Russia is weaponizing its data laws against foreign organizations 

A view shows a sign at the entrance to a Russian branch of the Jewish Agency for Israel, in Moscow, Russia July 21, 2022. REUTERS/Evgenia Novozhenina

In late July, the Russian government appeared to have turned its data localization laws against an unlikely target: the Jewish Agency for Israel. Concerned that the decades-old nonprofit, which helps Jews emigrate to Israel from around the world, is accelerating the brain-drain of educated professionals from Russia in the aftermath of its disastrous invasion of Ukraine, Russian authorities accused the group of violating privacy laws in its storage of data pertaining to Russian citizens. 

The move against the Jewish Agency for Israel is the latest example of the Kremlin using laws governing online life in Russia to cement power offline, and its deployment against a group with little to no meaningful technology operation illustrates how those laws are being weaponized against groups viewed as a threat to the governing regime. It is hardly a new phenomenon, but its growing frequency underscores that Moscow’s use of online laws to rein in civil society shows no sign of relenting, and, if anything, is only growing more creative.  

During his 2000 presidential campaign, Vladimir Putin infamously described his vision for Russia as a “dictatorship of law.” Putin effectively meant consolidating power and using the legal system to punish the regime’s opponents, via written-down laws and trumped-up charges—a wish that has borne out since his ascendance to power. The Russian government has approached internet control in much the same way, shying away from a Beijing-style model of technical filtering and surveillance in favor of a heavily legalistic approach that emphasizes offline coercion. To be clear, the Kremlin continues to run the SORM-3 internet surveillance system, has expanded its push for companies to install deep packet inspection (DPI) filtering technology, and has blocked many websites since February, even if its capabilities are not nearly as sophisticated as those of the Chinese government. In the absence of a similarly sophisticated regime, Moscow relies heavily on confusing and inconsistently enforced speech laws, threats of arrest, security service harassment (including of foreign tech company employees), police brutality, and outright thuggery and other forms of fear and intimidation. Russian-American journalist Masha Gessen has remarked that the Kremlin’s suppression and shaping of information cannot be understood purely technologically; it also must be understood as part of an “economy of terror.” 

The Russian government’s weaponization of data laws ties into this legalistic approach to cyberspace (or the “information space,” as Moscow calls it). In July 2012, Federal Law No. 139-FZ went into effect, giving the state the ability to place websites on a blocklist and force Russian internet service providers to block access—one of several initiatives to increase the control that Roskomnadzor, Russia’s internet and media regulator, has over information online. In December 2013, Russia adopted Federal Law No. 398-FZ, which let authorities block online sources that disseminate calls for mass riots, participation in unsanctioned mass public events, and “extremist” activities, within 24 hours and without a court order. Russia passed a data localization law in 2014 (forcing anyone with data on Russians to keep a copy in Russia), a stored communications law in 2016 (requiring telecom operators to keep user communications for 30 days), a sovereign internet law in 2019 (envisioning a domestic internet isolatable from the global one), and so on. 

Russia’s 2014 data localization law required all Russian and foreign companies with personal data on Russian citizens to store that information in Russia. In data localization parlance, it is a requirement for “mirroring,” where the principal copy of the information must be stored in Russia but where other copies can exist outside Russia. This is unlike the stricter version of localization, often referred to as “hard localization,” which requires the one and only copy of a piece of information to be stored in-country. Russian businesses know they must obey; in fact, for example, part of Russian tech company Yandex’s cloud pitch is that it can help companies comply with the localization law. However, many foreign companies like Twitter, Google, and Facebook have long just ignored the localization requirements and paid relatively small fines every now and then (sometimes, just tens of thousands of U.S. dollars, a drop in the ocean of their profits) because enforcement wasn’t a top Kremlin priority.  

Dozens of countries have imposed localization restrictions since Russia established its regime for doing so. Some have mimicked or echoed Russia’s mirroring approach, and others have opted for more restrictive laws. The Chinese government’s model, for instance, is far more detailed than Russia’s and involves numerous restrictions on outbound data transfer. Governments have used these measures to boost their domestic surveillance reach, as when the FSB told Russian internet companies in 2019 to install equipment allowing intelligence personnel to access Russians’ data anytime. They have also done so to coerce foreign companies. Proposals for data localization in India, for example, offer another lever with which the government could pressure Facebook, Twitter, and other social media companies to comply with content removal (or restoration) demands.  

