The Americas: Argentina | Brazil | Mexico
East Asia, South Asia and Pacific: Australia | China | India | Japan | South Korea | Taiwan
Europe and Central Asia: European Union | England | France | Iceland | Italy | Norway | Portugal | Russia | Spain | Turkey
Middle East and Africa: Iran | Israel | South Africa | United Arab Emirates
The Federal Government has adopted austerity measures to minimize the economic consequences of the COVID-19 pandemic. However, the right to apply specific measures aimed at enforcement of policies to combat the pandemic, including the employment of new technologies to monitor the community spread of COVID-19 and trace the contacts of infected people, has been given to the governors of the constituent components of the Russian Federation. Some regions have amended their provincial laws in order to ensure the legality of newly implemented policies. Most of the time, the use of technology has extended to tracing contacts, monitoring one’s location, and fining people for disobeying the isolation orders. Several regions have required the registration of the total population in order to obtain electronic Quick Response codes that serve as digital passes allowing individuals to leave their primary residences. Legal observers have noticed that these measures are not in line with Russian privacy and data protection legislation. As a follow-up to the pandemic, the Government introduced new federal legislation aimed at defining the legal regime for the forced quarantining of the population and building a nationwide population database.
According to information from Johns Hopkins University, on May 22, 2020, Russia officially reported around 326,000 confirmed cases of Covid-19 and 3,250 deaths from the infection. The infection was most widely spread in Moscow, St. Petersburg, and other major industrial cities in the center of the country. A full-scale nationwide quarantine was not introduced in Russia. In late March, Russian President Vladimir Putin announced the closure of nonessential businesses for one week and “asked the Russians to stay at home without outlining penalties for disregarding the request.”
The national legislature adopted austerity measures aimed at fighting COVID-19. The legislative package mainly addressed economic difficulties of the pandemic experienced by individuals and territories. These measures included amendments to the federal budget, new fines for violation of quarantine rules and distribution of fake news about COVID-19, and other specific actions, for example, deferral of loan payments, postponement of state inspections for cars, increased sick leave coverage, a simplified procedure for applying for child subsidies, allowing the online purchase and delivery of medicines, and new rules for airfare refunds. However, the power to make decisions concerning the implementation and enforcement of stay-at-home policies was delegated to the heads of the 85 regional administrations that constitute the Russian Federation. Most of the time, smart phone applications aimed at tracing the contacts of infected persons and identifying their location were used to enforce the established measures, mainly because of the availability of smartphones. Reportedly, 95.3 million out of the 144 million people living in Russia have smartphones.
II. Legal Framework
A. Privacy and Data Protection
The right to privacy is incorporated in articles 23 and 24 of the Russian Constitution. Article 137 of the Criminal Code, entitled “Invasion of Personal Privacy,” provides for a monetary fine of up to RUB200,000 (approximately US$3,380) and up to two years of deprivation of liberty for the illegal collection or spreading of information about the private life of a person, without the person’s consent, where the information concerns personal or family secrets.
Federal Law of the Russian Federation No. 152-FZ on Personal Data is the main legal act in the field of collecting, handling, and protecting information deemed personal. Under this Law, “any information directly or indirectly related to a physical person or that allows a physical person to be identified” is recognized as personal data. State and municipal authorities, legal entities, and individuals are required to obtain a person’s consent in order to process personal data.
The Law does not include an exhaustive list of information that is considered personal. Some examples of what should be treated as personal information can be found in various implementing regulations. For example, Government Regulation No. 125 of March 4, 2010, on the List of Electronically Recorded Personal Data Included in Identification Documents, states that one’s passport or other ID number, personal name, date of birth, citizenship, gender, and digital photographic image constitute personal data.
It is not clear, however, if each separate component of this information is recognized as personal data or only in combination with other information if such a combination would allow an individual to be identified. Russian lawyers are generally of the opinion that a person’s name (first, middle, and last), date and place of birth, address, family and social status, education, profession, income, and other information may constitute personal data if this information or its combinations would allow an individual to be identified.
