WorldLII [Home] [Databases] [WorldLII] [Search] [Feedback]

EPIC --- Privacy and Human Rights Report

You are here:  WorldLII >> Databases >> EPIC --- Privacy and Human Rights Report >> 2006 >>

[Database Search] [Name Search] [Recent Documents] [Noteup] [Help]

EPIC --- Privacy and Human Rights Report 2006

Title Page Previous Next Contents | Country Reports >Russian Federation

Russian Federation

Constitutional Privacy Framework

The Constitution of the Russian Federation recognizes rights of privacy, data protection and secrecy of communications. Article 23 states, "1. Everyone shall have the right to privacy, to personal and family secrets, and to protection of one's honor and good name. 2. Everyone shall have the right to privacy of correspondence, telephone communications, mail, cables and other communications. Any restriction of this right shall be allowed only under an order of a court of law." Article 24 states, "1. It shall be forbidden to gather, store, use and disseminate information on the private life of any person without his/her consent. 2. The bodies of state authority and the bodies of local self-government and the officials thereof shall provide to each citizen access to any documents and materials directly affecting his/her rights and liberties unless otherwise stipulated under the law." Article 25 states, "The home shall be inviolable. No one shall have the right to enter the home against the will of persons residing in it except in cases stipulated by the federal law or under an order of a court of law."[4292]

Data Protection Framework

In 2006, Russia adopted the Law on Personal Data, and the Law on Information, Information Technologies and Protection of Information, which replaced the 1995 Law of Information, Informatization and Protection of Information.[4293] Adoption of the Law on Personal Data fulfills Russia’s obligation to transpose the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data into national law.[4294] The Law on Personal Data generally protects personal data from being collected and processed illegally and without consent of data subject. However, the law is still far from ideal since it gives wide exemptions to the government. The Law on Personal Data came into force in January 2007, but most of its provisions are still inactive; for example, the law provides for the creation of a data protection authority, but none is operational to date.

Data Protection Authority

Russian public organizations tried to change the Law on Personal Data to make its data protection agency an independent body much like it is in many European countries but the Law as passed established the data protection agency as a branch of the Ministry of Communications. As of May 2007, the data protection agency was still inactive.[4295]

Statutory Rules Related to Privacy

The term "personal data" and some guarantees for personal data protection also appear in other laws, in particular, the Tax Code,[4296] the Labor Code[4297] and the federal Law on Statements of Civil Status. Also, confidentiality of information has been mentioned in various laws relevant to professional secrets.[4298]

In Russia (especially in Moscow and St. Petersburg) illegal collection and distribution of data on private persons and organizations is commonplace. Quite popular are databases on purchase/sale of cars, car owners, passport data and foreign passport data of Russian citizens, data on real estate (purchase and sale of apartments, their parameters, location and proprietors), databases of taxpayers, and information about people wanted for crimes and those who have been previously convicted. Cheap CDs with such databases are easily available on the streets and the Internet.[4299] In autumn 2004, CDs appeared with detailed information about income of taxpayers.

Russian legislation provides criminal liability for the invasion of privacy. The Criminal Code provides a penalty for violation of the immunity of private life,[4300] violation of secrecy of communications,[4301] and infringement of home inviolability.[4302] The Criminal Code also provides liability for unauthorized access to legally protected computer information.[4303] The Criminal Code includes sentences such as fines, forced labor, arrest, a ban on the right to hold certain positions or to be engaged in a certain activity and, in some cases, imprisonment for a period of up to five years.[4304] The maximum fine is RUB 300,000 (8,640 EUR).[4305]

According to the Civil Code, privacy is a legally protected non-property right.[4306] Attached to this right are personal dignity, personal immunity, honor and good name, business name, personal secret and family secret. If an individual suffers physical or moral damages by violation of his or her personal non-property rights or some other non-material welfare rights, as well as in other cases provided by the law, a court can force the person invading privacy to provide financial compensation.[4307] The Administrative Code states that "infringement of a legally established procedure of collection, storage, use or distribution of information about citizens (personal data)" shall lead to a warning or penalty.[4308] The Administrative Code also establishes liability for disclosure of information if access to it is restricted by federal law.[4309] The illegitimate refusal by a public official to submit information to a person is also an administrative breach of the law.[4310]

