Data Retention under the 2016 “Yarovaya Law” in Russia: Disrupting the European Status Quo?


Back in 1998, Prof. Goldsmith concluded that both cyberspace and ordinary transactions involve people in real space transacting with other people in real space, which sometimes causes real-world harms.[1] At times, therefore, in the digital domain as in the “real world”, some of the recognised human rights may be temporarily or permanently restricted to prevent criminal activities. State security concerns stemming from a terrorist threat seem to present a reason du jour for many governments to set limitations on privacy in digital communications. In the recent words of Vĕra Jourová, EU Commissioner for Justice, Consumers and Gender Equality,

‘The recent terror attacks have reminded us of the urgent need to address illegal online hate speech. Social media is unfortunately one of the tools that terrorist groups use to radicalise young people’.[2]

The post-9/11 era “can be characterised by the desire and ability of governments to develop mass surveillance systems, largely unseen and until recently unsuspected” and “a common trend can be discerned whereby governments monitor the communications and online behaviour of the vast majority of ordinary citizens.”[3] Whereas the European Court of Human Rights (“ECtHR”) has often extended a margin of appreciation to the member states when privacy rights have clashed with national security concerns,[4] at the EU-level the attempt to codify data retention rules in an overly wide manner was quashed by the European Court of Justice (“ECJ”). The events unfolded as follows: the 2006 EU Data Retention Directive[5] prescribed the storage of EU citizens’ telecommunications metadata for a minimum of 6 months and at most 24 months and allowing, conditional upon the court approval, an access of the investigative authorities to the details such as IP addresses and times of use of every email, phone call and text message sent or received. The data retention used to serve the purpose of preventing, investigating, detecting and prosecuting serious crimes, such as organized crime and terrorism. On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid on the grounds that the interference with the fundamental rights to respect for privacy and the protection of personal data was not limited to what was strictly necessary.[6] In December 2016, the Court further elaborated that the EU law precludes national legislation that prescribes general and indiscriminate retention of data.[7]



Judge Spano, whom the author of this publication had an honour of interviewing in Strasbroug for this publication, describes the relevant case-law of the ECtHR as follows:

“The case of Roman Zakharov v Russia (Grand Chamber)[8] is the Court’s current most elaborate judgment on the issue of interception of data by police for law enforcement purposes. An interesting question with which the Court will have to deal in its pending cases is to what extent the reasoning in Zakharov applies in those situations that deal with indiscriminate bulk interception.”


The United States do not have ISP-level mandatory data retention laws similar to the EU Data Retention Directive.[9]

In the meantime, the 6th Convocation (2011-2016) of the Russian Parliament passed a long list of laws regulating the Internet with the principal rationalisation of curbing the terrorist threat. These laws provide the State authorities with a wide set of measures to control the Internet and are among the most radical in Europe. It is difficult to differentiate what is the genuine driving force for these precautions. The legislative package in question can be seen through two different lenses: the first being that the authorities in Putin’s Russia are frank and sincere fighters against terrorism and extremism; the second – that the Russian Federation politically demonstrates a growing authoritarian state in which the anti-terrorism concerns are a smoke-screen used by the politicians with the aim of further reducing the freedom of expression to fortify their subservient political system.

One of the most contentious pieces of legislation is a Federal Law No. 375-FZ, dated 7 July 2016, one of the so-called “Yarovaya Laws”.[10] It builds on an already existing legislation mandating the ISPs and telecoms to cooperate with the investigative authorities and further increases the state’s surveillance discretion in the domain of digital communications. Among other things, the law prescribes that as of 1 July 2018 ISPs and other telecommunications companies store all telephone conversations, text messages, videos, and picture messages for six months. In addition, telecom companies must retain customers’ metadata — that is, information about with whom, when, for how long, and from where they communicated — for three years. The investigative authorities are allowed to access such data retroactively. Providers of telecommunication services are also legally obliged to help the investigative authorities decipher encrypted messages sent by users.