Regarding other forms of identification, it appears that there is agreement among Russian lawyers that a computer IP address cannot be considered personal data because it does not allow a person to be directly identified. A person’s telephone number is viewed as personal data only if it is firmly associated with an individual through an agreement with a service provider. Similar principles apply to the recognition of an individual’s email address as personal information.
B. Data Retention and Location Tracking
Every organization involved in processing personal data sets its own time frame and rules for handling personal data based on principles established by the Law and guidance issued by the Federal Service for Oversight in the Field of Communications and Information Technologies. The retention term is no less than six months for the messages and transmitted files, and no less than three years for information about the fact of communication.
The Law established a general prohibition on taking any actions involving personal data without the consent of the data subject, except for a few specific situations when such consent may not be required. These may occur when personal data actions are necessary for any of the following purposes:
- To perform obligations under an international treaty,
- To conduct judicial proceedings and ensure the enforcement of a judgment,
- To secure legal rights and interests of third persons,
- To perform the activities of government institutions, and
- To protect the life, health, and other interests of the data subject if the subject’s consent cannot be obtained.
Tracking and identification of one’s geographic location by using electronic devices is not regulated by Russian legislation. This information is not included in article 10 of the Personal Data Law, which defines what information can be recognized as personal. A 2014 government regulation ordered provincial and municipal emergency services to develop tools that would allow the identification of the location of a person who calls for assistance in an emergency such as a fire or roadway traffic accident. In 2019, Russian legislators decided that geolocation information is information about services provided to customers by telecom operators. The new law protects the right of law enforcement to receive this information from mobile communications providers when a search for a missing child is conducted. Law enforcement authorities are required to receive judicial approval within 48 hours for the usage of geolocation information. Later, the legislature discussed a proposal to expand the right of police to use geolocation information in all search and rescue operations and allow the mobile phone users to transfer this information to third persons, however, this bill did not advance beyond the first reading. In 2016, a court found that when a telecom company shares with third persons information about its customers, including their geolocation information, it commits a violation of the licensing agreement.
III. Electronic Measures to Fight COVID-19 Spread
The Russian health care system is based on a strong governmental role in ensuring the country’s sanitary and epidemiologic well-being. Combating epidemics and responding to emergencies are included in the joint jurisdiction of federal and provincial authorities. Government policy in the area of protection against medical emergencies is formulated in a number of federal and provincial legislative acts, presidential decrees, government regulations, and government programs. There is no special legislation aimed at the regulation of issues related to public health emergencies and epidemics. The outbreak of epidemics is considered an emergency situation, and depending on the outbreak’s severity, rules under a state of emergency may be declared.
While the federal legislation was amended with provisions introducing criminal responsibility for violation of quarantine rules and stricter punishments for distribution of fake news about the pandemic, most of the measures for countering the pandemic were introduced by regional authorities. On March 23, 2020, the Prime Minister of Russia ordered the federal Ministry of Communications to develop, within the next three days, a guidance for regional authorities on how to build contact tracing systems based on transferring customers’ geolocation information by mobile phone operators to regional authorities in charge of fighting COVID-19. Transportation employees became subject to additional control and extended contact tracing.
The introduction of digital passes that would allow individuals to go outside of their residences and the consequent surveillance of people’s movements has turned out to be the most controversial point of the quarantine measures implemented. Most of the Russian regions required the self-isolated population to use tracking technology and install a system of downloadable matrix barcodes called Quick Response (QR) codes, which serve as digital passes. These QR codes are required to use public transportation. They are linked to prepaid transportation tickets, while individual public transit tickets usually available for purchase by cash at any point of sale were canceled.
As described in a Washington Post article, “as soon as the digital code is created on a cellphone, the clock is ticking. It allows three hours to shop at the nearest grocery store or pharmacy or to visit a doctor. One hour is allotted to walk the dog. Taking out the trash should take no more than 30 minutes. Street surveillance cameras are watching for anyone trying to skirt the rules.”
A concern has been reported that these efforts will require “building up an entirely new huge database and then getting all people living in Moscow to provide their personal data to that database.”