Information Technologies

A special "Department K" within the Ministry of Internal Affairs and its branches in cities of Russia are responsible for investigation of crimes in a sphere of information technologies. The number of cybercrimes grows in Russia every year. In 2005 and in 2006 there were over 14,000 known cybercrimes in Russia (each year).[4311] Most cases relate to unauthorized access to computer systems and networks and the distribution of pirated software, though sometimes Department K deals with cases of breaches of privacy. In March 2005 the court condemned the criminals to fines from 50,000 to 93,000 rubles (about 1,440 – 2,680 EUR).

In October 2006, three young Russian hackers were convicted to 8 years of high security prison and a 100,000 RUB (2,880 EUR) fine after they gathered information about British online services and blackmailed their owners.[4312] In March 2007, the Financial Times wrote about a high-skilled group of Russian criminals that used phishing methods to cheat Internet users and steal money from banks. The gang's takings are reported to be over 110,167,000 EUR, and the criminals haven't been convicted yet.[4313]

Wiretapping and Surveillance Rules

The 2003 Communications Law protects secrecy of communications.[4314] The tapping of telephone conversations, scrutiny of electronic communications, delay, inspection and seizure of postal mailings and documentary correspondence, receipt of information therein, and other restriction of communications secrets are allowed only with a court order except as otherwise provided by a federal law. The Law on Operational Investigation Activity that regulates surveillance methods used by secret services requires a court-issued warrant.[4315] The law was amended in December 1998 by the State Duma. Guarantees for the protection of privacy were emphasized and additional controls imposed on prosecutors. Article 5 of the Law provides that an investigative structure must secure people's privacy. The Law also provides: "If one believes that some actions of bodies conducting operational investigation have infringed on an individual's rights or freedoms, the individual has the right to appeal to a court, a prosecutor, or to a higher body that carries out investigative activities."

The law also provides: "If a person has not been proved guilty during a legally established procedure, then all materials obtained during this operational investigation must be archived for a period of one year and subsequently deleted." However this provision is virtually revoked by the following addition: ". . . unless official interests or justice require otherwise."[4316] In December 1999, the law was amended to allow surveillance by the tax police, the Ministry of Internal Affairs, Border Guards, the Kremlin Security Service, the Presidential Security Service, the parliamentary security services and the Foreign Intelligence Service.[4317] In 2001, the following provision was added to the Law:[4318] "Audio recordings and other materials resulting from interception and wiretapping of the conversation of persons being out of criminal proceedings must be deleted within six months after the wiretapping is over with an appropriate protocol.[4319] The judge must be notified three months before materials reflecting the results of operational investigations, implemented on the basis of a court warrant, are deleted." Disclosure of data that affects someone's privacy without his or her consent is legally prohibited unless otherwise stipulated by federal laws.

The law states that officials may enter a private residence only in cases prescribed by federal law or on the basis of a judicial decision; however, according to the US State Department, authorities did not always observe these provisions. The law permits the government to monitor correspondence, telephone conversations, and other means of communication only with judicial permission and prohibits the collection, storage, utilization, and dissemination of information about a person's private life without his consent. While these provisions were generally followed, problems remained. There were accounts of electronic surveillance by government officials and others without judicial permission, and of entry into residences and other premises by Moscow law enforcement without warrants. There were no reports of government action against officials who violated these safeguards.[4320]

In 2005, the government, citing concerns about terrorism, approved new regulations for interactions between communication companies and certain government agencies. The new regulations give law enforcement agencies greater access to telephone and cellular phone company clients' personal information and require providers to grant the Ministry of Internal Affairs and Federal Security Service (FSB) 24-hour remote access to their client databases. Some experts believed these new rules contradict the Constitution. Given that the authorities have had legal access to these records for 10 years, mobile operator MegaFon's press secretary suggested that the new rules change nothing, and simply make the process "more transparent."[4321]

