Digital Business in Russian Federation: overview

A Q&A guide to digital business in Russian Federation.

The Q&A gives a high level overview of matters relating to regulations and regulatory bodies for doing business online, setting up an online business, electronic contracts and signatures, data retention requirements, security of online transactions and personal data, licensing of domain names, jurisdiction and governing law, advertising, tax, liability for content online, insurance, and proposals for reform.

This Q&A is part of the global guide to digital business law. For a full list of jurisdictional Q&As visit www.practicallaw.com/digital-business-guide.

Alla Naglis and Xenia Melkova, King & Spalding LLP

Regulatory overview

1. What are the relevant regulations for doing business online (for business-to-business and business-to-customer)?

There is no all-encompassing regulation in Russia specifically for e-commerce. The statutory framework is fragmentary and can be derived from several laws, including, but not limited to:

  • Information Law No. 149-FZ of 27 July 2006.

  • E-Signature Law No. 63-FZ of 6 April 2011.

  • Communications Law No. 126-FZ of 7 July 2003.

  • Personal Data Law No. 152-FZ of 27 July 2006.

It is also derived from a variety of laws and regulations setting out general rules applicable to conducting business in Russia, such as:

  • Civil Code of the Russian Federation.

  • Tax Code of the Russian Federation.

  • Laws applicable to certain corporate entities, including:

    • Limited Liability Company Law No. 14-FZ of 8 February 1998.

    • Joint Stock Company Law No. 208-FZ of 26 December 1995.

  • National Payment System Law No. 161-FZ of 27 June 2011.

  • Consumer Protection Law No. 2300-1 of 7 February 1992.

  • Advertising Law No. 38-FZ of 13 March 2006.

Importantly, rules set by international treaties to which the Russian Federation is a party are to prevail over national laws (see Article 15(4), Constitution of the Russian Federation; Article 7, Civil Code). However, direct implementation and enforcement of such rules in Russia is often difficult. One of the international treaties in the field of e-commerce that recently entered into effect in Russia (on 1 August 2014) is the UN Convention on the Use of Electronic Communications in International Contracts (2005).

 
2. What regulatory bodies are responsible for passing legislation in this area?

The principal regulatory framework in civil, finance, customs law and other areas relevant for the regulation of e-commerce belongs to the federal level jurisdiction, and is formed by federal laws passed by the Russian Parliament (the Federal Assembly) and signed by the President. Subordinate regulations on the implementation of the federal laws are issued by the Government of the Russian Federation and by competent governmental bodies, including, among others:

  • The Ministry of Finance.

  • The Ministry of Telecom and Mass Communications.

  • Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor).

  • Federal Service for Surveillance on Consumer Rights Protection and Human Wellbeing (Rospotrebnadzor).

 

Setting up a business online

3. What are the common steps a company must take to set up an existing/new business online?

Any commercial activity, including online business, can be carried out by a legal entity established in a corporate form for commercial companies or by an individual registered as an individual entrepreneur. Corporate forms most commonly used for small to medium-sized businesses are those of a limited liability company or a private joint-stock company.

If a company is already in existence, or an individual is registered as an entrepreneur, setting up a business online does not require any special registration, as commercial companies and individual entrepreneurs have universal capacity and can engage in any type of business. This is subject to compliance with specific restrictions or licensing requirements, if any.

The formation of a company involves some mandatory elements:

  • A registered office (which has to be a physical office (not a PO Box) and is presumed to serve as the contact address for all governmental communications).

  • A bank account (to be fully operational, a company must maintain an account with a bank in Russia).

  • An employed CEO. Importantly, a company has to have an executive body (unless managed by a specialised management company), which is usually the CEO or the general director. The CEO, if appointed, must be on the company's payroll.

Individual entrepreneurs also need a Russian bank account, but can be registered at and operate from their residential addresses.

Individual entrepreneurs, like companies, can hire employees.

Legal entities and individual entrepreneurs get registered with tax authorities and social funds, and are subject to reporting requirements set by Russian accounting and tax laws. Depending primarily on revenue size, certain companies and individual entrepreneurs qualify for a simplified taxation regime.

Further registration requirements may apply to online businesses if their activities involve operations qualifying as personal data processing (not falling under exemptions set by Personal Data Law) or activities of "administration of information distribution in the internet" (defined, for the purposes of Information Law, as operation of information systems or software designed or used for receipt, transfer, delivery or processing of electronic messages of internet users). A party intending to engage in activities falling in the above categories is required to notify Roskomnadzor and be added to the respective registry.

 
4. What are the relevant parties that an online business can expect to contract with?

For the purposes of domain name registration, online businesses most frequently contract with JSC RU-Center (see www.nic.ru/en/), a state-founded private company that is a major host and registrar for Russian national domain names, or any other accredited registrar and hosting services provider.

Russian civil legislation does not recognise web development contracts as a separate category of a contractual relationship. For web developers, IT service providers and any other contractors for online business, the online business may use an employment versus service contract model. In the latter, the relationship may be governed, depending on its nature and scope, by a combination of rules applicable to commissioning contracts, service contracts or IP development agreements. Accurate elaboration of contractual provisions relating to the transfer or licence of intellectual property created in the course of the performance is of critical importance.