A separate app called Social Monitoring and built with the purpose of tracking patients who have tested positive for COVID-19 but were allowed to undergo treatment at home, as well as people who have been in contact with them, has been implemented in Moscow since April 3, 2020. A request to install the app is sent as a text message to all people identified as those who were in contact with an infected individual. The Deputy Mayor of Moscow has said this may include relatives, coworkers, passengers on a flight used by the infected person, cab drivers, couriers, etc. Reportedly, the Moscow City Government has an agreement with all Russian airlines operating international flights, and they share information with the authorities about all individuals arriving from abroad, including their phone numbers and addresses. Similar agreements exist with mobile services providers who report to the government instances when a customer uses a SIM card purchased abroad. The app is based on using the Global Positioning System (GPS) function for geolocation or the user’s network connections in order to determine his or her location if the GPS function is not available. The app monitors the location of the person automatically and periodically requests the smart phone holder to submit a selfie taken inside his or her home. If a person has not registered within 24 hours after being required to do so, has not responded to the request for identification within one hour, or has moved away from the location designated for the person’s isolation, the app reports the violation to the city authorities. If people refuse to install the app on their phones, they receive text messages with reminders during the first three days after an installation request is made, and then fines are issued. Individuals who have no smartphones receive special devices with a preinstalled Social Monitoring app.
Confirming popular concerns about weak protection of data collected by government agencies, it was reported that the names and passport numbers of people fined for violation of the isolation rules can be found on the website for making fine payments by using ticket numbers. The city government stated that disclosure of this information does not constitute a violation of data protection rules. While lawyers disagree with this government position, they believe that individuals have no chance for remediation and compensation. Formally, government institutions can receive personal information from private companies under the court order only. Law enforcement may be allowed to have access to this information during investigative operations based on a special request. It appears that such information is shared most of the time regardless of the legal arrangements. Authorities also have information to all the personal data of individuals who have been registered on the web portal for state services because such a registration requires the customer’s consent for transfer of information to the third persons. Russian experts say that even when information includes nonpersonal data, there are possibilities for full identification of a person.
Similar apps and monitoring systems were developed and established in other regions. All the regionally introduced systems are not connected with each other, and regional governments were free to select local solutions. For example, in the largest East Siberian region, employers and self-employed individuals are supposed to send requests for passes by email to the regional digital development agency and then receive codes through text messages after verification of the requester’s identification through the database of residents registered at the regional web portal for state services. Reasons for pass requests are, for example, visiting relatives, traveling to summer homes in the country, meeting with an attorney or a notary, and accompanying minors, among other things. Each pass is valid for two 60-minute trips.  In another region, the local administration partnered with a regional bank in which the regional government is a major stakeholder and asked all residents applying for the digital passes to consent to the processing of their personal information by the bank.
Cybersecurity experts expect leaks of personal data and violation of data protection requirements because these regional systems were built in a rush and were not certified by federal cybersecurity authorities. They are concerned that mobile applications require access to sound, video, pictures, and records of movements stored in the phones.
The implementation of these measures met with two major problems: the difficulties of actual enforcement and technical glitches in computer systems. It was reported that 60,000 people in the city of Moscow installed the Social Monitoring app on their smartphones. About 54,000 fines were issued to about one-third of those who were under surveillance. Some people were fined several times. People complain that they are fined for not sending a selfie on time or when the GPS erroneously shows that a person has left his or her residence. About 400 people were fined for not responding to self-identification requests received at nighttime. Later, the nighttime self-identification requests were terminated and fines were canceled. The city government allows a person to dispute a fine but the procedure is reportedly long and complicated. Each person who allegedly violates the house quarantine rules is fined in the amount of RUB4,000 (approximately US$70) under the city law. While federal legislation provides for 10 times higher fines for approximately the same violations, it is the regional laws, which were quickly amended with detailed norms regulating the behavior of different categories of the population during the pandemic, that are enforced.
