opportune moment for a long-term strategy. While Edward Snowden’s revelations gave a pretext for demanding the storage of Russian citizens’ data in Russia to shield it from foreign intelligence services, creating a national internet backup enjoys genuine support among the Russian public, in the present geopolitical context. Thanks to the distributed structure of the internet core architecture, however, which is devised in such a way precisely to ensure its stability and continuity, there is no ‘red button,’ and it is not that easy to ‘switch off’ the Russian segment of the Internet quickly, without affecting its neighbours.
Creating a national internet backup enjoys genuine support among the Russian public.
Given the above circumstances, it is worth considering the unwanted economic effects of the usual tactics and strategy of lawmakers, especially when the Russian economy is being hit by sanctions, a weak rouble, and low oil prices.
Trial and error
According to the RosComSvoboda activist group, 32 bills restricting the online space, have been submitted to the State Duma since June 2012; 8 have been passed, 6 rejected, and 18 are yet to be considered. There is no official report on the efficacy of the laws that have been adopted. According to some sources, the share capital losses suffered by the publicly listed Russian internet companies Yandex and Mail.ru (43% and 41% respectively since the start of the year) are partially caused by the scaling up of the RuNet regulation. And user identification flaws in Qiwi, one of the leading Russian electronic payment systems, revealed by Goldman Sachs, led to a 10% fall in its share price last week; and might be a risk to its business in the long run if problems continue with data processing compliance required by the new anti-terrorist legislation passed in July 2014.
The law-making and implementation process in the field of ICT regulation (and not exclusively) in Russia tends to follow the same scheme: a legislative idea leaks or a draft law gets circulated in the media, creating a bit of a panic due to its dubious implications or unclear feasibility or both. As has been pointed out many times by non-state stakeholders, such as the Russian Association for Electronic Communications (RAEC), industry and civil society experts are often invited to ‘tick the boxes’ with very few amendments and suggestions actually included in the final draft. The draft law gets a speedy reading in the Duma, and is signed off in a fairly general form. The law is then ‘customised’ in amendments, with actual implementation worked out through trial and error in court, and through private negotiations with the affected market players. Micromanagement thus makes up a very important part of the process forcing companies to establish links with the relevant officials so as to get a better idea of what to expect; and to work out what exactly they need to do to stay in business. Finally, laws are very often not intended for all the subjects they end up affecting; and broad definitions allow for infinite interpretations (e.g. the notion that ‘personal data’ includes any information related directly or indirectly to an individual’) and targeted regulation.
Broad definitions allow for infinite interpretations.
Data storage localisation
The best illustration of this, is the above-mentioned law on data storage localisation. Its most obvious immediate targets are foreign internet companies, such as Google, Facebook, and Twitter, whose Russian users’ data at the moment can only be accessed via formal applications to the legal departments in the companies. And this seems to be a procedure the Russian authorities would rather avoid, preferring to have everything of potential interest stored on Russian territory, and accessible under much more strictly defined legislation.
The amendment bringing forward the deadline by almost two years was passed in two readings; and left no doubt about the third. While the law itself leaves a lot of questions (for example, the segregation of data on social networks and identifying the citizenship of the data owner), the new deadline was clearly too short for foreign internet companies to adjust their business operations and infrastructure.
However, given the lack of official statements from the internet companies themselves, a more articulate reaction came from other affected industries, which seem to have made a more powerful case against the amendment. These are such important domestic services as online airline booking systems (reservation terminals processing personal data like Sabre or Amadeus, used by Aeroflot and Transaero are based outside Russia); hotel booking systems (and there have been already calls to create national systems equivalent to the likes of booking.com); online shops and international banking services, which most probably would not have been able to review annual budgets, and adjust their operations by the given deadline.
Some experts admit that in the long-term, putting Russians’ data under Russian jurisdiction is understandable and justifiable, and ways will be found to align business operations with the law. But in the short-term it causes unnecessary panic among both businesses and the general public about a possible impending cut off from vital services. The law has been largely dismissed as impossible to comply with in the current form by various industry communities, which are also cherishing cautious hopes that the regulator will be persuaded to back off, and give more time and room for manoeuvre.
In effect, this must have already happened because on 7 October, Minister of Communications Nikiforov admitted that Russians’ personal data could still be partially stored abroad, e.g. data on such internet services as Twitter and Facebook ‘could be qualified as “non-sensitive” for users.’ Although the sensitivity of social networks’ data is exactly the subject of many compliance problems these companies have already faced in Europe and the US, the news gave some hope to the industry. And on 9 October, the 3rd reading of the amendment was put off indefinitely, but the old deadline of 1 September 2016 still holds.
The ultimate aim
While the application of the data storage localisation law will probably be ‘manual,’ and non-compliance with it formally entails a fine, and the obligation to block the internet service by the hosting entity, it is not likely at this point that this is the ultimate goal in itself, even if applied to the ‘usual suspects’ of the internet industry; and this despite the widespread belief that the Kremlin dreams of wiping out any foreign platform managing Russians’ communication and information sources. As Mikhail Emelyannikov, an expert on data protection law, and managing partner at the Emelyannikov, Popova & Partners consulting firm, commented at a recent conference on the amended data protection legislation in Russia, that the most probable scenario with the internet giants will be similar to the negotiated settlement brokered with Visa and MasterCard earlier this year. Playing with the date of the regulation coming into force testifies to that.