If the business involves online sales of goods, contracts with importing distributors or customs brokerage agreements will likely be needed, as well as storage service.

 
5. What are the procedures for developing and distributing an app?

As with a website, an app can be commissioned to a third party service provider (a company, an individual entrepreneur or, less frequently, a private individual). The IP rights regime, including the assignment or licence terms, has to be clearly elaborated in the third-party contract to secure the business with the full and unrestricted right to the app. Service contracts are particularly efficient for short-term or one-off assignments.

Alternatively, the development of the app may be covered by the work-for-hire regime under the employment contract, which should explicitly provide that creative work resulting in IP products is part of the employee's duties.

Apps can be distributed directly to customers or via a distributor (for example, a mobile operator).

 

Running a business online

Electronic contracts

6. Is it possible to form a contract electronically? If so, what are the requirements for electronic contract formation?

Contracts between legal entities and individuals generally must be executed in writing. A written form requirement can be met by means of:

  • Execution of a single document bearing all parties' signatures.

  • Exchange of messages, or other documents, including electronic documents via communication channels that allow true identification of the sender as a party to the contract.

  • Acceptance of a written offer by implicative actions (payment, shipment or other performance under the contract).

For e-commerce, the second and third options are relevant. The latter is broadly used for online sales where the presentation of a product as offered for sale with all material terms defined, accompanied with its description and addressed to the broad public, is recognised to constitute a public offer (see, for example, Article 12 of the Distance Sales Rules approved by Regulation No. 612 of the Russian Government (Distance Sales Rules)) and therefore capable of being accepted by the consumer.

The Distance Sales Rules flow from and expand on the Consumer Protection Law and apply to all sales where a customer has no opportunity to physically examine the product offered for sale. The buyer has the right to cancel the order at any time before delivery or return the goods within seven calendar days after receipt (or within three months, if the customer was not informed of the terms and conditions of returns).

The provision allowing the formation of a contract by exchange of electronic documents was only introduced to the Civil Code in March 2015. It is still making its way to consistent implementation and recognition by governmental authorities and courts.

 
7. What laws govern contracting on the internet?

There are no rules applicable specifically and exclusively to contracting on the internet. Online transactions are qualified, like offline transactions, depending on the parties involved. They fall under the general rules applicable to commercial activity as set out in the Civil Code or in regulations setting the statutory framework for certain types of commercial relationship. For example, business-to-customer (B2C) transactions would additionally be governed by consumer protection rules, including the Distance Sales Rules. At the same time, the supply of goods or services to state or municipal governmental bodies is subject to special rules set by state procurement laws.

Since the application of the Distance Sales Rules is limited to B2C sales, there is a critical difference in the concept of an "offer" in B2C and business-to-business deals. Specifically, in the latter case, presentation of a product on a website, even if accompanied with price details, does not necessarily qualify as a public offer, unless the intent to be bound in the case of acceptance is evident (Article 437, Civil Code). This is an approach consistent with Article 11 of the UN Convention on the Use of Electronic Communications in International Contracts.

 
8. Are there any limitations in relation to electronic contracts?

Electronic forms of contracts are not allowed in cases where a certain form (for example, certification by a notary or a state registration) is required by law, for example, for trademark licence agreements or long-term real property lease agreements. When accepting the UN Convention on Electronic Communications, the Russian Federation made a declaration to that effect. Sales of goods prohibited or restricted for importation into the territory of the Russian Federation cannot be made electronically.

 
9. Are there any data retention requirements in relation to the formation of electronic contracts?

Regardless of the form of contracts, Russian businesses are bound by the documents and information retention and storage requirements set by the Accounting Law No. 402-FZ of 6 December 2011. This, among other things, obliges the parties to keep financial documents and statements, including, for electronic documents, means of their reproduction and verification of electronic signatures, for no less than five years following the year in which the documents and information were last used (Article 29(2)).

Under the Information Law, parties qualifying as administrators of information distribution on the internet (see Question 3) are obliged to keep in Russia (which is understood as the obligation to physically place the servers in Russia) all metadata relating to any voice, text, image or other electronic communications of the internet users for at least six months and make such data accessible to law enforcement and state security bodies as required by prosecution and enforcement laws (Article 10.1, Information Law). This is a fairly new rule (in effect since 1 August 2014) and there is no consistent implementation practice in that regard as yet.

 
10. Are there any trusted site accreditations available?

There are a few associations, including, for example, the Association of Internet Commerce Companies (AKIT) (see www.akit.ru/), that as part of their activities offer audit and certification of online sales. However, they primarily act in the interests of a limited number of their members and hardly set a level of market aspiration for site accreditations.

 
11. What remedies are available for breach of an electronic contract?

There is no difference between a breach of an electronic versus offline contract or between remedies available to the party damaged in either case. In practice, electronic contracts may create a risk of being held to lack the written form, which in civil procedure limits the parties' ability to refer to testimonial evidence (Article 162(1), Civil Code). However, even if the existence of a written contract cannot be established, the contract is not automatically nullified. Written evidence (email confirmations, screen shots and so on) is still admissible in such cases.

