New stricter liability measures apply to data controllers and processors, platforms with user-to-user communication functionality, instant messaging services, search engines and audiovisual services.

1. Personal data localization

Russia introduced administrative fines for citizens, officers and companies for violation of the obligation to initially record and store personal data of Russian citizens in Russia. Previously, Roskomnadzor, the Russian data protection authority and Internet watchdog, enforced the localization rules through minor administrative fines (of approx. USD 500 – 800) 2 or website blocking. The new law increases administrative fines for the first violation by legal entities to ~ USD 15,000 – 100,0003 Fines for repeat violations are within the range of ~ USD 100,000 – 300,0004

2. Online communication services

In Russia providers of online communication services with user-to-user communication functionality (for example, social networks, instant messaging programs, websites with user-generated content) must:

  1. register with Roskomnadzor,
  2. store certain information on users, user activities and user communications in Russia, including copies of the relevant textual, audio and video communications,
  3. provide law enforcement agencies with decryption keys for encrypted user communications, and
  4. install surveillance hardware and software for law enforcement purposes.

Roskomnadzor and the Federal Security Service previously had the right to impose fines and to block non-compliant services for violation of these obligations.

The law introduces new fines for repeated violation of these obligations:

a. for repeated refusal of companies that operate online communication services to register in Russia – in the range ~ USD 7,500 – 15,0005

b. for repeated refusal to locally store in Russia certain information on users, user activities and user communications, including copies of relevant textual, audio and video communications, and to provide law enforcement agencies with the above data or decryption keys – in the range ~ USD 30,000 – 100,0006

c. for repeated violation of the duty to install surveillance hardware and software for law enforcement purposes – in the range ~ USD 30,000 – 100,0007

The law also establishes administrative fines for repeat violations of requirements by search engines, audiovisual services and instant messaging providers.