Maria Ostashenko

Please be informed that major changes in regulation of information technologies and the Internet in Russia have been enacted recently by legislators in the third reading at the Russian Parliament. The bills are aimed at establishing new requirements for hosting providers, restrictions on the use of recommendation technologies on the Internet and authorisation methods on Russian websites, new fines for social media platform owners. Law on hosting providers in Russia As of December 01, 2023, hosting providers will be subject to the new requirements in Russia. This regulation applies to companies providing services for the provision of computing power for posting information in information systems permanently connected to the Internet. The hosting providers will have the following obligations: To send a notification on commencement of hosting services to Russian Data Protection Authority (Roskomnadzor); To ensure the implementation of information security requirements; To ensure the implementation of requirements for conducting operational and investigative activities and to prevent disclosure of organisational and tactical methods of conducting such activities (the procedure for interaction of hosting providers with authorised state authorities shall be established by the Government of the Russian Federation); To comply with the requirements the 'Sovereign Runet' Law and other specified provisions of the Russian Communications Law1 ; To verify the identification or authentication of its customers. Based on the hosting provider’s notification, a hosting provider shall be included into a special register which will be maintained by Roskomnadzor. As of February 01, 2024, the absence of information in the register will be an obstacle for the operation of hosting providers. Hosting providers that were operating before these changes came into force shall notify Roskomnadzor regarding commencement of hosting services by December 15, 2023. Roskomnadzor will monitor the activities of hosting providers in Russia. If the hosting provider fails to eliminate violations identified by Roskomnadzor, within 10 business days from the date of the request (unless earlier deadlines are set out in the notification itself), the hosting provider will be removed from the register and prohibited to carry out its activities. Regulation of recommendation technologies used in relation to Russian users As of October 1, 2023, new requirements will be introduced for owners of websites, mobile applications or other information systems ('owners') when using information technologies to provide information based on the collection, systematisation and analysis of information relating to the preferences of users (so-called “profiling”) located in Russia ('recommendation technologies'). For instance, the respective amendments will be relevant for owners of social media platforms, video hosting platforms, streaming platforms, search engines, e-commerce platforms (marketplaces) that use various recommendation algorithms and the rest owners who performs profiling on their websites and mobile applications. Owners using recommendation technologies or algorithms will be obliged to: prevent the use of recommendation technologies that violate the rights and legitimate interests of citizens and organizations and the provision of information in violation of the legislation of the Russian Federation; inform users about the use of recommendation technologies; provide an e-mail address for users to send their requests; publish the policy for the use of recommendation technologies in Russian language specifying the types of information on user preferences, sources of obtaining such information, a description of processes and methods of collecting, systematizing, analyzing information on user preferences, and methods of implementing such processes and methods. Roskomnadzor will monitor compliance with the restrictions: in case of non-compliance with the requirements, it is authorized to send a notice to the owner to take measures to eliminate violations. If the owner again fails to take any measures, Roskomnadzor may restrict access to such information resource. Such blocking of the resource may be removed based on the court’s decision, provided the owner eliminates the violations with further notification of Roskomnadzor. Roskomnadzor is also expected to adopt rules for informing users about the use of recommendation technologies. New rules on authorisation for users on Russian websites As of December 1, 2023, owners of websites, mobile applications or other information systems ('owners') that are Russian legal entities or citizens of the Russian Federation are limited in the possible options for authorization of users located in Russia. These restrictions, however, do not apply to foreign owners of websites, mobile applications or other information systems available in Russia. As of December 1, 2023, only the following authorisation methods may be used: Via phone number in accordance with the procedure established by the Government of the Russian Federation based on an identification agreement concluded by the owner with a telecom operator; Via 'Gosuslugi' (a Russian state services platform); Via Unified Biometric System; Via another information system that meets information protection requirements. The owner of such a system may only be a citizen of the Russian Federation who does not have citizenship of another state, or a Russian legal entity. Thus, the use of various foreign authorization systems on Russian websites or applications, such as Apple ID, Google is restricted. Therefore, Russian owners of websites, mobile applications or other information systems should review their user authorization solutions before the effective date of the new requirements. New fines for social media platforms owners As of September 1, 2023, administrative liability is established for violation of statutory duties by the owner of a social media platform. New rules apply to companies whose information resources are used to disseminate information in Russian (other languages of the regions or peoples of the Russian Federation), on which advertising that attracts the attention of consumers located in the territory of the Russian Federation may be disseminated, and to which more than 500,000 Internet users located in the territory of Russia have access during the period of a day. --table-- --table-border-- Obligation of a social media platform owner Administrative fine for violation of the specified obligation Annual posting of a report on the results of consideration of appeals about information disseminated in violation of the law and the results of monitoring the social media platform, and an electronic form for sending relevant requests;Posting a document in the social media platform that establishes the terms of use of the social media platform and informing users of any changes made to these terms. For officials - from RUB 200 000 to 400 000 (approx. from 2,200 USD to 4,400 USD);For legal entities - from RUB 600 000 to 1 000 000 (approx. from 6,615 USD to 11,000,00 USD). Monitoring of the social media platform, taking measures to restrict access to information the distribution of which is restricted under the Law 149-FZ2;Fulfilment of Roskomnadzor's requirement to cancel measures taken by the owner to restrict access to users' information. For officials - from RUB 200 000 to 400 000 (approx. from 2,200 USD to 4,400 USD);For legal entities - from RUB 800 000 to 4 000 000 (approx. from 8,820 USD to 44,100 USD).In case of repeated offence:For officials - from RUB 500 000 to 800 000 (approx. from 5,510 USD to 8,820 USD); For legal entities - from RUB 4 000 000 to 8 000 000 (approx. from 44,100 USD to 88,200 USD). Submission to Roskomnadzor the information on the owner of a social media platform or other information necessary for the maintenance of the relevant register. For legal entities - from RUB 50 000 to 300 000 (approx. from 550 USD to 3,300 USD). Fulfilment of Roskomnadzor’s order to monitor a social media platform to identify information that is confusingly similar to the information in respect of which the owner was obliged to take measures to remove on the basis of an earlier request from Roskomnadzor. For legal entities – from RUB 4 000 000 to 6 000 000 (approx. from 44,100 USD to 66,150 USD). Only articles 561 (3), 562 (8 (1-3)) and 651 (4) of the Federal Law of the Russian Federation No. 126-FZ of 7 July 2003 on Communications shall apply to hosting providers. the Federal Law as of July 27, 2006, No. 149-FZ on Information, Informational Technologies, and Protection of Information