E-signatures

 
12. Does the law recognise e-signatures?

E-signatures are recognised by Russian law. The new E-Signature Law (that replaced the old regulation of 2002) has been in effect in Russia since 2011. It is based on, and substantially follows, the Electronic Signatures Directive (1999/93/EC).

The general rule is that the use of e-signatures is permitted as long as explicitly provided for by law or agreed by the parties (Article 160(2), Civil Code), and their evidentiary value is recognised in civil procedure (with essentially the same qualifications as described above) (see Question 6).

Electronic signature means information in electronic form attached to other information in electronic form (signed communication), or otherwise tied to such information and used to identify the signatory (Article 2, E-Signature Law).

Three types of e-signatures are recognised:

  • Common e-signature.

  • Advanced non-qualified e-signature.

  • Qualified e-signature.

Common e-signature. The common e-signature confirms the fact of its creation by a certain person by means of codes, passwords and other tools (Article 5, E-Signature Law). To serve as a valid means of signing electronic documents, a common signature must either (Article 9, E-Signature Law):

  • Be incorporated in the document.

  • Its key must be used on the terms set by the operator of the relevant information system in which the document was created or by which it was sent, and the document must include the name of the person who has created or sent it.

An electronic document signed with a common e-signature may be considered as equivalent to a handwritten signed document only if explicitly permitted by law or agreed by the parties to that electronic document. Examples of common e-signatures accepted as fully equivalent to handwritten authentic signatures are scarce. One of the statutory references to such a possibility is the June 2014 amendment to the Insurance Law No. 4015-1 of 27 November 1992, which allows the acceptance by insurers of common electronic signatures as equivalent to original handwritten signatures. However, this is only in respect of individual beneficiaries (or insured parties, as the case may be) and provided the insurer has not set stricter requirements in its internal policies.

Advanced non-qualified e-signature. The advanced non-qualified e-signature implies the use of certain cryptographic means of data conversion with the use of a signature key. This allows identification of the signatory and shows changes (if any) made to the document after signing (Article 6, E-Signature Law). Non-qualified e-signature conveys the same level of verification and validity to the electronic document to which it is attached as a common e-signature.

Qualified e-signature. The advanced qualified e-signature (otherwise known as electronic digital signature) involves the use of both a private signature key and a qualified public verification key issued by a state accredited entity. This type of e-signature enjoys the presumption of validity as a means of execution equal to affixing a handwritten signature. The Ministry of Telecom and Mass Communication is the competent governmental body responsible for accreditation of certified e-signature key providers and the main certification centre for electronic digital signatures in Russia.

The Russian electronic digital signature uses Cryptographic Message Syntax format. Russian standard (recommended) is set by the "National Standard. Information technology. Cryptographic data security. Generation and verification processes of electronic digital signature (GOST Р 34.10-2012)", adopted by the Order of the Federal Agency for Technical Regulation and Metrology No. 215-st of 7 August 2012.

The Russian national standard is developed on the basis of international standards: ISO 2382, ISO/IEC 9796, ISO/IEC 9796, ISO/IEC 14888 and ISO/IEC 10118.

 
13. Are there any limitations on the use of e-signatures?

A common e-signature cannot be used to sign a document containing state-secret information (Article 9, Electronic Signature Law).

The use of e-signatures may be restricted by law (if a contract or another document must be executed in a particular form) or by the parties' agreement.

E-signatures with a verification key issued by a foreign state are permitted but classified based on the criteria set out in Russian laws.

 

Implications of running a business online

 

Cyber security/privacy protection/data protection

14. Are there any laws that regulate the collection or use of personal data? To whom do the data protection laws apply?

The most recent amendments to the Personal Data Law that introduced stringent personal data localisation requirements entered into force on 1 September 2015. Certain rules applicable to personal data processing are incorporated into other laws, for example, the Information Law. Exempt from the scope of the Personal Data Law are matters arising from the personal data processing:

  • By individuals exclusively for private and family purposes.

  • In the course of processing of archived documents forming part of the state archives or otherwise as prescribed by laws on archiving.

  • On matters covered by the state secrecy regime.

  • In connection with public information disclosure about judicial activity in Russia.

The Personal Data Law applies to the activity of any "operator" (defined as any party, therefore including individual and entities, in the latter case, both private, public and governmental) engaged on its own or in co-operation with other parties in the processing of personal data. Therefore, the definition of an "operator" is extremely broad and covers, among other things, all employers that inevitably collect and process personal data of their employees.

For further information on data protection laws in the Russian Federation, see Country Q&A, Data Protection in Russian Federation: overview.

 
15. What data is regulated?

The Personal Data Law applies to matters of personal data, that is, any information pertaining to a directly or indirectly identifiable individual (Article 3, Personal Data Law).

There are other categories of data that fall under different regulation. For example, the use of an individual's image is also covered by certain provisions of the Russian Civil Code (Article 152.1). Certain metadata related to communications between the parties on the internet has to be retained by the party qualifying as administrator of the information distribution (see Question 9). The data capable of qualifying as commercial secrets (meaning information having potential or real commercial value due to its non-public nature, restricted from third party access and identified by its owner as commercial secrets) falls under the regulation of the Civil Code and the Commercial Secret Law No. 98-FZ of 29 July 2004.

Separate regulation and protection requirements are set for specific types of data, such as state secrets, tax secrets, bank secrets, medical secrets and others.

 
16. Are there any limitations on collecting personal data? Are there any specific limitations on storage of personal data in the cloud?

The cornerstone requirement applicable to personal data collection and processing is that the data can be collected and processed on the data subject's specific, informed and conscious consent and only to the extent the scope of processing meets the original declared intent. For example, if the data is collected for a particular purpose, it cannot be used for targeted advertising, unless the data subject has explicitly consented to it. The data subject's consent can be given in any verifiable form, unless a written consent is specifically required by law (for example, in cases of biometric and certain sensitive categories of personal data). The list of exemptions from the personal data subject's consent requirement is set out in Article 6 of the Personal Data Law. It includes, among others, cases of personal data collection and processing under and for the purposes of the performance of a contract to which the data subject is a party or beneficiary, or as may be required in the interests of the state, public interest, human welfare, justice and security, or under international treaties.

Before starting the activity of a personal data operator in cases where no exemptions apply, the party must notify the competent authority (Roskomnadzor) of its intention to process personal data and get on the register of personal data operators maintained by the authority and publicly accessible at its official website (see rkn.gov.ru).

If the personal data is collected online, the operator must place on its website a document setting out its terms and policies in respect of the personal data processing and security measures used.

There are no limitations on storage of personal data in the cloud. However, from 1 September 2015, all operators collecting personal data of Russian citizens (including parties without any Russian presence) must record, store, alter and retrieve such personal data with the use of databases physically located in the territory of Russia. There are a few exemptions from the data localisation requirement, such as collecting and processing personal data:

  • Under an international treaty to which Russia is a party.

  • For the purposes of rendering justice.

  • As may be required for the performance of the governmental functions at the federal or local level in Russia.

  • In the course of journalistic activity, scientific, mass media, or other professional artistic activity, provided in all cases such activity is lawful.

Once the personal data is collected and stored on servers in Russia, its duplication and cross-border transfer are permitted.

 
17. Is the use of cookies allowed? If so, what conditions apply to their use that impact system design?

There are no restrictions set by Russian legislation for the use of cookies.

 
18. What measures must be taken by companies or the internet providers to guarantee the security of internet transactions?

No mandatory requirements are set by law in respect of measures to be taken for security of internet transactions between private parties. Certain requirements applicable to security of online payments are set out in the National Payment System Law and corresponding bye-laws and regulations. Among other things, payment systems operators must:

  • Establish rules and procedures for cyber-security risk assessments.

  • Form a cyber-security (data protection) department.

  • Develop and implement data protection systems.

  • Develop authentication and identification procedures for parties authorised to order and process money transfers.

  • Detect security breaches, and so on.

For e-money payments, there are thresholds set on the volume of permitted transactions depending on identification level (see Question 21).

 
19. Is the use of encryption required or prohibited in any circumstances?

Encryption, as in basic or advanced coding, is not regulated in Russia, unlike cryptographic activity, which is subject to licensing (including the activity of development, production of cryptographic hardware and software, distribution, cryptography services and so on). Licences are issued by the Federal Security Service of Russia. Foreign cryptographic software and hardware must be certified by Russian authorities for importation into the territory of the Russian Federation. For the protection of state secrets, the cryptographic means (including hardware and software) manufactured in Russia must be used.

The use of encryption is not expressly required by the Personal Data Law as an obligatory data protection measure.

 
20. Can government bodies access or compel disclosure of personal data in certain circumstances?

Operational units of certain governmental authorities are entitled to request and extract information in the interest of state-defence and protection of citizens and other state interests. The technical means of extraction of information are determined by by-laws and internal regulations developed by relevant authorities. This may include a broad range of measures varying from requests for document disclosure to seizure of media and databases in electronic forms. The Law on Special Investigation Activity No. 144-FZ of 12 August 1995, sets no limitations for access to or extraction of personal data, except that the investigative authorities must maintain the secrecy of the data received during such investigations.

Information can be compelled for disclosure by the court as part of different stages of the investigation process, if it involves intrusion on a person's privacy.

Certain governmental bodies can gain access to a broad range of sensitive information in the course of audits or investigations aimed at supervision over compliance with applicable regulations. The details, authority and rules of carrying out the inspections are set in separate acts pertaining to relevant industries and state bodies. For example, Rospotrebnadzor, a competent authority for most of the trading activities involving consumers, can request data featured in the documents of the company (or entrepreneur) setting out their legal form, rights and obligations, documents used for their activity and related to compliance with mandatory requirements and requests by state and municipal authorities.

 
21. Are there any regulations in relation to electronic payments?

Electronic payments are regulated primarily by the National Payment System Law.

Payments can be made only on the client's order. This, if the agreement between the client and the bank so permits, can be confirmed with analogues of handwritten signature, codes, passwords and other means allowing identification of a person authorised to make it (Article 847(3), Civil Code). In practice, such confirmation is usually made in the form of a card verification code (card verification value), a text message confirmation with a pin code or a password attached to a payment application or website.

Electronic money is permitted, subject to the following restrictions:

  • E-money operators are not allowed to lend money to their clients.

  • E-money can be used only for payments involving individuals at least on one side of the operation (however, payments between non-identified private individuals are not allowed).

  • Different thresholds are set for daily balance and monthly volume of e-money payments depending on the identification procedures undergone by the payor. Therefore, for non-identified clients, the daily balance is limited to RUR15,000 and the monthly volume of payments cannot exceed RUR40,000. For clients who have undergone a simplified identification procedure, the limits are RUR60,000 and RUR200,000, respectively. Finally, for fully and formally identified clients, the balance available at any point of time is set at RUR600,000.

  • E-money payments are subject to the same currency control and regulation rules as regular payments.

The identification process for the purposes of the application of electronic payments thresholds as described above is set out in the Anti-Money Laundering and Terrorism Financing Law No. 115-FZ of 7 August 2001. A simplified identification may take the form of a verification of the person's identity by the bank, through:

  • A personal appearance with demonstration of original ID documents.

  • Remote verification by the bank on the basis of name and ID details, mobile phone number and one of the additional identifiers (such as the individual taxpayer's number, social security number or mandatory medical security number).

No decisions involving legal consequences for individuals can be taken exclusively on the basis of automated processing of their personal data, unless the data subject provides his express written consent to it (Article 16, Personal Data Law).

 

Linking

22. Are there any limitations on linking to a third party website and other practices such as framing, caching, spidering and the use of metatags?

There are no restrictions on linking to third parties' websites or similar practices, if the information to which the link is provided is lawful.

 

Domain names

23. What regulations are there in relation to licensing of domain names?

There is a list of accredited registrars of domain names available at www.cctld.ru/en/registrators. Most commonly, registration of domain names is done via RU-Center (Joint Stock Company Regional Network Information Centre). Russian country-specific domains .RU and .РФ can be registered by non-residents.

 
24. Do domain names confer any additional rights (in relation to trade marks or passing off) beyond the rights that are vested in domain names?

A designation cannot be registered as a trade mark if it is identical or confusingly similar to a trade name or brand (commercial designation) already recognised and protected in Russia or an element of it (Article 1483(8), Civil Code). Given that domain names in most cases represent corporate or trade names, the recognition of the designation gained since the start of the commercial activity under such name may be successfully brought to court as evidence of an earlier priority date, therefore opposing third parties' actions aimed at obtaining trade mark protection in respect of similar designations.

On the reverse side, the use of a trade mark on the internet, including in the domain name, is one of the means of its exploitation. Accordingly, a trade mark owner holding the trade mark with an earlier priority date is entitled to oppose the use by third parties of identical or confusingly similar domain names for the same categories of goods or services.

 
25. What restrictions apply to the selection of a business name, and what is the procedure for obtaining one?

A company's registered business name (called "firm name" under Russian laws) comprises two elements:

  • The designation of its corporate form (for example, limited liability company or joint stock company).

  • The name itself.

The firm name is protected from the date of the company registration with the tax authority (the official registrar for legal entities). However, the name as such may enjoy separate protection as an IP right.

There are two options available in this regard:

  • Trade mark registration.

  • Commercial designation (trade name or brand) protection.

The trade name does not require registration and formally enjoys protection from the beginning of its use. Another positive trait of trade name protection is the opportunity to automatically use it in respect of more than one company. Unlike the firm name, the trade name option is also available to individual entrepreneurs. Quite frequently, trade names used by businesses differ substantially from their registered firm names.

However, in practice, the absence of any registration may result in vulnerability of the designation in the case of a dispute where the prior use and recognition gained by the trade name may be extremely difficult to prove. For this reason, businesses predominantly opt for the trade mark registration to support the firm name or trade name use.

In the selection of a firm name, it is important to bear in mind that it is prohibited to use a name identical or confusingly similar to a pre-existing name of a similar business.

Special rules apply if a company intends to use the words "Russian Federation", "Russia" or their parts and derivations (for example, "Russian") as part of its firm name. The permission has to be solicited from the Russian Government and may be issued only to key market players (such as parties having branches in 50% or more of the constituent subjects of the Russian Federation, or parties qualifying as major taxpayers, or those holding at least a 35% market share) or to companies in which the Russian Federation holds over 25% of the share capital.

Full or abbreviated names of Russian state authorities cannot be used in the business names.

 

Jurisdiction and governing law

26. What rules do the courts apply to determine the jurisdiction for internet transactions (or disputes)?

There are two branches of civil courts in Russia, namely courts of general jurisdiction (that try civil disputes and disputes arising from public law) and commercial (arbitrazh) courts. The latter have jurisdiction over disputes between businesses (both corporate and individual) related to commercial activity. Therefore, business-to-business disputes will logically fall into the competence of arbitrazh courts, while a court of general jurisdiction will sit on a business-to-customer matter.

Both branches of civil courts may establish jurisdiction over disputes involving foreign parties. Russian commercial courts have jurisdiction over disputes in the following cases, among others (Article 247(1), Arbitrazh Procedure Code):

  • The defendant is located or resides in Russia, or has assets in Russia.

  • A management body or a branch of the foreign entity is located in Russia.

  • The dispute has arisen from a contract performed or to be performed in Russia wholly or partially.

  • The claim arises from damage caused to property by an act or circumstance that took place in Russia.

  • Unjust enrichment took place in Russia.

  • A plaintiff in a defamation case is located in Russia.

  • The dispute has arisen from the state registration of names and other objects and provision of services on the internet in the territory of the Russian Federation.

  • In other cases, if there is a strong tie between the matter in dispute and the territory of the Russian Federation.

 
27. What rules do the courts apply to determine the governing law for internet transactions (or disputes)?

Both arbitrazh procedure and civil procedure permit the application of foreign law by Russian courts.

General provisions on conflicts of laws are set out in Section VI of the Civil Code. The party autonomy principle is recognised in commercial relationships and the parties are free to choose the law to govern their contract. In cases where the choice of law was not agreed between the parties and cannot be made on the basis of international treaties, Russian laws, or custom, the court will apply the law of the country the matter is most closely connected to (Article 1186).

Importantly, the choice of foreign law does not affect the application of mandatory rules of Russian law that apply directly.

In practice, Russian courts predominantly lack sophistication and desire to apply foreign law, which in most cases induces parties to agree on the application of Russian laws if the matter is agreed to be subjected to the jurisdiction of Russian courts. If the agreement is to be governed by foreign laws, choosing arbitration or an ADR procedure is a recommended option.

For matters involving consumers, the choice of law applicable to the contract may not deprive the consumer of the remedies available to him under the:

  • Mandatory rules of the law of the consumer's country of residence if the commercial counterparty to the contract in its activity in any way targets the territory of the consumer's country (except for transportation contracts or service contracts performed entirely outside the consumer's country).

  • Mandatory rules that would apply to the relationship in the absence of a choice of law agreement.

 
28. Are there any ADR/ODR options available to online traders and their customers? What remedies are available from the ADR/ODR methods?

Russian legislation allows the parties to refer virtually any dispute or controversy to a settlement procedure.

Mediation is one of the ADR procedures recognised by Russian law. However, its practical application, specifically in respect of e-commerce, remains relatively limited and most disputes tend to be resolved in courts.

 

Advertising/marketing

29. What are the relevant rules on advertising goods/services online/via social media?

The regulatory framework for advertising activities is formed by the Advertising Law No. 38-FZ of 13 March 2006. The law sets virtually no rules specifically for advertising online or in social media (the only rule explicitly set for advertising on the internet is the ban on alcohol advertising set by Article 21(2)(8)). Accordingly, advertising online should:

  • Comply with general requirements, that is:

    • be fair and accurate;

    • contain no elements infringing on public morals or potentially harmful to children; and

    • contain no hidden elements that are not perceived by the audience but influence the decision-making.

  • Observe the requirements and restrictions as set by the law in respect of specific goods and services.

There is some uncertainty in the implementation practice regarding the information on goods and services placed online. Some courts have held that rules applicable to advertising of distantly sold goods should apply to information available online, in which case the advertiser is required to provide full information about the seller, including its name, business address and state registration details. However, this has not become a consistent approach. In practice, the distinction is made between information about the goods manufactured and offered for sale online.

 
30. Are there any types of services or products that are specifically regulated when advertised/sold online (for example, financial services or medications)? 

There are two principal categories of goods and services to be mindful of with respect to online advertising or sales, namely, goods and services prohibited for advertising or sales and restricted goods and services.

Advertising of the following goods and services is banned:

  • Narcotics, psychotropic substances and their precursors.

  • Explosives (except for pyrotechnics).

  • Human organs and tissue.

  • Tobacco and goods for tobacco smoking.

  • Abortion services.

  • Goods subject to state registration in the absence of the required registration (for example, chemicals of potential danger to human beings and certain food products first imported into Russia).

  • Goods subject to mandatory certification and goods and services subject to licensing (meaning both production and sales licences) in the absence of the required certification or licence.

  • Goods prohibited from sales in Russia.

The restricted categories of goods and services include, above all, alcohol (prohibited from advertising on the internet by Article 21(2) of the Advertising Law). Further, under the Distance Sales Rules, alcohol and other goods limited or restricted for sale (such as prescription medications, weapons, tobacco) cannot be sold by way of distance sales, which naturally bans their online sales.

Further restrictions and special rules exist for advertising of medications, dietary and nutritional supplements, weapons, gambling and betting, financial services, securities, services for entering into annuity agreements, invitations to individuals to invest in construction of multi-flat buildings and mediation services.

 
31. Are there any rules or limitations in relation to text messages/spam emails?

Advertising via electronic communication networks is permitted only as long as the recipient has expressed prior consent to receive such communications. The party distributing the information bears the burden of proving the recipient's consent (Article 18, Advertising Law). The law does not prescribe any form of the recipient's consent. However, in the light of the burden of proving vested in the advertiser, it is prudent to obtain the consent in a durable and traceable form.

For text messages circulated in telephone services networks, similar rules are set by Article 44.1 of the Communications Law. Prior consent of the intended recipient is required, and must be obtained in a form permitting accurate identification of the recipient and his intent to receive such communications.

Circulation of advertising in communications networks involving automated means (automatic dial or message circulation) is prohibited.