In short, the legislation creates a precedent for storage of personal data on a previously unseen scale and makes criminally punishable an expression of a wider range of opinions on the Internet, further eroding online freedom of expression in Russia. The approach to data retention taken by the Russian legislature is in stark contrast with the position recently expressed by the ECJ, described above. The laws under scrutiny have been criticized not only by journalists and human rights advocates[11] but also by some Russian State-funded experts.[12] Firstly, the legislation creates a precedent for storage of personal data on a previously unseen scale, making any security breaches a non-trivial event from data protection perspective.[13] Secondly, the representative of the biggest[14] Russian telecom operator, MTS, pointed out that, given MTS’s current income figure, they will have to put all of their profits into the data centre infrastructure for the next 100 years to fully implement data storage provisions and ensure compliance with Yarovaya’s Laws.[15] The fact that most Russian telecoms will not be able to comply with this legislation may, in fact, be beneficial for the government – those companies will become de facto criminals, giving the state authorities “the leverage to extract from them any other concession it desires”.[16]

The author harbours a concern that, despite the recent loss of the “Internet regulationists” before the ECJ in Digital Rights Ireland and Tele2 cases, the Russian approach might still inspire Eastern European non-EU legislators. This concern is based on the following three factors. First of all, taking into account political, cultural and religious ties with a number of European nations, as well as its strong position as an exporter of energy resources,[17] Russia has a significant influence over the Soviet successor states currently not in the EU, namely, Azerbaijan, Armenia, Belarus, Georgia, Moldova and Ukraine.[18] Secondly, due to the ethnic composition of and recent events in the North Caucasus region,[19] Russia joins Turkey[20] on the long list of European states where political violence and terrorism have religious and ethnic background and where the authorities are constantly seeking the ways to mitigate the terrorist threat. Thirdly, in the field of online regulation a trend of transnational convergence and cross-fertilisation of legislation can be traced.[21]

[1] Goldsmith, J. L. (1998), Against Cyberanarchy. University of Chicago Law Review 65(4), pp. 1199-1250 at p. 1200.

[2] [].

[3] Vedaschi, A. & Lubello, V. (2015), Data Retention and its Implications for the Fundamental Right to Privacy, Tilburg Law Review 20(1), pp. 14-34.

[4] F. Fabbrini, F. (2015), Human rights in the digital age: The European Court of justice ruling in the data retention case and its lessons for privacy and surveillance in the U.S, Harvard Human Rights Journal 28, pp. 65-95.

[5] Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.

[6] Joined Cases C-293/12 and C-594/12 Digital Rights Ireland Ltd, Kärntner Landesregierung, Michael Seitlinger, Christof Tschohl and others (ECJ, 8 April 2014).

[7] Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Post-och telestyrelsen, Secretary of State for the Home Department v Tom Watson and others (ECJ, 21 December 2016).

[8] Roman Zakharov v. Russia (47143/06) [GC] (ECtHR, 4 December 2015)

[9] Akrivopoulou, C. and Psygkas, A. (2011). Personal data privacy and protection in a survillance era. 1st ed. Hershey, Pa.: IGI Global.

[10] []

[11] Bailey, R. (2016). I Learned It By Watching You! Reason, 48(6), pp. 18-19.

[12] [].

[13] []

[14] []

[15] []

[16] Bailey, R. (2016). I Learned It By Watching You! Reason, 48(6), pp. 18-19.

[17] Demakova, E. & Godzimirski J. M. (2012), Russian External Energy Strategy: Opportunities and Constraints, in Kuzemko, C.; Belyi, A. V.; Goldthau, A. & Keating, M. F., eds, Dynamics of Energy Governance in Europe and Russia. New York: Springer, pp. 149-168.

[18] See, for general discussion, DeBardeleben J. (2009) The Impact of EU Enlargement on the EU-Russian Relationship pp. 93-112, in Kanet R.E., ed., A Resurgent Russia and the West: The European Union, NATO, and Beyond, Dordrecht, Netherlands: Republic of Letters Publishing, pp. 93-112.

[19] Toft, M. D. & Zhukov, Y. M. (2012), Denial and punishment in the North Caucasus: Evaluating the effectiveness of coercive counter-insurgency. Journal of Peace Research, 49(6), pp. 785-800.

[20] Alexander, Y., Brenner, E. and Krause, S. (2008). Turkey: Terrorism, civil rights and the European Union. 1st ed. London: Routledge.

[21] Hughes, J. (2002), The Internet and the Persistence of Law, Boston College Law Review, 44, pp. 359-396.

Share this article!

About Author

Leave A Reply