Until recently, foreign tech companies not represented in Russia were not subject to Russian law, except the requirement to use a server located in Russia for the purposes of collecting Russian citizens’ personal data and deleting data that is prohibited for distribution in Russia.
On 1 July 2021, a new law expanding requirements for foreign tech companies’ activities in Russia was adopted. The law applies to foreign tech companies not represented in Russia if their daily audience in Russia is more than 500,000 users and they:
- distribute information in Russian or another state language of the Russian Federation; or
- provide advertising targeted at a Russian audience; or
- process the personal data of users located in Russia; or
- receive payments from Russian individuals or companies.
It also applies to hosting services providers and operators of messaging apps or services if they have Russian users.
Requirements of the new law
The law introduces new obligations for foreign tech companies that fall within its scope, which include:
- registering a branch, a representative office or a subsidiary in Russia (which shall be used to represent them in courts and to interact with Russian users);
- being included in a special register maintained by Roskomnadzor, the Russian regulator responsible for the tech sector; and
- complying with Russian legislation, in particular by deleting illegal information from their information resources.
If foreign tech companies fail to apply to be included in the register referred to above, Roskomnadzor has the power to include such foreign companies in the register.
Consequences of non-compliance and recommendations
The law sets out a list of sanctions for those who do not comply with its provisions. For instance, failure to comply with the new requirements may result in:
- users being notified that the foreign tech company has violated Russian law;
- a ban on the advertising of the foreign tech company and/or its information resources;
- a ban on payments to the foreign tech company;
- a ban on being included in search results;
- a ban on the collection and cross-border transfer of personal data; and
- full or partial blocking of the information resource for users in Russia.
Most of the new requirements come into force on 1 July 2021. However, the requirement to open a branch, a representative office or a subsidiary in Russia will apply to foreign tech companies from 1 January 2022.
Therefore, companies whose information resources target Russian users should:
- review the new requirements in more detail;
- assess options for opening a local office in Russia;
- analyse the legal and tax consequences of opening a local office;
- analyse general compliance with Russian legislation, for example, the localisation requirement applicable to the collection of Russian citizens’ personal data; and
- analyse what technical solutions are needed to meet the new requirements (including providing a feedback form for Russian users and setting up a personal account on the regulator’s website).
The explanatory note to the bill gives the impression that the law is primarily aimed at regulating the activities of large US tech companies in Russia. However, it will also apply to smaller tech companies.