Blocking is rather a lever, which potentially could be put to use as and when needed. It can be used as a targeted tool to ‘sanitise’ the public sphere from what is perceived or portrayed as extremist, terrorist, any other illegal activity. The ultimate aim is rather a total grip on the data of Russian internet users; and as soon as these are localised on the Russian territory, they are available for any law enforcement agency (keeping in mind the requirement of a minimum six-month storage of metadata by service providers) through a number of instruments ranging from Roscomnadzor queries to SORM interception.
The ongoing conflict with the West over Ukraine provides the perfect context to justify such ends.
The rationale for such a close control has been analysed at length: the authorities’ desire to look in on Russians’ communications, coupled with the perceived threat of cyber-attacks against Russia, might seem paranoid to some, but the ongoing conflict with the West over Ukraine provides the perfect context to justify such ends. The sovereignty narrative, including the digital one, is more popular than ever, both with the leadership and the overwhelming majority of the public. At this point, a manageable system of unhampered access to a vast users’ data on foreign platforms, but without filing official requests to their HQs, looks more useful, both politically and economically, than the ‘Chinese’ option of creating a hermetic digital ecosystem. And the authorities fear that banning access to popular internet resources might also tip the balance of public opinion – a risk they have no desire to take.
E-commerce
Yet another way to look at this is to admit that the Russian authorities actually want some foreign companies to be better rooted in Russia, especially given the current outflow of foreign capital from the country. Investment in data centres, and for some, formal representation, is an important and long-term commitment; and a tough decision to make. At the end of the day, what matters is if it is worthwhile going against the ‘globalistic’ grain; give in to the internet balkanisation trends; learn to keep up the tug-of-war relationship with the regulators – and save one’s business. For Google, with a fully operational office in Russia, and one of its top investment areas, this might seem like a re-run of their ill-fated foray into China. Facebook and Twitter might have less to lose, with a still modest penetration of the Russian social media market compared to home-grown players like VKontakte and Odnoklassniki, but, for those with the stomach for risk, there is still much money to be made.
At the Consultative Council on Foreign Investments (CCFI) held on 20 October, businessmen and investors reportedly asked Prime Minister Dmitry Medvedev to review the recent regulations on personal data, including the deadline of its implementation. They pointed out that any use of databases or ICT systems, based on now widespread cloud computing by various companies, will at the moment violate the law in its present form; and will pose a risk of closure to a lot of otherwise law-abiding businesses.
Russia’s e-commerce market totaled 520 billion roubles (over $12 billion) in 2013 with 28% annual growth.
Russia’s digital economy is highly reliant on ICT systems, and this is largely seen as one of the sources of buoyant future growth. According to the research firm Data Insight, Russia’s e-commerce market totalled 520 billion roubles (over $12 billion) in 2013 with 28% annual growth. This included 150 billion roubles worth of online shopping (including foreign online shops), and 60 billion worth of hotel online booking; and 100 billion roubles worth of corporate purchases. A slowdown is expected in 2014 due to the general deterioration of the economic environment, and the expensive dollar but Russia is still Europe’s top market for internet users (around 70m users, and over 30m online shoppers) while 70% of new online shoppers live outside Moscow. A joint study by the RAEC and the Higher School of Economics, estimates that even with the worst-case scenario, growth in the RuNet economy will still grow at the rate of 6-10% to 2018. The stakes are high both for the domestic market to preserve any sources of potential growth, and for foreign businesses to tap into the e-commerce growth potential. The suggested data storage regulation clearly puts this growth at risk.
However, making foreign players stay, and play by the negotiated rules, also means a boost for the domestic data storage business. For instance, state telecommunications giant Rostelecom, which currently runs seven inter-regional and a few smaller data centres, is already planning more acquisitions in the near future to accommodate the needs of the businesses needing to comply with the new data storage and processing regulations. Two mobile carriers, MTS and Vimpelcom also rent out some of their local data storage facilities, which will probably be increased to meet the growing demand. The issue here is that many of the components, data centres use, are imported from outside Russia, which may be a problem due to the sanctions imposed against high-tech cooperation with Russia. The few foreign players in this industry, like Anglo-Russian IXcelerate, might benefit from this complex situation.
A hybrid approach
What we are likely to see is a hybrid approach, with more legislation – both ‘framework’ acts and amendments – plus some later fine-tuning, as well as more haggling over deadlines and exemptions. A calculation about the economic losses compared with the expected benefits will also moderate this process. Certainly, doing business in Russia will become more of a commitment for foreign companies, no matter that they choose to ignore the naysayers, and adjust to the growing number of regulations. In this difficult legislative context, complicated by Western sanctions and the new strategy of import substitution, it is going to be more challenging than ever for Russian companies to keep up with global business, or for the foreign players to stay in the Russian market.