The last step to the "Spring"

Recently, Russian lawmakers have passed laws that are poorly developed from the point of view of respect for human rights. The loudest of such legislation was the package of “anti-terrorism” bills (Federal Law No. 374, Federal Law No. 375), adopted in July 2016, which the people called the “Spring Law”. A number of laws were introduced resonant norms that can seriously affect the lives of people in Russia. In particular, norms were added on non-information (failure to report a crime), calls for terrorism in social networks, on the regulation of religious missionary activity, on the storage of communications by operators and organizers of the dissemination of information from users.

This article deals with amendments concerning the storage of user data, since they threaten the right to privacy, do not comply with the Constitution of the Russian Federation and a number of other regulatory legal acts.
')

The essence of the amendments

According to the amendments under the “Spring law”, the organizers of information dissemination (hereinafter referred to as “ORI”) and telecom operators from July 1, 2018 will have to store voice information, text and video messages, images and other content of users' messages for 6 months, and metadata - 1 ORI year and 3 years telecom operators.

At the same time, according to the “Spring law”, the obligation to store user traffic and messages applies to persons providing any type of communication services (there are 20 of them). However, on April 19, 2018, on the official legal information portal, the RF Government Decree dated April 12, 2017 No. 445 was published, which specifies the list of communication services that require all users to be kept in correspondence (for example, broadcast services were not included). The new rules will come into force for voice communications and sms from July 1, and operators should store user Internet traffic from October 1, according to the document. Storage must be carried out within 30 days with an annual increase in storage capacity of 15% over 5 years.

“Judging by the resolution, the terms are not final. But the main question is: for what purpose should traffic be stored, if at least half of the users in Russia have it encrypted? And in connection with the Telegram blocking, we note an explosive growth of interest in means of encryption and blocking bypass, ” said Irina Levova , director for strategic projects at the Internet Research Institute.

Since the means of accumulation with the software are part of the means of communication intended for carrying out operational investigations and fall under the definition of “means of communication”, they are subject to mandatory certification on the basis of paragraph 3 of Art. 41 of the Federal Law "On Communications".

The issue of the production and certification of data storage tools is not yet resolved. Telecommunications operators are inclined to think that years may pass until the “rules of the game” are formulated, and perhaps the situation will develop in the same way as with SORM, i.e. certain manufacturers will be “on top”. According to our estimates, taking into account the complexity of the certification procedure, it may take 2–3 years to develop an appropriate procedure.

For the overall picture, it is worth recalling that for the ORI and telecom operators there is already an obligation to store user metadata (information on the facts of reception, transmission, delivery, processing of electronic messages) for one year and three years, respectively. After the entry into force of the “Spring amendments”, law enforcement agencies will have the right to gain access to all the content of user messages and metadata when investigating crimes. The CID is also obliged to assist the investigating authorities with decoding the encrypted electronic messages of users (clause 4.1. Of Article 10.1. Of the Law “On Information”). Just on the basis of these provisions, the Russian FSB demanded in 2017 decoding keys from the Telegram messenger who refused to provide them, for which he was blocked in Russia (though only de jure).

Attempts to cancel

In 2016, the petition “Cancel the“ Law of Spring ”gained 100,000 signatures on the Russian Public Initiative website, but the Expert Working Group under the Government of the Russian Federation recommended not to cancel the“ Law of Spring ” . The conclusions of some experts about the violation of the right to privacy were ignored, the responses of the departments were nothing more than a formal reply.

It is curious that in the draft expert opinion to justify the “Law of Spring” European experience was mentioned, namely the EU Directive 2006/24 / EC dated March 15, 2006 (the so-called Data Retention Directive ), canceled as early as 2014. According to the directive, the data of European users should have been stored by telecommunication companies from 6 months to 2 years. The directive was repealed by a decision of the EU Justice Court. Europeans realized the contradiction of the provisions of the directive on the right to privacy. The EU Justice Court concluded that storing user data, regardless of their category and in the absence of detailed conditions for such storage for a long period, violates the right to privacy and increases the risk of abuse, illegal access and use of their data. Subsequently, references to this directive were removed from the final version of the expert opinion on the petition “Cancel the“ Law of Spring ”.