In contrast to the opt-in approach in the above laws, the Information Law sets out an opt-out rule for distribution of information by means allowing the identification of sender, including postal messages and emails (Article 10, Information Law). The sender must provide the recipient with the option to refuse such information.

 
32. Are there any language requirements in your jurisdiction for a website that targets your particular jurisdiction or whose target market includes your jurisdiction?

The Federal Law on State Language sets a general requirement on the use of the Russian language and the languages of peoples of the Russian Federation. The law contains an obligation to use Russian language in cases required by specific regulation. Therefore, the Russian language must be used in mass media, advertising, public performances and official paperwork in the Russian Federation. Trade marks and other designations pertaining to goods and services may be used in foreign languages if protected in Russia by domestic or international registrations.

If the online business targets the audience in the territory of the Russian Federation, it may be expected to comply with the requirements of the Consumer Protection Law to provide the customers with detailed and accurate information on the manufacturer, producer or seller of relevant goods and their business hours in the Russian language or languages of peoples of the Russian Federation (Article 8, Consumer Protection Law).

 

Tax

33. Are sales concluded online subject to taxation?

There are no exemptions in taxation regulation made for online businesses.

 
34. Where and when must online companies register for VAT and other taxes? Which country's VAT rate will apply?

A company or an individual entrepreneur is automatically registered as a value added tax (VAT) payer at the moment of state registration. However, if the respective business is eligible for a simplified tax regime, it is exempt from VAT, apart from VAT payable in connection with the importation of goods to the territory of Russia and in connection with certain types of relationship (such as investment partnership) set out in the Tax Code.

For VAT, the basic rule is that VAT is payable in respect of goods sold or services provided in Russia. The Russian Tax Code provides a detailed list of criteria applicable to the determination of the place of sale of goods or the provision of services for the purposes of VAT application.

 

Protecting an online business

Liability for content online

35. What laws govern liability for website content?

The following laws form the principal regulatory framework in respect of restricted content:

  • The Information Law sets the definition of the blacklist of websites held to contain information banned for distribution in Russia, the key grounds for the qualification of a website and the procedures for the inclusion of a website in the blacklist. A website can be included in the register on a court decision, or on a decision by a relevant competent authority for featuring the following information:

    • child pornography materials;

    • information on the methods of production or use of drugs;

    • information on ways of committing suicide or calling for commitment of suicide;

    • information on underage victims of unlawful actions (omissions); or

    • information in violation of gambling, betting and lottery regulation.

  • The Child Protection Law No. 436-FZ of 29 December 2010 introduces age-rating of information distributed in any media and restricts distribution of certain information among children and teenagers. Information banned for distribution among children includes, among other things, the controversial and poorly defined concept of "propaganda of non-traditional sexual relationships" (often referred to as the "gay propaganda ban").

  • The Anti-Extremist Activity Law No. 114-FZ of 25 July 2002 prohibits distribution of extremist materials by any means in the territory of the Russian Federation. Extremist materials are recognised as such by a court decision. In practice, the concept of extremist information and extremist activity has lately been applied broadly and inconsistently.

If a website is registered as a network media (this registration is optional), it will also fall under the rules set by the Mass Media Law, which include the following:

  • Ban on the use of obscene language.

  • Prohibition on the use of mass media for criminal purposes, and for disclosure of confidential and secret information.

  • Prohibition on the display of information calling for or justifying extremism and terrorism, and promoting pornography, violence or cruelty.

  • Prohibition on the use of any subliminal messages.

  • Prohibition on the distribution of information on drug use.

  • Requirements applicable to broadcasting from the site of a counter-terrorist attack.

Registered mass media are subject to a stricter responsibility for violation of anti-extremist and child protection laws.

 
36. What legal information must a website operator provide?

Registered network media must provide on its website complete and accurate information on its owner and mass media registration. For information distributed outside the mass media framework, the new amendment to the Information Law (in force since 1 May 2015) requires the party distributing such information to provide the details in the scope and form sufficient for its identification. Specifically, the website owner must place on the website its name, address and email address. This is designed for the purposes of extra-judicial settlement with third parties in case of claims arising from alleged infringement of copyright and related rights (Article 10(2), Information Law). However, in the absence of liability set by law for the failure to provide the website owner's details, the practical implementation of this rule remains limited at the moment.

Consumer-facing websites must provide customers with information on their name, address and the name and address of manufacturers and producers of sold goods and services (see Question 7).

Other specific requirements are set for blogs. Blogs are defined by the Information Law as websites (or web pages) holding no mass media registration, but containing publicly available information and having at least 3,000 hits per day. A blogger must place on the website his name and contact details, register with the regulator as a blogger and, in posting any information on the blog, check its accuracy in effectively the same way as registered mass media are required to. In reality, in the light of a broad and unclear definition that may apply to virtually any website owner, most parties do not volunteer any information or registration as a blogger; rather, they act only on the receipt of an express request from the regulator to get on the bloggers' list.

 
37. Who is liable for the content a website displays (including mistakes)?

The prevailing approach is to vest the liability for the content on a party that actively placed it, rather than the website owner. The party whose functions are limited to the transmission of information provided by third parties without alterations, or to the storage of information and provision of access to it, bears no liability for the content provided that such intermediary service provider is unaware of the unlawfulness of the information (Article 17(3), Information Law).