IV. Related Legislative Developments
On May 21, 2020, Russian media reported that the upper chamber of the legislature discussed a bill that would amend the Federal Law on Protection of People and Territories in Emergency Situations, which would define the regime of self-isolation and allow federal and regional authorities to impose varied restrictions on individuals’ rights. Presently, Russian law differentiates between an emergency situation and a state of emergency. The Law on Emergency Situations emphasizes that additional measures undertaken by government authorities to mitigate the consequences of the emergency cannot restrict the rights and freedoms of people. These rights, specifically the right to free movement, were limited by isolation rules recently imposed by regional governments to fight the pandemic. These regional measures appeared to be in contradiction with federal legislation. The amendment appears to be able to bring the practice in line with legislation and create legal grounds for restriction of rights in the future.
Also, a new Federal Law on Unified Federal Information Registry was passed by the legislature on May 21, 2020. The Law provides for the creation of a single comprehensive database run by the National Tax Service that would collect data on all Russian citizens and residents and keep records of their personal life. Data will be collected from the police and other ministries and government organizations, including information on one’s family status, education, employment, military service, citizenship and migration information, civil registration records, etc. All individual records will be linked to profiles of one’s parents, spouses, and children. Legislators who introduced the Law stated that no medical or biometric information will be collected, although a person’s social security and health insurance information shall be included in the database. The Law allows individuals to request information from the database and provides for the creation of a secure part of the database for information on persons placed under state protection. The Law will enter into force as soon as it is published, and a transition period will be established through December 31, 2026. The Law makes it possible for the collected information to be shared among government agencies and institutions. Legislators from the opposition parties said that the Law contradicts the Constitution and violates the privacy rights of citizens. They stated that, presently, there are no technical means in Russia to guarantee the safety of the collected information.
Prepared by Peter Roudik
Director of Legal Research
 COVID-19 Dashboard by the Center for Systems Science and Engineering (CSSE), Johns Hopkins U. (May 22, 2020), https://gisanddata.maps.arcgis.com/apps/opsdashboard/index.html#/bda7594740fd40299423467b48e9ecf6.
 Federal Law No. 98-FZ of Apr. 1, 2020, on Amending Legislative Acts Related to Preventing and Eliminating Emergency Situations, Pravo.gov.ru (official publication), https://perma.cc/WK8J-LFB7 (in Russian).
 Ugolovnyi Kodeks Rossiiskoi Federatsii [Criminal Code of the Russian Federation] No. 63-FZ, June 13, 1996, Sobranie Zakonodatel’stva Rossiiskoi Federatsii [SZRF] June 17, 1996, No. 25, item 2954, https://perma.cc/N8FX-NZJX (in Russian), https://perma.cc/43WT-78TJ (unofficial English translation).
 Id. art. 3(1).
 Id. arts. 6(1), 9.
 Government Regulation No. 125 of Mar. 4, 2010, on the List of Electronically Recorded Personal Data Included in Identification Documents, Rossiiskaia Gazeta (official publication), Mar. 10, 2010, No. 48, https://perma.cc/4W52-GKTH (in Russian).
 Law on Personal Data, art. 5.
 Federal Law No. 374 of July 6, 2016, on Amendments to the Federal Law on Countering Terrorism and Other Legislative Acts, Rossiiskaia Gazeta (official publication), July 8, 2016, https://perma.cc/SR95-SAUH (in Russian).
 Law on Personal Data, arts. 7, 9.
 Government of the Russian Federation, Regulation No. 2446 of Dec. 3, 2014, on Approving the Complex Development Program “Safe City,” Pravo.gov.ru (official publication), https://perma.cc/D73Q-7SBK (in Russian).
 Constitution of the Russian Federation art. 72.
 Daria Kozlova, Big Med Brother: How Big Data Is Used to Fight COVID-19 and Whether Total Surveillance Is Justified in the Face of a Pandemic, Nezavisimaia gazeta, Mar. 20, 2020, https://perma.cc/Q9R4-AXY9 (in Russian).
 Khurshudyan, supra note 24.
 Kozlova, supra note 27.
 Anna Vilisova & Ilya Shevelev, Digital Pass Systems Are Being Introduced Throughout Russia. We Checked Some of Them with Security Experts—and This Is What Happened, Meduza.io, Apr. 27, 2020, https://perma.cc/TK5B-HW9N.
Last Updated: 12/30/2020