21.9.2017

What Should Businesses Know About Russia’s New VPN Law?

In recent years, Russian authorities have done much to prevent Internet users located within the country from accessing illegal online content. As of 1 November 2017, a new law will close some backdoors to the ‘forbidden fruit’.

Not surprisingly, the new rules may jeopardize the use of corporate VPN connections of international companies. How can a business keep its VPN running even if Russian employees want to see more than they are allowed to by the state?

Corporate VPNs Feared to be a Backdoor to Illegal Content

There are several types of online content that are illegal and subject to ban in Russia.  They include, among other things, war and suicide propaganda and extremist materialsBanning procedures vary depending on the nature of the illegal information, but the result is always the same – access restriction to a relevant website.

The Russian Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) keeps records of websites and their network addresses and demands that website owners and hosting providers ban illegal content. If they fail to do so, all Russian Internet service providers (ISPs) will be required to block users’ access to the forbidden content. That is why the ban can be easily bypassed if users access a website through a non-Russian ISP.

Here is where online VPN services step into the breach and assist Russians in moving Internet traffic through exit nodes beyond Russian borders. Corporate VPNs work in the same way, but for a different purpose, as they help establish secured connections between all parts of a corporate network.

In the meantime, Russia-based employees of international companies may enjoy uncensored Internet via their corporate computers.

New Rules to Prevent Access to Illegal Content

On 29 July 2017 the Russian President signed amendments to the IT Law[1]  introducing the following rule:  owners of information and telecommunications networks and/or information resources (Internet websites and webpages, information systems and computer programs) that are used to provide access to information resources and information and telecommunications networks banned in Russia, are prohibited from allowing the resources and networks they own to be used in such a way as to allow access to banned resources and networks in of Russia (the Prohibition).

The law touches upon both online VPN services intended for private users and business solutions such as corporate VPN clients.

According to the amendments, an ‘owner of information and telecommunications networks and/or information resources’ (i.e., a VPN owner) will have to connect to the federal state information system which contains a list of information resources and networks access to which is restricted in Russia (the State Database).

The State Database will be maintained by Roskomnadzor and will filter all censored content. In case of non-compliance, Roskomnadzor may deny access to VPN through Russian ISPs. As of today, the Prohibition is primarily targeting publicly available VPNs, but corporate networks also fall under the Prohibition according to its literal reading. For this reason, the amendments provide for two exceptional cases.

Exceptions to VPN Restrictions

The Prohibition will not apply to state and/or municipal networks and also will not apply in situations where two conditions are fulfilled:

(a)    the users of the VPN that allows access to illegal content banned in Russia are predetermined and

(b)    VPN is used for technological purposes of supporting operations of the person using it.

The law does not elaborate on these two conditions which leaves them open for interpretation.

At this point, it is clear that a VPN owner should list all Russia-based employees using the VPN in order to meet the first condition. According to a common business practice in Russia, the list should be prepared in writing and adopted by the CEO of the company. However, determining which company needs to prepare the list in a group of companies may prove to be difficult.

The Russian IT Law knows no distinction between the parent company, which usually owns the VPN tools, and its subsidiaries and affiliates, the employees of which use the corporate VPN. Another thing to consider is guest networks which may share the same VPN connection with corporate networks. If that is the case, the company should keep a record of visitors using the guest network to comply with the requirements of the Prohibition.

As to the second condition, the actual scope and limits of ‘technological purposes’ seem unclear. The company should somehow ensure that its Russia-based employees do not use the VPN for any purpose other than the ‘technological purposes’. It is also uncertain whether the ‘person using’ the VPN (as specified in the original legal text of the amendments) means the employee or the company. Whatever ‘technological purposes’ are they surely do not include personal needs of the staff.

International Companies Should Prohibit Personal Use of VPNs

Based on Russian business practice, the most feasible approach for Russian subsidiaries of international companies is to amend the local IT policies or release a separate VPN policy prohibiting any personal use of the VPN and corporate computer systems connected with VPN as well as any other use aiming at bypassing local (Russian) laws.  Such policies must be amended/adopted in a formal procedure according to the Labour Code of the Russian Federation.

It will be clear whether or not these measures are sufficient only after the amendments enter into legal force and Roskomnadzor begins their enforcement. That is why we should keep an eye on Roskomandzor’s next steps regarding the Prohibition.

[1] Federal Law No. 276-ФЗ On Amendments to the Federal Law  On Information, Information Technology and Protection of Information dated 29 July 2017

Latest references

We are acting as the lead counsel to Fortum in a cross-border transaction in which Fortum is selling its recycling and waste business. The business is sold to thematic impact investing firm Summa Equity through its portfolio company NG Group. The debt-free purchase price is approximately EUR 800 million. The transaction is subject to authority approval and customary closing conditions. Fortum’s recycling and waste business to be sold comprises municipal and industrial waste management and end-to-end plastics, metals, ash, slag and hazardous waste treatment and recycling services. These businesses are located in Finland, Sweden, Denmark and Norway and currently employ approximately 900 employees.
Case published 18.7.2024
We advised Andritz Oy, a part of ANDRITZ group, with their acquisition of all the shares in Procemex Oy. The acquisition further strengthens ANDRITZ’s automation and digitalisation portfolio. Procemex is a global leader in integrated web monitoring and web inspection solutions for the pulp and paper industry. It has a team of more than 100 vision systems experts and has subsidiaries in Germany, Japan and the US. ANDRITZ offers a broad portfolio of innovative plants, equipment, systems, services and digital solutions for a wide range of industries and end markets. ANDRITZ is a global market leader in all four of its business areas – Pulp & Paper, Metals, Hydropower and Environment & Energy. The publicly listed group has around 30,000 employees and over 280 locations in more than 80 countries.
Case published 18.7.2024
We successfully acted as the lead external counsel for Citycon Plc in an arrangement whereby Citycon outsourced its Nordic Accounting and Lease Administration operations and related workforce in Finland, Sweden, Norway, Denmark and Estonia to Staria Plc. The outsourcing is expected to take place as of 1 August 2024. With this outsourcing arrangement, Citycon aims to align the size and capabilities of the company’s finance organisation with its future development, ensuring it can adapt to meet the company’s needs at any given time. During the assignment, we assisted Citycon in drafting the necessary contract documentation and planning the contract negotiations and timetable. We led the outsourcing agreement negotiations and advised Citycon on employee transfer and data privacy related matters. We also coordinated legal advice for other in-scope countries. Citycon is the leading owner and developer of urban hubs in the Nordics and Baltics. Citycon’s 33 mixed-use, necessity-based centres are located in the major cities in Finland, Sweden, Norway, Denmark and Estonia. Citycon transforms unique locations into sustainable communities and cities full of life, serving 140 million people each year and delivering long-term share value. Citycon brings value to communities by developing urban hubs for living, working, socialising and shopping. Citycon has extensive experience as an urban developer and uses its expertise in creating mixed-use centres that include retail, offices, hotels, housing, food & beverage as well as healthcare, culture and leisure services.
Case published 13.5.2024
We acted as Zendesk, Inc.’s Finnish legal counsel in its acquisition of Ultimate Enterprises Oy, an industry leading provider of service automation using AI technology. The cross-border acquisition was completed in cooperation with the transaction’s lead counsel Allen & Overy. Zendesk is a leading global technology company that provides software-as-a-service and customer experience (CX) products based in the US. The acquisition of Ultimate expands Zendesk’s AI-powered CX offerings.
Case published 26.3.2024