Art. 18.5 of Federal Law No. 152-FZ provides that during personal data collection, including through the Internet, the data operator shall ensure that databases located within the Russian Federation are used to record, systematise, accumulate, store, update, modify and retrieve personal data of Russian citizens. However, the requirements do not apply to companies that do not receive the data directly from either data subjects or such third parties or inadvertently in the course of normal business activity. Moreover, provided that personal data, when initially collected, is placed in a primary database located and maintained in Russia, personal data contained in the database may then be transferred abroad and placed in other secondary databases, provided the requirements for data transfers are complied with. As a result, once personal data is collected, it shall be placed in the database located in Russia (i.e., the primary database). All mentioned operations on the data should be carried out locally. Afterwards, the data can be transferred abroad for further processing (i.e., to the secondary database).
It is reported that since 2015, the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) has been active in enforcing the above-mentioned measure. For instance, in November 2016, subject to the claim from Roskomnadzor, the court in Moscow restricted access to the LinkedIn social network due to the breach of the measure. Further cases mostly included administrative fines, which were also issued to major multinational companies, including Meta Platforms, Inc. (formerly Facebook, Inc.), Twitter, Inc. and later WhatsApp LLC, Google LLC, Airbnb, Inc., Apple, Inc., Twitch Interactive, Inc., United Parcel Service, Inc., Pinterest, Inc., Likeme Pte. Ltd., Ookla, LLC., Snap Inc., Match Group, LLC, Hotels.com, L.P., Spotify AB, and Zoom Video Communications, Inc. Some companies also faced repeated higher fines.
The Code of Administrative Offences establishes fines of up to RUB 6 million (approx. USD 64,620) for the first offence and up to RUB 18 million (approx. USD 193,860) for the subsequent offence.

Art. 30.6.4 of Federal Law No. 161-FZ requires that foreign-based credit card companies transmit data for all transactions within Russia through state-owned operators: the National System of Payment Cards. It is reported that this affects the possibility for financial supplies to use their processing facilities located outside of Russia.

Art. 64 of Federal Law No. 126-FZ requires telecom operators to store in the territory of the Russian Federation the following information:
- Information on the facts of reception, transmission, delivery and (or) processing of voice information, text messages, images, sounds, video or other messages of users of communication services - within three years from the moment of the end of such actions;
- Text messages of users of communication services, voice information, images, sounds, video or other messages of users of communication services - up to six months from the moment of termination of their reception, transmission, delivery and (or) processing.
In addition, Art. 10.1 of Law No. 149-FZ requires distributors of information, such as internet and telecom companies, messengers, email services, forums and other platforms that allow the exchange of information on the internet, to store in the territory of the Russian Federation the following information:
- Information on the facts of reception, transmission, delivery and/or processing of voice information, written text, images, sounds, video or other electronic messages of internet users and information about these users for one year after the end of such actions;
- Text messages of internet users, voice information, images, sounds, video and other electronic messages of internet users up to six months from the end of their reception, transmission, delivery and/or processing.

Art. 12 of Federal Law No. 152-FZ prohibits the cross-border transfer of data to countries that do not provide adequate protection of data subjects. However, cross-border transfers of personal data are permitted in the following circumstances: (i) approved by the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) as providing adequate protection, which will include countries party to Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108); or (ii) in cases where such transfer is necessary to protect the life, health, or other vital interests of the data subject or other persons. Starting from 1 March 2023, operators have to notify any cross-border transfers of personal data before such transfers and, for transfers to countries which are not 'adequate', obtain permission from the Roskomnadzor for the transfer, with limited exceptions.

Russia has not joined any agreement with binding commitments to open transfers of data across borders.

Federal Law No. 152-FZ provides a comprehensive regime of data protection in the Russian Federation and follows an approach similar to that of EU Directive 95/46/EC. However, data protection in Russia is regulated by several laws in addition to the Law about Personal Data; other notable laws include the Federal Law No. 149-FZ of 27 July 2006 on Information, Information Technologies and Protection of Information.

Russian news aggregators are required to store the news disseminated, information about the news source, as well as information about the terms of its dissemination for six months and to provide access to such information to the Russian Federal Service for Supervision of Telecom, Information Technologies and Mass Media.

According to Art. 19 of the Law No. 152-FZ, the data operator should take all reasonable organisational and technical measures when processing personal data in order to prevent unauthorised access to personal data, its destruction, alteration, blocking, copying, distribution or conduct of other illegitimate acts.
Art. 22.1 of the Law, which has been in force since 2011, requires the appointment of a person responsible for organising the processing of personal data. This person is responsible for organising the processing of personal data and should:
- exercise internal control over compliance by the operator and its employees with the legislation of the Russian Federation concerning personal data, including requirements relating to the protection of personal data;
- make employees of the operator aware of the provisions of the legislation of the Russian Federation concerning personal data, of by-laws on the processing of personal data and of requirements relating to the protection of personal data;
- organise the acceptance and processing of applications and requests from data subjects or their representatives and (or) exercise control over the acceptance and processing of such applications and requests.