The FSB has conducted phone tapping using the "SORM" system (or "System of Operative Investigative Activities"). In 1998, information about a new SORM-2 system that applies to the Internet was revealed. SORM-2 requires Internet Service Providers (ISPs) to install surveillance devices and high-speed links to local FSB departments, which would allow the FSB to directly access Internet users' communications, although with a warrant requirement.[4322] These rather expensive devices and links are to be paid for by the ISPs themselves. While most ISPs have not publicly resisted FSB's demands to install SORM-2, one ISP in Volgograd, Bayard-Slaviya Communications, challenged the FSB's demands. The local FSB and the Ministry of Communications attempted to have the ISP's license revoked[4323] but backed off after the ISP challenged their decision in court.

The existence of SORM-2 was confirmed by the State Committee of the Russian Federation on Communication and Informization (Goskomsvyaz, now the Ministry of Communications) as Order No. 47 in March 27, 1999, and Order No. 130, in July 25, 2000, which was registered with the Ministry of Justice on August 9, 2000. Order No. 130 was immediately challenged in the Russian Supreme Court by Pavel Netupsky, a St. Petersburg journalist. Although the Court upheld SORM-2, it ruled part 2.6 illegal, and therefore made sure that ISPs would know whom the FSB is monitoring.[4324] Netupsky lost on all other counts. SORM-2 has now been implemented, although FSB representatives have not provided any evaluation of how effective SORM-2 has been for the prevention and investigation of criminal activities, and there have been no announced arrests as of yet. Although the FSB insists that there have been no violations of privacy, its assertions cannot be verified as Russia lacks the appropriate supervisory and independent body to control FSB's activities. ISPs are used to avoid comments on any issues connected with SORM-2. The Russian communications call ISPs for cooperation and assistance to governmental investigative bodies.[4325]

Human rights observers continued to allege that officers in the special services used their services' power to gather compromising materials on public figures. There were credible charges that regional branches of the FSB continued to exert pressure on citizens employed by foreign firms and organizations, often to coerce them into becoming informants.[4326]

The Federal Law on Commercial Secret was enacted on July 29, 2004.[4327] The law regulates the disclosure of "commercial secrets" and how its confidentiality can be protected. It also defines information that may not be considered commercial secret, and establishes a list of information that may constitute commercial secret, including but not limited to, the number of employees, the system of remuneration, labor conditions including safety arrangements, work-related injuries, occupational morbidity figures, and vacancies; as well as past infringements to the Russian Federation legislation and ensuing prosecutions. The law expressly stipulates that the owner of commercial secrets is the employer.

In May 2004, President Putin signed the Presidential Decree on "Measures of Providing Information Safety to the Russian Federation in the International Information Exchange Area," which forbids the connection of information networks, communication networks and autonomous computers to the Internet and other networks of the international information exchange, if they contain state and official secrets and other information that can be withheld.[4328]

Despite these clear restrictions, President Putin declared that he does not approve of administrative restrictions of the Internet networks: "The Internet is the most democratic way of the dissemination of information, and reasonable restrictions of the criminal use of the Internet should not have influence on freedom of information.”[4329] Since then President Putin made several public declarations that he and his government were against such limitations and that Internet should regulate itself without governmental pressure.[4330] However, some Russian officials have another standpoint. Minister of Foreign Affairs Sergey Lavrov said that some Internet sites are propagandizing intolerance and violence.[4331] Alexander Kotenkov, who represented the President in the Council of Federation, declared that all Internet sites should have permanent IP addresses in order to define the information resource. However, officials could not resolve the issue of whether the Internet sites are traditional mass media or not. In some cases, Internet sites could be considered mass media. For example, according to the Decision of the Supreme Court, when detractive and false information are put on the Internet site, which has been legally registered as mass media, it should be regulated by the Russian mass media legislation.[4332] If it is impossible to find out the person who disseminated detractive and false information, judicial protection is certainly possible. The registration of Internet sites as electronic editions of mass media is carried out in the Federal Service regarding Supervision of Observance of the Legislation, in the field of Mass Communications and Protection of a Cultural Heritage. The registration is carried out voluntarily and assumes the fulfillment of Civil Code and also Mass Media Legislation.[4333]

