As mentioned in the introduction to our blog series on ePrivacy in the EU, the European Council has reached a compromise on its position on the new ePrivacy Regulation.

Since Russia is not an EU member state, EU legislative initiatives do not affect Russia directly. But Russian legislative developments do follow some EU trends.

Russia does not have specific regulations on electronic communications data except for rules on the storage of such data by communications services providers and organisers of information distribution, and on the use of publicly available personal data.

In 2016, the 'Yarovaya law' – named after Irina Yarovaya, one of its principal authors – was adopted. Under the Yarovaya law, communications services providers and organisers of information distribution on the internet in Russia must store the contents and details of communications for certain periods (eg the contents of communications must be stored for up to six months). Moreover, the general obligations on data storage include providing the national law enforcement authorities, such as the Federal Security Service, with the above information on request, and disclosing information about access codes and keys to decode the messages.

Adoption of the Yarovaya law triggered public protests and objections from the business community in Russia since it restricts individuals’ right to privacy and triggers additional costs for business caused by the need to store the information. However, the law was adopted and is currently in force.

Russia has also recently adopted another piece of legislation in this area. At the end of 2020, the Russian law on personal data was amended with regard to making personal data publicly available. Under the new rules, a personal data operator needs a standalone specific consent to process an individual’s personal data that is being publicly distributed. Individuals are now permitted to limit the distribution of their personal data in such consents. For example, an individual may permit the publishing of information on one website and prohibit its further distribution.

In all other aspects, electronic communications data is subject to general rules for personal data processing. Russian law defines personal data as any information that relates directly or indirectly to an identified individual or an individual who is being identified. In accordance with current practice, IP addresses, geolocation data and mobile phone numbers are considered personal data. Personal data processing (including using cookies) normally requires an individual’s consent and compliance with a number of other requirements, such as publishing a policy on personal data processing on the operator’s website.

Other posts in this series include: