Key takeaways:
- In Russia, starting from January 1, 2022, foreign Internet companies whose activities are focussed on Russian users and whose information resource is accessed by more than 500,000 daily users residing in Russia, shall establish and maintain a local presence, such as a branch, a representative office, or a subsidiary.
- Russian authorities received additional powers to enforce Russian laws against foreign Internet companies whose activities are focused on Russian users including prohibition of advertising of and by the company in Russia and prohibition for collection and cross-border transfer of personal data of Russian citizens.
On 1 July 2021, Federal Law No. 236-FZ on the Internet Activities of Foreign Entities in the Russian Federation (the “Law”) came into force, requiring establishment of local presence, such as a branch, a representative office, or a subsidiary, for foreign Internet companies whose activities are focussed on Russian users. The Law supplements the personal data localisation requirements under the Personal Data Law, in effect since 1 September 2015. Those earlier localisation obligations have run into enforcement challenges, and the Law is intended to facilitate interaction between foreign Internet companies and Russian authorities and users and, in turn, improve compliance.
Applicability. The Law defines “foreign Internet companies” as companies that own a website, information system, or software (“information resource”) which is accessed daily by more than 500,000 users residing in Russia. The Law applies if one of the following conditions is met:
- the information resource contains or disseminates information in Russian or languages of Russia’s constituent republics or nationalities;
- the information resource contains advertisements targeting Russian users;
- the foreign Internet company processes data relating to Russian users; or
- the foreign Internet company receives payments from Russian individuals or legal entities.
Federal Service for Oversight of Communications, Information Technologies and Mass Media (“Roskomnadzor”) determines which foreign Internet companies are subject to the Law and will make their list available on its website. A foreign Internet company can be removed from Roskomnadzor’s list (1) pursuant to its application if its information resource has been accessed by fewer than 500,000 Russian users daily for three months; or (2) on Roskomnadzor’s initiative, if the information resource has been accessed by fewer than 500,000 Russian users daily for six months.
Legal Requirements. A foreign Internet company subject to the Law must:
- place an electronic contact form for Russian users on its information resource;
- register a user account on Roskomnadzor’s website and use it to communicate with Russian authorities; and
- beginning on 1 January 2022, establish and maintain local presence in Russia through a branch, a representative office, or a Russian legal entity.
That local establishment must accept and consider inquiries from Russian users, represent the foreign Internet company in courts, comply with court judgments and decisions of authorities issued in respect of the foreign Internet company, and limit or remove access from Russia to information that is contrary to Russian law.
Enforcement. If a foreign Internet company fails to comply with the Law or other Russian law requirements, Roskomnadzor may:
- take measures that the Russian users of the information resource are informed that the company is in breach of Russian law;
- prohibit advertising of and by the company in Russia;
- restrict money transfers by and payments to the company via Russian lending institutions and mobile and postal service operators;
- restrict search results relating to the information resource of the foreign Internet company on search engines focussed on Russian users;
- prohibit collection and cross-border transfer of personal data of Russian citizens; or
- partially or fully limit access from Russia to the information resource of the foreign Internet company.
These enforcement measures can be taken for the breach of the Law or other Russian legal requirements by foreign Internet companies. Specific measures to be implemented would depend on the severity of the breach, with the more severe measures limited to circumstances where the company does not initially comply with Roskomnadzor’s rulings. In particular, failure to localise Russian personal data, as required by the Personal Data Law, can give rise to the most severe measures described above in addition to the measures already envisioned for the breach of the Personal Data Law.