Anonymizers and VPN services are banned. How should the new rules be applied for business-related purposes?
On July 30th, 2017, the Russian President signed Federal Law No. 276-FZ dated July 29th, 2017 "On Introducing Amendments Into the Federal Law on Information, Information Technologies and Information Protection" (hereinafter the ‘Amendments’). The Amendments, among other things, prohibit using technologies, information systems, and programs (hereinafter ‘anonymizers’ and ‘VPN services’) that make it possible to get around the blocking of sites with banned content to which access is restricted inside Russian borders. The legislative innovation will only apply to those anonymizers, VPN services, and other programs that provide access to online resources and information and telecommunication networks to which access has been blocked by the Federal Service for Oversight in Communications, Information Technologies, and Mass Communications (hereinafter ‘Roskomnadzor’).
Who will be affected by the Amendments?
These Amendments will primarily affect those who operate anonymizers and VPN services, as well as search engines, which will have to block any links to information resources or information and telecommunication networks that are banned by Roskomnadzor. The Amendments prescribe a system governing communication between Roskomnadzor, hosting providers, and website owners to ensure that access to prohibited content is blocked.
The question arises about how the new rules should be applied in regard to VPN services that are used for business-related purposes, and whether the Amendments are even theoretically applicable in these kinds of situations.
How should VPN be used for business-related purposes?
Large companies that have offices around the world frequently set up remote access for their employees via an integrated corporate platform that uses VPN channels.
Article 17 in the Amendments specifically stipulates that the legislative innovation will not apply if certain conditions are observed: 1) if the user group for the associated hardware and software has been defined by the owners beforehand (i.e. the VPN service owners), and 2) if the hardware and software are used to provide technological support for the people using them.
In the absence of any official explanations from Roskomnadzor, we assume that the latter case specifically means the situation when a legal entity uses hardware and software to perform commercial activity. Having a limited user group use VPN connections for business-related purposes could serve as one particular example.
This all adds up to the preliminary conclusion that VPN services, just like other hardware, software, and related technologies, fall outside the scope of what is stipulated in Article 17 in the Amendments when they are used to achieve in-house goals at a company and support its commercial activities.
It is worth noting that the draft for Article 17 in the Amendments looked different. In particular, it directly stated that the requirements of the law would not apply in cases where the owners of information and telecommunication networks, information systems, or personal computer programs allow only those people with whom they have an employment relationship to use them. However, the original version went through changes, and came out as a formulation that was expanded and less well-defined.
It is too early to draw unequivocal conclusions about the requirements in the Amendments not applying to corporate VPN services since Roskomnadzor has not given any official explanations. In addition, there is no guarantee against VPN connections being used simultaneously for business-related purposes and to gain access to resources and websites that are blocked in Russia. For example, VPN services like HideMy.name, ExpressVPN, or PIA can be used both to secure access to a global corporate platform and to circumvent blocked access to banned information resources in Russia. In addition, it is not clear from the text of the Amendments how liability will be distributed (and whether it will be) among hardware and software owners, or among those who use these kinds of technologies to support their activities.
According to reports from the press, Internet Ombudsman D. Marinichev has already called the adopted federal law “madness,” referring to the fact that “it is impossible to separate VPNs that are used for business-related purposes from VPNs that are used to circumvent access that has been blocked.” There are concerns that applying the Amendments in practice will lead to the service administrators of instruments like VPN or Tor blocking access across the board, regardless of the goals for which they are being used.
What kind of liability will there be?
Liability for non-compliance with the Amendments that have been enacted has not been established for search engines, hosting providers, or Internet sites. It is possible that changes will be introduced into the Russian Federation Code of Administrative Offenses at a later date – after the Amendments have come into effect. For now, the code only establishes liability for communication service providers for not fulfilling their responsibilities in terms of restricting/reinstating access to information that was restricted/reinstated on instructions given by Roskomnadzor (Article 13.34).
The Amendments enter into effect on November 1st, 2017, with the exception of some of the provisions.
Hereinafter, the term "anonymizer" means websites or browsers used by user groups to conceal their information, including their geographical location and that of the device used to make an entry, from owners of resources visited by the user. "VPN services" means applications or built-in services that are designed to perform work anonymously on the Internet, and permit encrypting all of the user's traffic.
A separate memo on interaction between site owners and hosting providers will be released by the VEGAS LEX law firm in the autumn.