Federal Law No. 374-FZ provides that Internet and telecommunications companies are required to disclose communications and metadata, as well as “all other information necessary,” to authorities on request and without a court order. The law penalises companies that fail to disclose requested information with fines of up to one million rubles (approx. USD 16,500) (Arts. 11, 13, 15).

Federal Law of July 29, 2004, on Commercial Secrecy and Russian Civil Code provide a framework for the effective protection of trade secrets. The Civil Code (Part 4) regulates issues associated with trade secrets. Any unlawful use of a trade secret, including unlawful receipt or disclosure of the trade secret, constitutes trade secret infringement. Additionally, the Federal Law of July 29, 2004, on Commercial Secrecy defines trade secrets as any type of information (e.g. production, technological, economic, organisational, etc.) that is not generally known to which the general public does not have open access, and with respect to which the owner of such information has instituted the regime of trade secrecy.

The so-called “Anti-Piracy Law” establishes a safe harbour for Internet Service Providers (ISPs) in certain cases. According to Art. 1253.1 introduced by this Law to Part IV of the Civil Code, an information intermediary transferring material in an information and telecommunication network is not responsible for the violation of IP rights resulting from this transfer, provided that the following conditions simultaneously exist: (i) he is not the initiator of this transfer and does not determine the recipient of the specified material; (ii) he does not change the specified material when providing communication services, with the exception of changes made to ensure the technological process of transferring the material; (iii) he did not know and should not have known that the use of the corresponding result of intellectual activity or means of individualisation by the person who initiated the transfer of material containing the corresponding result of intellectual activity or means of individualisation is illegal.
In addition, according to the Article, an information intermediary providing the possibility of posting material in an information and telecommunications network is not responsible for the violation of IP rights that occurred as a result of the posting of materials in the network by a third party or at his direction, while the intermediary observes the following conditions: (i) he did not know and should not have known that the use of the corresponding result of intellectual activity or means of individualisation contained in such material is illegal; (ii) in case of receiving in writing a statement of the copyright holder about the infringement of intellectual rights with an indication of the website page and (or) the network address on the Internet on which such material is posted, he took the necessary and sufficient measures in a timely manner to stop the infringement of intellectual rights. (the so-called "Notice and takedown" rule).
The information intermediary, who is not held responsible for the violation of IP rights accordingly, may be subject to claims for the protection of IP rights, including the removal of information that violates exclusive rights or restricting access to it.

Russia is not a party to the World Trade Organization (WTO) Agreement on Government Procurement (GPA). However, the country has been an observer of the WTO GPA since 2013.

Under Art. 2 of Federal Law No. 57, foreign states, international organisations, and entities under their control — including those established in Russia — are prohibited from entering into transactions that would grant them a majority interest in business entities deemed strategically important for national defence and state security. Consequently, foreign state-controlled investors are restricted from acquiring more than 50% of shares or majority voting rights in such companies.
According to Art. 6 of the law business strategically important for national defence and state security include those involved in the development and production of encryption tools, maintenance of cryptographic systems, and provision of encryption services, as well as activities such as detecting covert information-gathering devices.

The Law on Mass Media, initially enacted in 1991 and subsequently amended multiple times, underwent significant revisions in January 2016 concerning foreign ownership regulations. According to Art. 19-1, foreign entities such as foreign states, international organisations, entities under their control, foreign legal entities, Russian legal entities with foreign participation, foreign citizens, stateless persons, and Russian citizens holding dual citizenship are prohibited from acting as founders or participants of mass media organisations, editorial offices of mass media, or entities engaged in broadcasting. Additionally, Art. 19-1 prohibits direct or indirect possession, management, or control by the aforementioned foreign entities or individuals of more than 20% of shares in the authorised capital of entities involved in mass media or broadcasting activities. This has led to large-scale redistribution of property in the media market and the departure from Russia of a number of major international publishers (e.g. Finnish Sanoma, Axel Springer, the German, the American Dow Jones and FT Group). Other foreign shareholders in the Russian media either reduced their stakes in Russian media or re-registered their ownership in the Russian jurisdiction.

According to Art. 6 of Federal Law No. 160-FZ (amended in 2017), transactions involving Russian business entities by foreign investors require prior approval under Art. 57 of Federal Law No. 57 on "Procedures for Foreign Investments in Companies Having Strategic Importance for National Security and Defence". This law aims to safeguard national defence and security interests. Following the 2017 amendments, the Government Commission for Control over Foreign Investments, as outlined in Art. 12 of Federal Law No. 57, has the authority to impose additional conditions on foreign investors seeking approval for transactions deemed critical to protect national defence and state security.