Data-Retention

Russia’s Yarovaya Law, passed in 2016 as anti-terrorism legislation, imposes extensive surveillance requirements. Communications providers must retain the content of all communications (voice, text, images, video) for 6 months and metadata for 3 years. When requested, providers must assist the FSB with decrypting communications. Messaging services using encryption must provide the government with decryption keys or face blocking. Several services including LinkedIn and Telegram have been blocked for non-compliance (Telegram was later unblocked after cooperation). The storage requirements are massive, requiring providers to build significant infrastructure. Combined with SORM and data localization requirements, the Yarovaya Law ensures Russian authorities have comprehensive access to communications occurring within Russia.

The Investigatory Powers Act 2016, nicknamed the ‘Snoopers’ Charter’, consolidates and expands UK surveillance powers. Intelligence agencies (GCHQ, MI5, MI6) can conduct bulk interception of communications, retain bulk datasets, and hack devices (equipment interference). ISPs must retain ‘internet connection records’ showing which websites users visit for 12 months. The law requires communications providers to assist authorities in removing encryption where feasible and maintain permanent interception capabilities. Warrants for targeted interception require judicial approval, but bulk powers have less oversight. The law applies to both domestic and foreign communications accessible from UK territory. While the UK has strong data protection through UK GDPR, the IPA creates significant surveillance exposure, particularly for communications transiting UK infrastructure or stored with UK-accessible providers.