Constitutional conflicts

Without any doubt, the messages and calls of users relate to information about privacy. Storage by telecom operators and ARI of all user traffic, as well as its transfer to law enforcement agencies without a preliminary court decision, as provided for by the “Spring Law”, violates the rights to privacy, personal and family secrets guaranteed by Articles 23 and 24 of the Constitution of the Russian Federation.

Article 55 of the Constitution of the Russian Federation states that human and civil rights may be limited by federal law, if it is necessary to protect the foundations of the constitutional order, morality, health, rights and legitimate interests of others, to ensure the defense of the country and the security of the state. However, the rights and freedoms guaranteed by Articles 23 and 24 of the Constitution of the Russian Federation, constitutional norms provide special protection, they are not subject to restriction, even in a state of emergency.

Thus, the imposition of obligations on operators and ORI to store information of all users threatens violation of the right to privacy of correspondence as a whole and creates the danger that the unlimited number of people will have access to confidential information of all users in Russia.

As is known, in Russia there is a legal mechanism for the protection of constitutional rights through the Constitutional Court of the Russian Federation. The user, whose right to privacy is violated, can challenge the “Spring law” through the Constitutional Court of the Russian Federation, but only within a specific case. Therefore, in order to raise such a question before the Constitutional Court of the Russian Federation, it is necessary to wait until the relevant amendments come into force and law enforcement authorities begin its enforcement. Until the “Law of Spring” comes into force, only the highest authorities - the President, the State Duma, the Federation Council, the Government of the Russian Federation or the legislative / executive bodies of the subjects of the Russian Federation - can challenge it.

Collisions with other laws of the Russian Federation

In addition to the Constitution, the “Spring Law” regarding the storage of personal data contradicts a number of federal laws, which indicates a low level of elaboration of this legislative act.

Personal Data Act

The right to privacy is protected in Russia, including by the federal law on personal data, with which the provisions of the “Spring law” are in considerable conflict.

According to the law on personal data, any content of users (subscribers) with their identifying information will be related to personal data. The collection, storage and transmission of user (subscriber) information by telecom operators and ARI can be qualified as personal data processing. Biometric personal data, special categories of personal data can also be in the accumulated data array, and in general, with the help of these data, all private life of a person and his environment will be compared in the smallest details.

In accordance with Art. 13 of the Federal Law dated August 12, 1995 N 144- “On the operational-search activity”, communication operators do not belong to the bodies that carry out operational-search activity, at the same time, they will be, in fact, operators of technical means intended for operational search activities and the entire data set on these means.

The Ministry of Telecommunications and Mass Communications of the Russian Federation will establish requirements for the technical protection of funds accumulation (Section 7 of the Rules, RF PP No. 445), but it is not yet clear how such requirements will overlap with the general requirements for the protection of personal data in information systems. In the case of SORM, for example, the personal data operator is the FSB, which deals with their protection, including in the state secret mode. “Spring Law”, unfortunately, has a different logic and relieves the responsibility for storing and protecting huge amounts of user data to the private sector, that is, to the telecom operators and the RIS (the responsibility for breaking data processing rules and possible leaks will also be borne by the business).

In general, we can already say that the “Spring Law” contradicts the following articles of the law on personal data:

Article 6. The processing of data must not violate the rights and freedoms of the subject of personal data. The “Spring Law” threatens the right to privacy and confidentiality of correspondence and communications, as telecom operators and ORI are obliged to keep users' electronic correspondence for a long time and provide it to law enforcement officers without reservations about a judicial request.

Article 14. The right of the subject of personal data to access his personal data. It is impossible to exercise this right of the subject of personal data due to the heterogeneity of the information processed. The implementation of the right to update data is also problematic.

Article 19 Data operators should take the necessary measures to protect personal data from their dissemination (including the use of cryptography). It follows from the “Spring Law” that law enforcement agencies, in principle, will have unlimited access to user data without obtaining their consent and without a court decision.

Criminal Code of the Russian Federation

According to Art. 138 of the Criminal Code of the Russian Federation, violation of the secrets of correspondence, telephone conversations, postal, telegraphic or other communications of citizens is punishable by a fine, correctional or compulsory work. For the commission of this crime with the use of official position provides for punishment up to imprisonment. These provisions of the Criminal Code are ignored by the “Spring Law”, it is obvious that telecom operators and ARI, keeping records of electronic messages and calls of their users and giving them to law enforcement agencies, will potentially commit the crime under Art. 138 of the Criminal Code of the Russian Federation, or such a crime may be committed at the slightest violation of the rules for storing data by a telecom operator or ARI.

Criminal Procedure Code of the Russian Federation

Article 186 of the Code of Criminal Procedure states that the control and recording of telephone and other negotiations may be authorized on the basis of a court decision , and, in some cases, if there is a threat to the victim, the witness or their close relatives, this is allowed upon a written statement of the said persons. However, in the “Spring Law” there is no mention of the need to obtain a court decision authorizing the recording of user traffic. According to the “Spring law”, the storage (recording) of user data must be made by telecom operators by default, without issuing any special act by any authorized body or court.

Law on Operational Investigation Activities

Article 5 of the Law "On the OSA" provides that in carrying out operational-search measures, the rights of a person and a citizen to privacy, personal and family secrets and correspondence secrets must be respected. Restriction of this constitutional right is possible only by a court decision and in the presence of certain information (about signs of a crime, about persons committing a crime, about events or actions (inaction) that threaten the state, military, economic, informational or environmental security of the Russian Federation) (art. . eight).

Federal Security Service Act

The Federal Security Service Act also requires counterterrorism measures that can encroach on citizens' rights to privacy of correspondence, court rulings and the motivated petition of the head of the counter-terrorism authority (Article 9.1 of the Federal Law on the Federal Security Service).

As can be seen, when it comes to restricting the right to privacy of correspondence and the inviolability of private life in the framework of the OSA, the participation of the court and the decision of the court is obligatory. But the “Spring Law” does not provide for the need for a court decision and at the same time does not make any changes to other legislative acts (CC, CCP, etc.). Guarantees of the protection of the constitutional rights of users and their personal data are also not provided for in the “Spring Law”.

Conclusion

In the context of a comprehensive development of technology and the Internet, as well as in the light of the latest news, the “Spring Law” causes great damage to an important and very vulnerable at the present time legal institution - the institution for the protection of the right to privacy. There is a high risk of arbitrary, uncontrolled, inappropriate use of user data by both private companies and law enforcement agencies. Moreover, it seems that the authors of the law also did not assess the negative consequences of the law for the business sector, namely, telecom operators and the ORI, who need to install expensive equipment for storing data and incur other costs to comply with the “Spring Law”. Telecom operators (Megafon, MTS, VimpelCom, Tele2) called the costs of implementing the law unaffordable and estimated them at 2.2 trillion rubles. According to some experts, this amount may exceed 10 trillion rubles.

According to Denis Lukash, executive director of the Center for Digital Rights , today any violation of the law on communications by telecom operators is interpreted by territorial bodies of Roskomnadzor as a violation of licensing conditions, for which telecom operators are held liable under part 3 of art. 14.1 of the Administrative Code. The exception is made by several provisions of the Law “On Communications”, for which responsibility has been explicitly introduced by other articles of the Code. Roskomnadzor bodies will constantly possess information about the lack of storage facilities at telecom operators, as they are one of the signatories of the act of commissioning storage facilities (clause 6 of the Regulations, RF PP No. 445).

Electronic communications data can potentially help investigate crimes, identify the whereabouts of victims and suspects, and link the suspect to the crime scene. However, without a detailed description of the procedures, definitions, clearly defined conditions and grounds for storing and accessing user and subscriber data, a fair balance between respecting the privacy of citizens and government intervention in it will be difficult to maintain. The “Spring Law” in terms of information storage adheres to a general approach: without specifics, without ensuring the safety of the fundamental right to privacy, it requires the storage of all data of electronic correspondence and other messages. Soon these legislative mistakes will start to play in practice.

In addition to the legal conflicts of the “Spring Law” described in this article, the financial side of the issue also requires attention, the issue of encrypting Internet traffic, electricity costs for operating data storage media and other aspects that we propose to discuss in the comments.