Please be informed of the adoption of a number of legislative and regulatory acts that impose restrictions on the use of foreign programs and products in the government and financial sectors. Ban on the use of foreign messengers As of March 1, 2023 restrictions on the use of a number of foreign messengers1 for specific operations related to the transfer of payment documents and personal data are imposed on certain organizations in Russian government and financial sectors: --table-- --table-border-- To whom the ban applies? State-owned and municipally owned companiesCompany with predominant state participationCredit institutions and non-credit financial institutions engaged in activities of non-credit financial institutionsSubjects of the National Payment System Prohibited Operations Transfer of personal data of Russian citizensTransfer of payment documentsSubmission of data on non-cash funds transfersSubmission of information for making paymentsTransmission of data on bank accounts and deposits of Russian citizensConnection to any informational systems enabling transfer of funds of the Russian citizens Banned foreign messengers (as of March 1, 2023)2 DiscordMicrosoft TeamsSkype for BusinessSnapchatTelegramThreemaViberWhatsAppWeChat What is allowed? Companies may still use the messengers listed above as long as their use does not fall within the Prohibited Operations. As an extension of this ban, liability in the form of fines for the use of foreign messengers was imposed as of June 24, 20233: For officials – from RUB 30 000 to 50 000, For legal entities – from RUB 100 000 to 700 000. Control of the Bank of Russia over the Russian financial sector organizations’ transition to domestic software As of March 1, 2025, a ban on the use of foreign software at significant critical information infrastructure facilities (“SCIIF”) owned by state authorities and customers under the Law No. 223-FZ (except for entities with municipal participation) is imposed4. This ban will affect large Russian banks and non-credit financial institutions that are subject to legislation regulating security of critical information infrastructure. Furthermore, as of September 2023 the Bank of Russia will be authorized to coordinate and control the transition of credit institutions and non-credit financial institutions5 to domestic software, domestic radio electronic products, and telecommunication equipment. The Regulator will control purchases of foreign software and services falling within its competence. The Bank of Russia will also manage and monitor credit institutions and non-credit financial institutions in order to implement measures ensuring security of critical information infrastructure. Federal Law No. 584-FZ dated December 29, 2022 “On Amending the Federal Law “On Information, Information Technologies, and Information Protection” The list of banned foreign messengers is adopted by Roskomnadzor: https://rkn.gov.ru/news/rsoc/news74672.htm Federal Law No. 277-FZ dated June 24, 2022 “On Amending the Code of Administrative Offenses of the Russian Federation” Decree of the President of the Russian Federation dated March 30, 2022 No. 166 “On measures to ensure technological independence and security of the critical information infrastructure of the Russian Federation” Federal Law No. 243-FZ dated June 13, 2023 “On Amending the Federal Law “On the Central Bank of the Russian Federation (Bank of Russia)”

