Russia adopts law forcing foreign IT companies to “land” in the country

Foreign online businesses with a Russian audience will need to have a physical presence in Russia. They have less than six months to make the required arrangements. Before that date, other new requirements will also apply, which could impact Russian businesses interacting with these foreign online companies.

On 1 July 2021, Federal Law No. 236-FZ* “On the Activities of Foreign Entities in the Information and Telecommunications Network “Internet” in the Russian Federation” (the “Law”) came into force (with some provisions to come into force later).

The Law follows the general trend towards localisation of online businesses and taking measures against large foreign IT companies for non-compliance with requirements to remove prohibited information and to localise the data of Russian users.

The Law affects, in particular, foreign social networks, messengers, audio-visual and gaming services, search engines, aggregators, online shops and creates a wide range of leverage for the Russian authorities on the companies concerned.

Criteria for the application of the Law

The Law applies to two groups of foreign companies:

• owners of information resources with an audience of 500,000 or more Russian users per day when any of the following criteria are met:
  • information on the internet resource is presented in Russian or the state language of the republics or peoples of Russia;
  • the resource disseminates advertising aimed at Russian consumers;
  • a foreign entity processes information about Russian users; or
  • a foreign entity receives funds from Russian individuals or companies;
• foreign entities that are intermediaries in the following categories:
  • hosting providers that provide hosting of internet resources visited by Russian users, among others;
  • administrators of internet resources designed to host advertising aimed at Russian users;
  • administrators of internet resources that provide exchange of messages between users, including users from Russia.

Roskomnadzor will determine which companies fall within the second group based on a special methodology to be subsequently approved.

A general list of foreign companies subject to the requirements of the Law will be published on Roskomnadzor’s website* (the “List”).

Requirements

Foreign companies falling under the established criteria must:

• post an online feedback form on the website for Russian users that meets the requirements of Roskomnadzor;
• register a personal account on Roskomnadzor’s website and use it to communicate with Russian state bodies;
• open a branch, representative office or an independent legal entity in Russia, which will represent the interests of the foreign party before Russian courts and other authorities, consider applications from Russian users, enforce decisions of Russian courts and state bodies, including those regarding the removal of information; and
• install one of the programmes for determining the number of users recommended by Roskomnadzor on the internet resource.

The requirements for the online form, the list of recommended audience counters and the list of state bodies with which a foreign person will be obliged to interact via its personal account, will be subsequently approved in regulations.

The Law also specifies that the list of requirements and restrictions relating to foreign IT companies is not exhaustive, and their activities are also regulated by other federal laws and regulations of the Russian Federation (particularly in the field of personal data processing and advertising).

Sanctions

In the case of non-compliance, one or more of the following measures may be imposed on a foreign person:

• informing the users of the resource that the foreign entity has violated Russian law;
• banning the distribution of advertising of a foreign entity or resource, as well as banning the distribution of advertising on such a resource;
• restricting money transfers by Russian individuals and companies to a foreign entity;
• banning search results;
• banning the collection and cross-border transfer of personal data of Russian users;
• partially restricting or blocking access to the resource.

Roskomnadzor will apply these measures depending on the nature of the violation. Information on the sanctions imposed will be recorded in the List.

Timeline

The Law came into force on 1 July 2021, except for the following provisions:

• The requirement to open a branch, representative office or Russian subsidiary of will enter into force on 1 January 2022.
• Sanctions for failing to submit information on advertisements to Roskomnadzor will apply from 1 September 2022.

Conclusions and recommendations

The Law has been adopted in the context of measures aimed at strengthening Russia’s digital sovereignty, protecting information security on the internet and tightening control over the activities of foreign companies, including limiting access to sensitive sectors and areas of Russian business (e.g. the media and telecommunications sector).

Even though when drafting the Law its authors focused primarily on the largest IT companies, the established criteria are extremely broad. This means that many more foreign companies owning internet resources could potentially fall within the scope of the Law.

At the moment, it is difficult to predict how these measures will be implemented in practice and which companies Roskomnadzor will add to the List. Nevertheless, already at this stage, foreign owners of internet resources with a Russian audience should conduct an audit of their activities aimed at the Russian market and evaluate the measures needed to ensure compliance with the Law.

In addition, advertisers and advertising distributors will have to introduce additional compliance measures when placing advertisements to ensure that they do not advertise companies against which restrictive measures have been imposed and place advertisements on the resources of these companies.

Furthermore, the Law may affect the ability of Russian personal data operators to use the services of foreign vendors. If a foreign company is banned from transferring personal data, Russian personal data operators may be forced to refuse to use certain platforms, which may have an adverse effect on their operations.

Accordingly, internal compliance procedures in the field of personal data should also be adjusted in light of the new requirements of the Law. In particular, Russian personal data operators will have to monitor whether service providers are prohibited from transferring data.

If you have any questions on this eAlert, do not hesitate to get in touch with CMS Russia experts Anton Bankovskiy, Irina Shurmina, Vladislav Eltovskiy and Alisa Mikheeva or your regular contact at CMS Russia.

* In Russian