According to Art. 1253, intermediaries are not liable for third-party content unless they knew or ought to have known that infringing material was being used illegally on their service. It is reported that the article contains a “constructive knowledge” clause, that may incentivize intermediaries to monitor their services in order to locate “illegal” material.

Amendments introduced by Federal Law No. 241 prohibit the anonymous use of instant message (“IM”) services. Providers are obliged to identify users of the instant messaging service by the subscriber number of the mobile radiotelephone operator in the manner established by the Government of the Russian Federation, on the basis of an identification agreement concluded by the organizer of the instant messaging service with the mobile radiotelephone operator.

While there is a safe harbor for copyright infringement under Federal Law No. 187-FZ "On Amendments to Certain Legislative Acts of the Russian Federation on the Protection of Intellectual Property Rights in Information and Telecommunication Networks", the country lacks a safe harbor for activities other than copyright infringement. In fact, according to the Article 13.34 of Federal Law No. 18-FZ "On Amendments to the Code of the Russian Federation on Administrative Offenses" (introduced in 2017), ISPs that do not block banned sites according to the information received from state regulator Roskomnadzor would be liable and required to pay between 100,000-500,000 Rubles (1600 USD - 8500 USD) penalty. The officials of those legal entities (ISPs) will face fines of 5,000-30,000 Rubles (85 USD - 500 USD) for failing to implement Roskomnadzor’s instructions. If the actions are repeated during the year the amount of penalties will be 30,000-50,000 Rubles (500 USD - 850 USD) for officials and 500,000-800,000 Rubles (8500 USD - 13500 USD) for ISPs.

Law No. 97-FZ and the corresponding government decrees, Decree No. 758 and Decree No. 801, have established several requirements regarding the identification of Wi-Fi users in public places, such as parks, hotels, cafeterias, restaurants, clubs, cinemas and shopping malls, among others. The Act and the decrees require that
- ISPs must identify Internet users by means of identity documents (such as passports);
- ISPs must identify terminal equipment by determining the unique hardware identifier of the data network;
- All legal entities in Russia must provide ISPs on a monthly basis with the list of persons connecting to the Internet using their network.

The so-called “Anti-Piracy Law” establishes a safe harbor for Internet Service Providers (ISPs) in certain cases. According to Art. 1253.1 introduced by this Law to Part IV of the Civil Code, an information intermediary transferring material in an information and telecommunication network is not responsible for the violation of IP rights resulting from this transfer, provided that the following conditions simultaneously exist: (i) he is not the initiator of this transfer and does not determine the recipient of the specified material; (ii) he does not change the specified material when providing communication services, with the exception of changes made to ensure the technological process of transferring the material; (iii) he did not know and should not have known that the use of the corresponding result of intellectual activity or means of individualization by the person who initiated the transfer of material containing the corresponding result of intellectual activity or means of individualization is illegal.
In addition, according to the Article, an information intermediary providing the possibility of posting material in an information and telecommunications network is not responsible for the violation of IP rights that occurred as a result of posting of materials in the network by a third party or at his direction, while the intermediary observes the following conditions: (i) he did not know and should not have known that the use of the corresponding result of intellectual activity or means of individualization contained in such material is illegal; (ii) in case of receiving in writing a statement of the copyright holder about the infringement of intellectual rights with an indication of the website page and (or) the network address on the Internet on which such material is posted, he took the necessary and sufficient measures in a timely manner to stop the infringement of intellectual rights. (the so-called "Notice and takedown" rule).
The information intermediary who is not held responsible for the violation of IP rights accordingly, may be subject to claims for the protection of IP rights including the removal of information that violates exclusive rights, or restricting access to it.

According to Art. 19 of the Law No. 152-FZ, the data operator should take all reasonable organizational and technical measures when processing personal data in order to prevent unauthorized access to personal data, its destruction, alteration, blocking, copying, distribution or conduct of other illegitimate acts.
Art. 22.1 of the Law, which has been in force since 2011, requires appointment of a person responsible for organizing the processing of personal data. This person is responsible for organizing the processing of personal data and should:
- exercise internal control over compliance by the operator and its employees with the legislation of the Russian Federation concerning personal data, including requirements relating to the protection of personal data;
- make employees of the operator aware of the provisions of the legislation of the Russian Federation concerning personal data, of by-laws on the processing of personal data and of requirements relating to the protection of personal data;
- organize the acceptance and processing of applications and requests from data subjects or their representatives and (or) to exercise control over the acceptance and processing of such applications and requests.

