Russian Federation

Activity in the sphere of information security:
Federal Security Service is empowered to issue licenses re following activities mentioned in the Article 12 of the Law on Licensing:
- development, manufacturing and distribution of encryption tools, informational and telecommunication systems protected by them as well as provision of services in the sphere of encryption;
- development, manufacturing and distribution of technical tools for secret obtaining of information;
- detection of the tools for secret obtaining of information;
- development and manufacturing of tools for protection of confidential information (for certain state authorities only).
In respect of the issued licenses Federal Security Service is empowered to exercise state control on the compliance with the legislation, including conduction of audit (documentary or field; scheduled or unscheduled). Also it has the powers re administrative liability:
- to bring persons to administrative liability for administrative offence stipulated by the Section 1 of the Article 13.12 of the Administrative Offences Code re breach of terms of license for conduction of activity in the sphere of information security (Article 23.46 of the Administrative Offences Code);
- to deal with major breach of terms of license (Section 5 of the Article 13.12) but decision on case is being delivered by the court;
- to bring persons to administrative liability for administrative offence stipulated by the Section 1 of the Article 13.13 of the Administrative Offences Code re unlicensed activity in the sphere of information security (if license is needed).
Federal Service for Technology and Export Control is empowered to issue licenses re following activities mentioned in the Article 12 of the Law on Licensing:
- development and manufacturing of tools for protection of confidential information (except for cases when Federal Security Service is a competent authority);
- technical protection of confidential information.
In respect of the issued licenses Federal Service for Technology and Export Control is empowered to exercise state control on the compliance with the legislation, including conduction of audit (documentary or field; scheduled or unscheduled). The powers of Federal Service for Technology and Export Control re administrative liability are similar to powers of Federal Security Service.
State secret. Federal Security Service, Foreign Intelligence Service of the Russian Federation, Federal Service for Technology and Export Control, Ministry of Defense are empowered to deal with the licensing and exercising of state control in respect of state secrets (including the issuance of licenses and audit) (Government Regulation No. 333). They are empowered to bring persons to administrative liability for administrative offence stipulated by the Section 3 of the Article 13.12 of the Administrative Offences Code re breach of terms of license for conduction of activity in the sphere of information security in respect of state secret (Article 23.45 of the Administrative Offences Code).
Commercial secret
Investigative jurisdiction on the criminal offence established by the Article 183 of the Criminal Code re illegal collection of information conducting commercial, tax or bank secret is vested in internal affairs authorities, however other authorities may also investigate such offence if it was revealed by them (the Article 151 of the Criminal Procedure Code).
Personal data
Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roscomnadzor). Roscomnadzor is subordinate to the Ministry of Communications and is an authority empowered to protect personal data subjects. In accordance with the Law on Personal Data, Law on Information and Government Regulation No. 228, the main function of Roscomnadzor in connection with personal data is to exercise state control and supervision for compliance with the Russian legislation on personal data. Thus, Roscomnadzor is empowered to:
- Conduct audit of the personal data operators re proper compliance with the legislation on personal data which may be documentary or field and scheduled (personal data operator may be randomly included in the list but not more than 1 time per 3 years) or unscheduled (in case a complaint from personal data subject, other state authority or other entities was received).
- Maintain Register of Operators Conducting Personal Data Processing and verify notifications submitted by operators.
- Request operators to provide necessary information.
- Take measures re suspension or termination of processing of personal data if such processing is carried out with violations.
- Apply to court to protect rights of personal data subjects. In particular, Roscomnadzor have a right to demand blocking of the Internet sites with violations. In case of positive decision of the court Internet site containing personal data processed with violations of personal data legislation shall be filled to the Register of Violators of Rights of Personal Data Subjects (https://pd.rkn.gov.ru/registerOffenders/viewregistry/) and be blocked on the territory of the Russian Federation (Article 15.5 of the Law on Information). In case of correction of the violation the Internet site shall be deleted from the Register and unblocked.
- Bring violators to administrative liability established by the Article 13.11 of the Administrative Offences Code.
- In case of criminal liability Roscomnadzor is not entitled to launch a criminal case but may sent materials re violation to appropriate law enforcement agencies. Criminal Code does not contain special offences re personal data, but in some case the Article 137 re illegal collection of information on private life of the individual or the Article 272 re illegal access to the computer information may apply.