Russia has introduced new legislation regulating recommender systems[1]. From October 1, 2023, owners of online services will have to inform users about how the service's recommender systems work and ensure that such recommender systems do not violate Russian law.
In addition, a procedure for user authorization on online services belonging to Russian owners, rules for hosting providers and a ban on foreign control over news aggregators have also been introduced. The authorization rules and requirements for hosting providers come into force on December 1, 2023. The amendments pertaining to control over news aggregators have already entered into force.
These changes were introduced in recent amendments[2] to the Federal Law "On Information, Information Technologies and Information Protection" (hereinafter the "Law on Information") and the Federal Law "On Communications".
In detail
Recommender systems
New requirements
Owners of websites, website pages, information systems and software (hereinafter - “online services”) using recommender systems will be required to:
- ensure that the recommender systems do not violate the rights and interests of citizens and organizations and do not provide information violating Russian laws;
The wording of this requirement is very broad.
In our opinion, in the future, this will capture violations of all statutory requirements, as well as, for example, violations of the ethical principles of AI.
- expressly inform users that recommender systems are being used;
- publish the terms of use of recommender systems.
In the terms of use, the owner of an online service must disclose the algorithm used to process user preference data.
Scope of application
The new requirements will apply to the owners of online services that use recommender systems to analyze the preferences of users in Russia.
The new version of the Law on Information will not define when a service is viewed as analyzing the preferences of Russian users: neither by the criterion of use of the Russian language, nor by other criteria for targeting Russian users. However, there is no doubt that the requirements will apply not only to Russian, but also to foreign services popular in Russia.
The law will specifically apply to:
- Social networks;
- Audio and video streaming services;
- E-commerce websites, marketplaces, online classifieds, aggregators;
- Online banking, etc.
Enforcement
Roskomnadzor (Russia’s Internet watchdog) will identify online services using recommender systems on the Internet and, if it finds signs of a violation, it may request information on the use of recommender systems from the owner of the online service, as well as access to the software and hardware of the recommender systems for evaluation.
If a violation is confirmed, Roskomnadzor will request that the violation be eliminated within 10 days. If the violation is not eliminated, Roskomnadzor will send another notice, this time demanding the termination of the use of the recommender systems.
Consequences of a violation
If the owner of an online service does not stop using recommender systems within 24 hours of receiving the request, Roskomnadzor will block the online service via telecom operators.
The law also indicates the possibility of criminal, administrative and other liability for non-compliance with the new obligations, although relevant amendments to the Code of the Russian Federation on Administrative Offenses and the Criminal Code of the Russian Federation have not yet been announced.
Timelines
The amendments related to recommender systems enter into force on October 1, 2023. By that time, all online services should be brought in line with the new requirements.
User authorization on online services
New requirements
If access to information on an online service requires user authorization, the owner of such online service must ensure the authorization of users from Russia:
- via a Russian mobile phone number, based on an authentication agreement between the owner of the online service and the telecom provider;
- via the Unified Identification and Authentication System (account on the Public Services Portal, "Gosuslugi");
- through the Unified Biometric System; or
- using Russian information systems enabling user authorization. Such an information system is recognized as Russian if it belongs to a Russian citizen who has no foreign citizenship or to a Russian entity that is directly or indirectly more than 50% controlled by Russia, a constituent entity thereof, a municipal entity or a Russian citizen who has no foreign citizenship.
The above list is exhaustive.
Scope of application
The indicated limitation of options for user authorization applies only to online services owned by Russian citizens or Russian entities.
Foreign companies should take these new requirements into account if their local Russian entity is involved in maintenance of a local website or mobile app.
There is an ambiguity on the actual purpose and scope of the amendments – although only authorization is mentioned, it is unclear whether the amendments apply also to registration and / or authentication.
The legislators who authored the amendments commented that the changes apply to the procedure for user registration on Russian websites and prohibit such registration using foreign e-mail.
However, the amendments mention user authorization, but not registration.
There is a difference. The user passes registration once, when first creating a login and password for access. Authorization is access with the use of already existing registration data.
Usually, the user logs in using the login and password created during registration, but some online services allow authorization with use of a third-party service ID (i.e., without the initial registration and creation of login and password).
If the actual purpose of the amendments was to prohibit user registration in the above-defined Russian online services using foreign e-mail addresses, we can expect that there might be changes to the law in the near future. If not, it seems that the amendments will actually limit only the use of foreign authorization services.
Consequences of a violation
There is as yet no liability for owners of online services that do not limit the options for user authorization, but we expect that it will be introduced in the future.
Timelines
The owners of online services will be obliged to ensure user authorization according to the new requirements from December 1, 2023.
The authors of the amendments commented that the rule is not retroactive, and those users who have registered earlier will retain their access.
However, it is not clear how this would actually work, given that the amendments actually refer to authorization (i.e., each access to an online service).
Hosting providers
New requirements
Russia will have a register of hosting providers, which will be supervised by Roskomnadzor.
Hosting providers will be required to:
- notify Roskomnadzor of the commencement of hosting activities in order to be included in the register;
- comply with information protection requirements when providing hosting services;
- ensure installation of technical devices for communications control needed to intercept and/or interrupt communications (known as "SORM") and cooperation with law enforcement agencies;
- provide services only to persons who have been identified and/or authenticated;
- fulfil the obligations under the so-called "Sovereign Internet" law.
Enforcement
If Roskomnadzor identifies a non-compliant hosting provider, it will send the hosting provider a request to eliminate violations. There will be no more than 10 working days to ensure compliance. Failure to eliminate violations will result in exclusion from the register, which means that the hosting provider will not be allowed to provide hosting services.
Timelines
The amendments introducing new obligations for hosting providers will enter into force from December 1, 2023.
Currently active hosting providers must send a notification of the commencement of hosting activities in order to be included in the register by December 15, 2023. The transition period for filing the notification for inclusion in the register of hosting providers will last until February 1, 2024. After that, the provision of hosting services by providers not included in the register will not be permitted.
News aggregator owners
New requirements
The law has tightened up the restrictions on foreign ownership of news aggregators[3].
Previously, news aggregator owners could be Russian citizens and Russian entities; no additional limitations were established.
Now there is an additional restriction for citizens who are news aggregator owners: they must not have foreign citizenship.
Russian entities owning news aggregators must be directly or indirectly more than 50% controlled by Russia, a constituent entity of Russia or a Russian citizen who has no foreign citizenship.
Timelines
The restrictions on foreign ownership of news aggregators have already come into force.
1. Recommender systems are technologies for providing information based on the collection, systematization and analysis of information about user preferences.
2. Recommender systems regulation: Federal Law No. 408-FZ dated 31.07.2023 "On Amendments to the Federal Law "On Information, Information Technologies and Information Protection" (text available in Russian only); other amendments: Federal Law No. 406-FZ dated 31.07.2023 "On Amendments to the Federal Law "On Information, Information Technologies and Information Protection" and the Federal Law "On Communications" (text available in Russian only).
3. According to Russian law, a news aggregator is an online service that is used for processing and distributing news information in the Russian language or languages officially used in constituent entities of Russia, which distributes advertisements targeting users from Russia and has more than 1 million daily users.
Contacts:
Alexander Monin, partner, Moscow
Denis Khabarov, partner, Moscow
Valeriya Eystrakh, associate, Moscow
Maxim Kalinin, partner, Saint Petersburg