Federal Law No. 374-FZ provides that Internet and telecommunications companies are required to disclose communications and metadata, as well as “all other information necessary,” to authorities on request and without a court order. The law penalises companies that fail to disclose requested information, with fines of up to one million rubles (approx. USD 16,500) (Arts. 11, 13, 15).

Federal Law No. 152-FZ provides a comprehensive regime of data protection in the Russian Federation and follows an approach similar to that of EU Directive 95/46/EC. However, data protection in Russia is regulated by several laws in addition to the Law about Personal Data; other notable laws include the Federal Law No. 149-FZ of 27 July 2006 on Information, Information Technologies and Protection of Information.

Russian news aggregators are required to store the news disseminated, information about the news source, as well as information about the terms of its dissemination for six months, and to provide access to such information to the Russian Federal Service for Supervision of Telecom, Information Technologies and Mass Media.

Russia has not joined any agreement with binding commitments to open transfers of data across borders.

Art. 12 of the Federal Law No. 152-FZ prohibits the cross-border transfer of data to countries that do not provide an adequate protection of data subjects. However, cross-border transfers of personal data are permitted in the following circumstances: (i) approved by the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) as providing adequate protection, which will include countries party to Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108); or (ii) in cases where such transfer is necessary to protect the life, health, or other vital interests of the data subject or other persons. Starting from 1 March 2023, operators have to notify any cross-border transfers of personal data before such transfers and, for transfers to countries which are not 'adequate', obtain permission from the Roskomnadzor for the transfer, with limited exceptions.

Art. 30.6.4 of Federal Law No. 161-FZ requires that foreign-based credit card companies transmit data for all transactions within Russia through state-owned operator: the National System of Payment Cards. It is reported that affect the possibility for financial supplied to use their processing facilities located outside of Russia.

Art. 64 of Federal Law No. 126-FZ requires telecom operators, to store in the territory of the Russian Federation the following information:
- Information on the facts of reception, transmission, delivery and (or) processing of voice information, text messages, images, sounds, video or other messages of users of communication services - within three years from the moment of the end of such actions;
- Text messages of users of communication services, voice information, images, sounds, video or other messages of users of communication services - up to six months from the moment of termination of their reception, transmission, delivery and (or) processing.
In addition, Art. 10.1 of Law No. 149-FZ requires distributors of information, such as internet and telecom companies, messengers, email services, forums and other platforms that allow the exchange information on the internet, to store in the territory of the Russian Federation the following information:
- Information on the facts of reception, transmission, delivery and/or processing of voice information, written text, images, sounds, video or other electronic messages of internet users and information about these users for one year after the end of such actions;
- Text messages of internet users, voice information, images, sounds, video and other electronic messages of internet users up to six months from the end of their reception, transmission, delivery and/or processing.

Art. 18(5) of Federal Law No. 152-FZ provides that during personal data collection, including through the Internet, the data operator shall ensure that databases located within the Russian Federation are used to record, systematise, accumulate, store, update, modify and retrieve personal data of Russian citizens. However, the requirements do not apply to companies that do not receive the data directly from either data subjects or such third parties, or inadvertently in the course of normal business activity. Moreover, provided that personal data when initially collected is placed in a primary database located and maintained in Russia, personal data contained in the database may then be transferred abroad and placed in other secondary databases, provided the requirements for data transfers are complied with. As a result, once personal data is collected, it shall be placed in the database located in Russia (i.e., the primary database) and all mentioned operations on the data should be carried out locally. Afterwards, the data can be transferred abroad for further processing (i.e., to the secondary database).
It is reported that since 2015, the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) has been active in enforcing the above-mentioned measure. For instance, in November 2016 subject to the claim from Roskomnadzor the court in Moscow restricted access to the LinkedIn social network due to the breach of the measure. Further cases mostly included administrative fines which were issued also to major multinational companies, including Meta Platforms, Inc. (formerly Facebook, Inc.), Twitter, Inc. and later WhatsApp LLC, Google LLC, Airbnb, Inc., Apple, Inc., Twitch Interactive, Inc., United Parcel Service, Inc., Pinterest, Inc., Likeme Pte. Ltd., Ookla, LLC., Snap Inc., Match Group, LLC, Hotels.com, L.P., Spotify AB, and Zoom Video Communications, Inc. Some companies also faced repeated higher fines.
The Code of Administrative Offences establishes fines of up to RUB 6 million (approx. USD 64,620) for the first offence and up to RUB 18 million (approx. USD 193,860) for the subsequent offence.

Russia has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.