Nationalized data: New Russian legislation is latest example of emerging data borders

Russia began enforcing a law last year requiring data relating to Russians to be stored on servers that physically sit in Russia. Now, word has leaked of a new law (currently in draft form) that would attempt to further restrict Internet traffic along geographic borders.

The proposed law would give state regulators control over the “Russian part of the Internet,” including routing and domain administration, and would require surveillance of any cross-border traffic. The bill is part of a broader expansion of surveillance, including an effort to require Internet and phone providers to log Russians’ activity so that the state can access it for three years.

But even if Russian lawmakers decide restricting cross-border traffic is a good idea, it’s unclear they’d have the capability to enforce such a restriction. The company I work for, Dyn, monitor’s global Internet performance, and our visibility into Internet traffic suggests that much of Russia’s domestic traffic currently depends heavily on routes that lead far outside the country. There are state-owned telecom companies, for example, that detour their data through a country Russia is in armed conflict with as well as through other European neighbors Russia has butted heads with on important policy issues.

Consider a Russian citizen in Moscow using the country’s third largest telecom provider, MegaFon, to send some data to St. Petersburg. Nine out of 10 times, that data would hop right through Kiev, Ukraine. And more than 40% of data from Moscow to St Petersburg via MTS, the country’s largest mobile operator, gets there via Amsterdam and Frankfurt.

Government-owned telecoms follow the same pattern: More than 85% of the Moscow-St.Petersburg data travels via Frankfurt for TransTelekom, which is a part of government-owned Russian Railways. Most of the data leaving Russia does so over RETN’s high-speed backbone, which has major points of presence throughout Central and Eastern Europe and operates a major Moscow-Kiev link.

What Russia’s move could mean for your business

Russia’s current data nationalization law, which it started enforcing last year, requires personal data about Russians to be stored and processed on servers physically located within Russia. The law applies to both domestic and foreign companies doing business in Russia. Russia’s data regulator, Roskomnadzor, audited 317 companies for compliance last year and found two violations. It announced plans to expand those audits this year, including audits of major companies like Microsoft, Hewlett-Packard, and Citibank.

It is unclear whether the Russian law will be enforced in a way that covers temporary routing of data outside of Russia. A provision of the law says that Russians’ personal data can only be transferred across borders when there is adequate protection for that data, although it’s unclear whether temporary routing would count as such a transfer. (If it does, Ukraine, Germany, and the Netherlands have all signed a European treaty on data collection, which the Roskomandzor has indicated satisfies the adequate protection requirement.) It is not clear whether strong encryption is sufficient protection under any of these proposals. Even if it is, the Russian legislature (like the legislatures of many other countries) is also considering weaker encryption regimes.

Data nationalization policies should be of increasing interest to businesses. Proposals elsewhere, including in India and Germany, have raised the possibility that some countries will require domestic traffic to be routed exclusively in-country. Indeed, we may see a trend in the nationalization of data.

Since the Internet is a network of networks, with each independent network designed to make its own choices about what is most efficient and effective for its own use, creating geographic boundaries around the flow of traffic is fundamentally problematic. Nevertheless, this trend — in Russia and elsewhere — is showing no signs of abating.

Dave Allen is the Senior Vice President at Dyn where he oversees Dyn’s legal team. He is an alumnus of Nixon Peabody LLP, where he practiced in the Global Business Transactions and Private Equity groups. In private practice, he represented strategic and financial buyers and sellers of publicly and privately held businesses and served as outside general counsel to technology companies. He has been recognized as a New England Super Lawyer, Rising Star each year from 2009-2013 by Law and Politics Magazine.