The Russian Federation signed the “Yarovaya Laws” into effect on July 6th, and this package carries several severe implications for the cyber landscape. The Yarovaya Law(s), or Yarovaya Package, consists of two laws, 374-FZ and 375-FZ, that modify Russia’s criminal code and cyber landscape under the guise of dealing with terrorism. In a rather dystopian twist, the Yarovaya Law makes it a crime to fail to report a crime you know is going to happen, even if that crime doesn’t actually get committed. It changes the age at which children may be charged for terroristic acts to 14 and makes other sweeping changes to the punishments for acts of terror.
The Yarovaya Law affects the cyber landscape in Russia in a huge way, and it acts as a sort of “Nega-GDPR” that strips the rights and freedoms of Russian data subjects instead of increasing them. Namely, it requires all communications providers and Internet Service Providers (ISPs) to keep a complete log of the metadata of their users for three years. Additionally, these same providers must record all communications, images, videos, reports, audio, and other data sent through their services for six months. Both of these databases must be made available to the FSB and other Russian agencies and may be used in investigative work. On top of this, these providers must also provide the decryption key for any encrypted data that they send. This won’t necessarily mean that your data is decrypted automatically if you use your own encryption scheme, but if you rely on your ISP to encrypt, then your data is not secure.
These regulations apply to any company that does business in Russia or any data subjects who reside in Russia. Companies that process data in Russia must establish and maintain a database in Russia, and this database must be inspected to ensure that the data is being handled correctly. The Yarovaya laws allow for widespread monitoring that isn’t normally so blatant, and it’s surprising to see laws like these passed.