After some controversial proposals and ideas concerning spam, Vladimir Putin approved the federal law "On advertising.”[4334] The law confirms the "opt-in" principle, and in a conflict situation the sender must prove that the addressee gave his/her consent to receive mail. The law also prohibits automatic mailing systems.[4335]

Anti-terrorism Measures

Anti-terrorist campaigns that the United States government promoted worldwide after the terrorist acts of September 11, 2001 have influenced Russian legislation. On December 20, 2000, the State Duma approved amendments to federal laws on Terrorism and on Mass Media in first reading. Although these amendments did not specifically concern online privacy, they seriously limited distribution of "extremist materials" via the Internet (even though "extremism" and "extremist materials" were not defined in Russian law at the time). On April 30, 2002, the President announced a bill on Counteraction to Extremist Activities. The bill contained broad definitions of "extremist activities" and, some critics argued, enabled a wide range of public protest actions to be viewed as extremism. The first draft contained an article relevant to the Internet: ISPs were forced to censor materials on their servers and remove or block "extremist sites." This article was later replaced with the indistinct reference to other legislation, and the controversial procedure of Internet monitoring and censorship was dropped.[4336]

After the terrorist attack in Moscow of October 2002,[4337] the State Duma quickly adopted several amendments to the laws on Mass Media and Terrorism, banning any distribution of information that could impede anti-terrorist actions.[4338] In December 2004, a new concept of the "state of a terrorist emergency" was introduced in the State Duma as one counter-terrorism measure. The new regime of a "state of a terrorist emergency" could seriously limit civil rights in case Russian law enforcement bodies receive information about a terrorist act prepared but failed to check this information. [4339] In the beginning of 2006, after lengthy discussions, the parliament removed the new proposal from the counterterrorism bill. However, according to the new counterterrorism law enacted in 2006, Russian secret services can easily wiretap and intercept communications during their counter terrorist operations.[4340]

According to Article 53 of the Federal Law on Communications, the data about telecommunications users are confidential and are protected by Russian laws.

The Fifth Periodical Report of the Russian Federation on the Implementation of the International Covenant on Civil and Political Rights of 2002 provides that in the period of four years 42 persons were convicted for violations of privacy, 61 for the violation of the secrecy of communications. According to the report, the number of persons convicted for breaching the inviolability of the home for the same period is much higher (5,476 persons). This apparently shows the lack of the enforcement required for the investigation of crimes related to the breach of privacy, as well as the lack of governmental oversight and independent institutions that could monitor how privacy laws are implemented. Before 2007, law enforcement structures used to refer to the lack of legal grounds and, in particular, to the lack of clear legal procedures about how to collect, process, store, transfer and disclose personal data. The new Law on Personal Data (which came into effect in January 2007) gives more grounding for prosecution of violators of privacy but it has not been implemented in legal proceedings yet.[4341]

National ID System

Russia has a national ID system. Each person older than 14 years of age must have a personal document (internal passport) that can be obtained at a local department of the Ministry of Internal Affairs. This passport is used as the main ID document and is necessary for many activities, including the purchase of train and plane tickets. Each passport bears a residency permit stamp. Russian courts (including the Supreme Court in 1998) have asserted that this permission regime is unconstitutional. Moscow authorities insist that it is only a notification procedure. However, in some situations getting registered can be a painful and complicated process. Without registration it is difficult get a well-paid job, get full public medical aid, children cannot attend public schools, etc. Moscow police used to stop people at streets, check their passports and fine those who have no registration stamp in it.[4342]

In recent years, officials, both at federal and Moscow levels, announced several times that a new system of electronic IDs would be introduced in the near future. According to these statements, the new system would supplement, and later replace, internal passports.[4343] For the moment, Russian citizens have limited ability to get so-called “foreign” biometrics passports (that are necessary for travel outside the country) on a voluntary basis.