Similarly, the information intermediary is exempt from liability for intellectual property infringement by distribution of the content, if both of the following conditions are met:

  • The information intermediary is not and cannot be aware of the infringement.

  • If requested by a rightholder, the information intermediary has timely taken sufficient measures to cease the infringement.

 
38. Can an internet service provider (ISP) shut down a website, remove content, or disable linking due to the website's content and without permission?

The primary tool used against websites held to contain restricted content is blocking access to the website. The procedure involves several levels of interaction between the competent bodies, hosting provider, website owner and communication operators.

Websites that may face blocking include ones that:

  • Are held by a competent body or the court to contain banned information and materials (see Question 34). These websites are included in the blacklist (including domain names, URLs and IP addresses) maintained by Roskomnadzor. The competent bodies for the purposes of forming the blacklist of websites are Roskomnadzor (on child pornography matters), Federal Service on Control of Narcotics Turnover (on drug-related issues) and Rospotrebnadzor (on information relating to suicides).

  • Contain material infringing on third parties' copyright or related rights other than in respect of photographs and works resulting from analogous methods (as confirmed by a court order, including a preliminary injunction).

  • Are determined by the General Prosecutor's office to contain calls for extremist activities, riots and participation in unauthorised mass (public) events.

  • Qualify as an administrator of information distribution on the internet (see Question 3) in the case of a failure to provide the regulator with information as prescribed by law.

  • Breach the personal data processing rules, as confirmed by a court order.

The procedure differs slightly depending on the specific statutory ground. However, in most cases, the hosting provider gets notified about the unlawful content spotted on a website and has one to three days (24 hours in the case of "blacklist materials") to liaise with the website owner, who in turn must remove the information or web page in question within 24 hours. If the website takes no action, the hosting provider is required to block access to the website. If the hosting provider remains similarly unresponsive, the competent body (Roskomnadzor) notifies communications operators who are then obliged to block access to the website for their subscribers.

A different approach applies to websites identified as containing extremist materials and to administrators of information distribution on the internet. In these cases, the regulator immediately orders telecom operators to block access to the website while simultaneously notifying the hosting providers to that effect.

Importantly, websites held by a court to have repeatedly placed materials infringing on third parties' copyright or related rights are to be blocked permanently without the option to lift the ban. This rule entered into effect on 1 May 2015, but there are already reported cases of permanent website-blocking.

 

Insurance

39. How should an online business be insured?

Russian laws do not contain provisions on mandatory insurance.

At the moment, e-commerce risks are not frequently insured, and the risk assessment remains difficult. However, major insurance companies already offer a range of policies relevant for online businesses. For companies operating specific and sensitive electronic equipment, electronic equipment insurance is recommended. Databases and electronic financial assets can be insured against loss or damage (the latter is particularly relevant for parties operating e-payments). Finally, liability insurance, including, above all, insurance of liability relating to the unauthorised disclosure of, or damage to, third party data, is increasingly in demand.

 

Reform

40. Are there any proposals to reform digital business law in your jurisdiction?

Russian legislation has been undergoing substantial changes over the last few years aimed at the expansion of the state control over mass media, communications networks and related business. Due to limited (and unclear in many cases) wording of the new rules, which is grossly insufficient for the determination of practical aspects of the new obligations imposed on the market players, it is expected that an extensive number of by-laws and regulations clarifying the implementation of the new laws will appear in the near future.

 

Online resources

Pravo

W http://pravo.gov.ru/

Description. Official website operated by state authorities. It is updated regularly and available in Russian only.

Consultant

W www.consultant.ru/

Description. Online version of an unofficial but accurate and reliable service widely employed by most consulting companies and in-house lawyers. It is regularly updated. Full version is available online from 8 pm to 12 am Moscow time on weekdays and 24 hours a day on weekends. Latest documents adopted within the last 14 days are available 24 hours a day every day. Available in Russian only.

Garant

W www.garant.ru/

Description. Online version of another unofficial commercial legal reference system. Requires registration and fee. Three days' free trial is available. Most recent documents are available online for free and without registration. It is regularly updated and available in Russian only.

Garant (English version)

W http://english.garant.ru/online/

Description. Garant's English version accessible online. Contains a limited list of available documents. The commercial version of the program is the largest English language database of Russian legislation. The translation is unofficial and serves for information purposes only.

 

Contributor profiles

Alla Naglis, Partner

King & Spalding LLP

T +7 495 22 88 500
F +7 495 22 88 599
E anaglis@kslaw.com
W www.kslaw.com

Professional qualifications. Russia, Attorney, 1997

Areas of practice. Corporate law; M&A; telecom, media and technology; e-commerce; data privacy and cybersecurity; intellectual property.

Xenia Melkova, Associate

King & Spalding LLP

T +7 495 22 88 500
F +7 495 22 88 599
E xmelkova@kslaw.com
W www.kslaw.com

Professional qualifications. Russia, Attorney, 2007

Areas of practice. Corporate law; telecom, media and technology; data privacy; intellectual property; e-commerce.

