The legislatures in Russia and China took steps this month to tighten regulations over Internet companies with access to user data. In Russia, President Vladimir Putin signed a law ensuring a “right to be forgotten” reminiscent of the European Court of Justice’s ruling in May 2014. And in China, the National People’s Congress released a draft cybersecurity bill that would formalize and strengthen the State’s long-standing regulation of websites and network operators.
On July 14th, 2015, Russian President Vladimir Putin signed into law a piece of legislation that guarantees Russian citizens a so-called “right to be forgotten,” allowing them to selectively edit the history that is unearthed when internet users search for their names. Beginning on January 1, 2016, Russian citizens can request that a search engine remove a link if it (1) reveals information that “violates their personal data, (2) contains ‘unverified information’, or (3) contains information that is ‘no longer relevant.’” Affected websites include any search engines that serve targeted advertisements to Russian citizens, such as Google, Yahoo! and Yandex. Search engines will have up to ten days to respond to takedown requests, and failure to respond to requests within the time frame, or an erroneous refusal to remove content, will result in litigation and potential fines.
Google is no stranger to right to be forgotten litigation. In May of last year, a European Court of Justice ruling granted EU citizens a right to compel search engines to remove links to outdated or irrelevant web content. As a result of the European Court’s ruling, Google has fielded more than a million takedown requests, and has been forced to remove more than 285,000 search results. The Russian legislation, bearing striking resemblance to the ECJ’s ruling, will require similar efforts from search engines operating in Russia.
Both the EU ruling and the Russian law have received criticism from Internet companies and from those who advocate for an open and uncensored Internet. In the wake of the European Court’s decision, Harvard Law Professor Jonathan Zittrain told the New York Times that the ruling was “a bad solution to a very real problem, which is that everything is now on our permanent records.” Similarly, Galina Arapova of the Center for Media Rights and the International Media Lawyers Association at Oxford told Russia Beyond the Headlines that the Russian legislation is “in conflict with the constitution … [and] incompatible with the international standards established by the European Convention of Human Rights.”
In China, where websites have long been subjected to State regulation, the National People’s Congress (NPC) released a draft of a new law addressing cybersecurity. In the draft law, open for public comment until August 5th, the NPC claims a need for heightened network security, preservation of cyberspace sovereignty, and protection from cyber attacks. To achieve this, the NPC delegates broad powers to the Chinese Cyberspace Administration to regulate network providers. For example, the draft law requires network providers to mimic the State’s existing tiered network security protection system to ward off cyber attacks and data leaks. The law also requires all sensitive data collected about Chinese citizens to be stored in servers located within China, and subjects those servers to security checks from state regulators.
Some commenters believe that this new legislation does little more than solidify pre-existing regulations. According to Austin Ramzy of the New York Times, “[e]ven the most aggressive measures discussed in the draft, restricting Internet access in a particular region … have been used [in the past].” However, businesses operating within China should pay close attention to how this new law might impact their activities there, particularly as it pertains to the use and storage of user data: the draft bill grants the Chinese Cyberspace Administration broad jurisdiction to regulate such activities.
Brittany Doyle is a 2L at the Harvard Law School.