Open Government

A federal draft on Access to Information has been pending in Russia since 1997; however, on April 18, 2007, a draft on Providing of Access to the Information on Activity of the State Bodies and Institutions of Local Government passed the first of three readings in the Russian Parliament. The new Law on Information (LIITPI) began to partly regulate citizens’ right to access to information.

According to the federal Law on Information, Information Technologies and the Protection of Information (LITPI), governmental data resources are open for general use except for confidential information stipulated by federal laws. The law prohibits any limitations of access to information about activities of governmental structures, legislation related to human rights and freedoms, environment and public libraries.[4344]

International Obligations

Russia is a member of the Council of Europe (CoE) and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[4345] The Russian Federation has signed and ratified the CoE Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[4346]

Russia participated in the negotiations on the CoE Convention on Cybercrime which was opened for signature in November 23, 2001.[4347] The Convention requires Member States to establish criminal offences under their domestic laws regarding various computer or computer-related crimes, including unauthorized access to a computer system and unauthorized interception of a data transmission. As of May 2007, Russia has not yet signed the treaty.

Autonomous Russian Republics

The Constitutions of 16 republics of Russian Federation reproduce Articles 23, 24 and 25 of the Federal Constitution. Constitutions of Bashkortostan and Ingushetya stipulate the same guarantees with different wording. The Constitution of Bashkortostan incorporates the addendum, allowing a search only on the basis of a judicial warrant. In other cases, there are fewer privacy safeguards than in the federal Constitution, or even no safeguards at all (Karelia, Kalmykia). There are no essential differences between the constitutions of the republics and federal privacy guarantees.[4348]

[4292] Constitution of the Russian Federation, available at <>.The Constitution of the Russian Federation was adopted by national voting on December 12, 1993. The previous Constitution (which was adopted in 1977 by the Supreme Soviet of the USSR) included weaker privacy guarantees.

[4293] Law on Personal Data, Law 152-FZ, July 27, 2006, available at <> (in Russian). Law on Information, Information Technologies and Protection of Information, Law 149-FZ, July 27, 2006, available at <>. See also Russian Federation Federal Law No. 24-FZ, Law of the Russian Federation on Information, Informatization and Information Protection, January 25, 1995, available at <> (extracts).

[4294] Ratified by Russia on December 19, 2005.

[4295] Id.

[4296] Tax Code, Article 84, Part 1.
[4297] Labor Code, Articles 85-90; see also, "Improved Russian Labor Code Entered Into Force," Vol. 8, No. 2, International Law Update, February 2002.
[4298] Law "On Banks and Banking Activity," Principles of legislation of the Russian Federation with regard to citizens' health protection, Family Code, Tax Code, etc.

[4299] Sabrina Tavernise, "Personal Data Is Pirated from Russian Phone Files," New York Times, January 23, 2003, available at <>.

[4300] Criminal Code at Article 137.
[4301] Id. at Article 138.
[4302] Id. at Article 139.
[4303] Id. at Article 272.
[4304] Criminal Code, supra at Article 272, Part 2.
[4305] For the period of spring 2005, RUB 300,000 is about USD 10,800.

[4306] Civil Code, Article 150, Part 2.
[4307] Id. at Article 151.
[4308] Administrative Code, Article 13.11.
[4309] Id. at Article 13.14.
[4310] Id. at Article 5.39.

[4311] According to Boris Miroshnikov, Chief of the Bureau of special technical measures within the Ministry of Internal Affairs, speech on a National forum for informational security, Moscow, January 25, 2007, available at <> (in Russian).

[4312] "Russian hackers convicted of cracking computers in the UK", OSP International, October 24, 2006, available at <>.
[4313] Arjen de Landgraaf , "Security matters: The almost perfect bank heist," Financial Times, March 14, 2007, available at <>.

[4314] The Federal Law No. 126-FZ of July 7, 2003.
[4315] The Federal Law No. 144-FZ of August 12, 1995; amended in 1997, 1998, 1999, 2001, 2003, 2004, 2005 at Art. 8.