We are glad to present you with an overview of the Russian regulations in the sphere of pharmaceuticals and life sciences for the 1st half of 2023. There are several digital initiatives in the healthcare sector, such as pilot launch of online sale of Rx medicines and the extension of experiment with track-and-trace system for medical devices. We see that the regulators are willing to take step forward and extend the period of registration of medical devices under national rules, but in other sectors they are taking closer look on current requirements and may apply stricter approach (e.g., implement additional requirements for food additives). All in all, the pharma industry and its regulatory framework is relatively stable now.

As we have informed previously1, on September 1, 2022, the Law “On Advertisement” was added with provisions, introducing obligations to label and register online advertisement for advertisers, advertisement distributors and advertising system operators. No specific liability for violations of the new provisions was introduced at that time. In June 2023 the law introducing administrative liability for non-compliance with the requirements of online advertisement registration was adopted2. The respective provisions were implemented in Article 14.3 of the Russian Code of Administrative Offences and shall come into force on September 1, 2023. Please, see the detailed overview of the provisions of the Law “On Advertisement” on Internet advertisement labeling in our previous newsletter. Federal Law dated June 24, 2023 No. 274-FZ “On amending the Code of Administrative Offences of the Russian Federation” (in Russian only).

Please be informed that on September 1, 2023, the Federal Law No. 75-FZ on Amending Article 562 of the Federal Law on Communications will come into force (“Law 75-FZ”), establishing new obligations for the owners of technological communication networks which have an autonomous system number (“ASN”).

Dear Ladies and Gentlemen, We are pleased to present you with a current digest of the most significant bills, regulatory changes, and measures in matters concerning TMT industry for the period from June 2022 to February 2023.

Dear Ladies and Gentlemen, As a part of a reform of Russian data protection laws, Roskomnadzor adopted new rules for ban or restriction of cross-border transfer of personal data outside of Russia. Roskomnadzor may decide to ban or restrict cross-border transfer of personal data in the following cases: After the consideration of a data controller’s notification on cross-border transfer of personal data; Upon the motion of a competent authority to Roskomnadzor.

Dear Ladies and Gentlemen, We kindly remind you that new rules for cross-border transfer of personal data will come into force on March 01, 2023. If you plan to transfer personal data outside of Russia from March 01, 2023, you will need to submit the respective notification to Roskomnadzor. Please read our guideline if you are not ready to submit the notification on cross-border data transfer before March 01, 2023.

Dear Ladies and Gentlemen! In the last months of 2022, a number of new laws were adopted and came into force. The laws entail a need to revise the approaches of online platforms to content moderation and launching media campaigns in Russia. These novelties of legal regulation include: Introduction of prohibition of LGBT propaganda; Tightening state control over the activities of foreign agents; Changing the rules for registration of domain names in the zone .RU, .RF; New procedure for restricting access to messengers and social networks upon a court decision. In this regard, we present you with an overview of the key changes that online platforms need to take into account when carrying out business activity in Russia. Follow the link to learn more. Note: Please be aware that all information provided in this letter was taken from open sources. Neither ALRUD Law Firm, nor the author of this letter, bear any liability for consequences of any decisions made in reliance upon this information.

Dear Ladies and Gentlemen! We would like to inform you about the upcoming changes in the regulation of personal data which will take effect in 2023. The mentioned changes comprise: New order of planned state inspections over personal data processing in 2023; Changes in cross-border data transfer; Assessment of harm that may be caused to personal data subjects in case of violation of personal data legislation; New forms of notifications on personal data processing; The procedure for destruction of personal data. Follow the link to learn more. Note: Please be aware that all information provided in this letter was taken from open sources. Neither ALRUD Law Firm, nor the author of this letter, bear any liability for consequences of any decisions made in reliance upon this information.