Authorities in Russia often use these internet laws instrumentally, as a means to an end. Passing confusing speech laws, like those with vague language that criminalize posting “fake news” online, enables the state to intimidate citizens unsure about what they can say—and to punish those who say anything the government dislikes. A “foreign agent” law signed into law by Putin in July, that enters into force in December, will expand the definition of foreign agents to include anyone “under foreign influence” and the definition of political activities to include any actions that “contradict the national interests of the Russian Federation.” Moscow has used this foreign agent designation to raid media offices, open criminal investigations into journalists, and otherwise weaponize the legal system against news websites, enabling the Kremlin to absurdly brand independent journalism as foreign interference.  

Data laws are another way in which the Kremlin weaponizes the Russian legal system against its perceived enemies. While the exact nature of the Jewish Agency for Israel’s alleged violation of Russian law is unclear, it likely refers to data localization requirements that would require information on Russians be stored in Russia. Data localization requirements have an immediate purpose: keeping data on Russians in Russia so law enforcement can more easily access it. But they also have instrumentalist uses. Moscow courts have for years fined companies like Twitter, Google, and Facebook for refusing to localize their data on Russians. Historically, these fines have been low, but as tech companies have opposed the war in Ukraine, the fines have sharply increased. With Google refusing to comply with data localization requirements and limiting the reach of Russian state media in the aftermath of the invasion, Russian authorities slapped the company with a $345 million fine in July, following a $98 million fine in December—compared to a fine of just $7,530 in 2018. Using the data law as a legal justification for expelling the Jewish Agency for Israel isn’t anomalous—it’s part and parcel of why the Kremlin introduces these regulations in the first place. 

Laws are just one of the tools in Moscow’s toolkit, and where the internet is concerned, these tools are a key part of constructing the Russian government’s model of online control. The Wikimedia Foundation, for example, the California-based nonprofit that owns Wikipedia, has been under continuous Kremlin attack, especially since the Putin regime launched its illegal war in Ukraine. Multiple editors have been doxxed (had their information leaked online), an intimidation tactic that could also expose them to violence. In March, the Belarusian security services arrested a Wikipedia editor who had worked on articles about Russia’s Ukraine invasion. The Russian government has also pointed to its local office law for overseas tech companies—a tool of blatant coercion already used to threaten employees with violence and arrest—to attempt to get the Wikimedia Foundation to put people on the ground in Russia, where the Russian security services can reach them. 

Foreign organizations of all stripes in Russia should pay attention to these laws. The Russian government is using all means available to cement power at home, crack down on dissent, and control the information space through blocking, expelling, and coercing tech firms. Yet the ongoing episode with the Jewish Agency for Israel underscores that it’s not just tech companies who may become the targets of Russia’s data laws—and these organizations must pay attention. For now, the Israeli government is reportedly in conversation with Russian counterparts about maintaining the organization’s presence in Russia, though the group’s future is uncertain. 

The Russian government does not hesitate to wield the legal system against opponents or even those who irritate it, no matter the dubiousness of the claims or the obvious nature of the coercion. Any group assessing their legal and operational risk vis-à-vis Russia must also evaluate their exposure to these kinds of legal arguments, like those pertaining to data localization. The growing number of legal restrictions in Russia on internet speech, data storage, and online communication, among others, increases the likelihood that foreign organizations, from media websites to NGOs, could find themselves in Russian legal crosshairs around the internet, data, and technology broadly. 

For their part, U.S. policymakers should consider the treatment of the Jewish Agency for Israel an important case study in the world of tech restrictions. It’s all too easy for policymakers to see a technology issue and flatten the issue to technology—that is, perform a technocentric analysis that cuts out social, political, offline, and other factors. For instance, many policy discussions of data localization focus on digital considerations such as the cybersecurity of the information in question and the technical compliance measures that companies would need to carry out on their data infrastructure. However, data localization can have many other effects, including escalating state access to information on dissidents, serving as a means of economically coercing foreign companies, and serving as a means of politically coercing organizations that do not toe the regime line. All of these are motivations for data localization and other data-restrictive laws. In the case of Russia and techno-centric analysis broadly, news of website blocking earlier this year prompted numerous headlines and policy discussions of a “Russian Great Firewall” (as in, China’s Great Firewall)—a conversation in Washington that somewhat glossed over the physically coercive aspects of Russian internet and information control. On the flip side, U.S. policymakers did a better job with exempting internet services from sanctions against Russia (even though some companies pulled out anyway), as they looked beyond the technology entanglements themselves and weighed the importance of trying to provide open information to the Russian people. 

As the Russian case underscores, if policymakers forget about these coercive aspects of internet regulation, they will miss a key driver of foreign government behavior entirely.  

Justin Sherman is a fellow at the Atlantic Council’s Cyber Statecraft Initiative. 

Google and Facebook provide financial support to the Brookings Institution, a nonprofit organization devoted to rigorous, independent, in-depth public policy research.