[4316] Article 5 of the Federal Law "On operational investigations" of August 12, 1995 (the Federal Law No. 144-FZ of 1995).
[4317] "Police Get Window of Access to E-mail," The Moscow Times, January 13, 2000.
[4318] This amendment has been introduced by the Federal Law No. 26-FZ of March 20, 2001.
[4319] The "protocol" is an official paper, a form that must be completed and signed to certify that the data was deleted.

[4320] US State Department Human Rights Report 2006 – Russia, available at <>.

[4321] Id.

[4322] "Russia Prepares to Police Internet," The Moscow Times, July 29, 1998. More information in English and Russian is available from the Moscow Libertarium Forum <>.
[4323] In Russia a license is necessary for providing Internet services. ISPs have to meet license terms and conditions including cooperation with secret services.

[4324] "Supreme Court Rules Phone-Tapping Clause in Decree to be Illegal," BBC World Monitoring, September 28, 2000.
[4325] Article 64 of the Federal Law No. 126-FZ of July 7, 2003.

[4326] US State Department Human Rights Report 2006, supra.
[4327] Federal Act No. 98-FZ.

[4328] Decree of President of the Russian Federation on "Measures of Providing the Information Safety of the Russian Federation in International Information Exchange Area" No. 611 of May 12, 2004.

[4329] "President Putin doesn't approve administrative restrictions of Internet," December 23, 2004, available at <>.

[4330] See "Internet should choose self regulation," Mayak, January 31, 2006 <>; "Less limitations is better," Novye Izvestia, July 7, 2006 <> (in Russian).

[4331] Ministry of International Affairs: Internet must be under control of the State, of November 2004, available at <>.
[4332] Decree of the Plenary Session of the Supreme Court of the Russian Federation on "Court Practice for Cases on Protecting of Honor and Dignity and also Business Reputation of persons and Legal Persons" No. 3 of February 24, 2005.
[4333] A. Richter, "Legal Basis of the Journalism," Institute of the Information Law Issues, Moscow, 2004.

[4334] Of March 13, 2006 N 38-FZ.
[4335] "Russian anti-spam laws", Olga Emelyanova, CitCity, January 30, 2007 <> (in Russian).

[4336] The Law "On Counteraction Extremist Activity" No. 114-FZ of July 25, 2002. See also Declan McCullagh, "Russia Poised to Restrict Net Activities," CNET, June 24, 2002, available at <>.

[4337] On October 23, 2002, a group of Chechen terrorists captured about 800 hostages in one of Moscow theaters. They demanded taht the Russian government withdraw its troops from the territory of Chechnya. The terrorist attack ended with the death of all terrorists and 129 of the hostages. Since 1999, Russia has been at war in Chechnya.
[4338] The Russian government considers the war in Chechnya to be a "counter-terrorist" operation.
[4339] Nabi Abdullaev, "Duma Seeks to Grant FSB Sweeping Powers," The St. Petersburg Times, December 21, 2004, available at <>.
[4340] Federal law N 35-FZ on Counteraction to Terrorism; Government Decree N 352 on Measures on Realization of the Federal Law on Counteraction to Terrorism. See "Putin Signs Controversial Antiterrorism Law", Radio Free Europe / Radio Liberty, March 6, 2006 <>.

[4341] Human Rights Network, Privacy in the Russian Internet (Human Rights Publishers, 2005), available at <> (in Russian).

[4342] See, e.g., Chris Riley, "Moscow's Heart of Darkness," NBC News, August 7, 1998, available at <>.

[4343], available at <>; "Gref: electronic Ids may replace passports in 6-8 years," Russia Journal Daily, June 10, 2003, available at <>.

[4344] Email from Sergei Smirnov, Human Rights Network, Russia, to Allison Knight, Research Director, Electronic Privacy Information Center, May 31, 2007 (on file with EPIC).

[4345] Signed February 28, 1996; ratified May 5, 1998; entered into force May 5, 1998, available at <>.
[4346] Signed November 8, 2001; ratified December 19, 2005; available at <>.

[4347] <>.

[4348] Human Rights Network, Privacy in the Russian Internet (Human Rights Publishers, 2005), available at <> (in Russian).

WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback