
Russia's FSB Can Now Copy Any Company's Database Without a Warrant — Gutting Its Own Personal-Data Law

A law in force since April 1, 2026 lets the FSB image any organization's database on an internal directive, overriding bank secrecy and Russia's 152-FZ.

[Infographic: "Surveillance by Directive: Russia's April 2026 FSB D…" (People of Internet Research · Russia, peopleofinternet.com)]

Key Takeaways

On April 1, 2026, an amendment to Russia's Federal Security Service Act took effect that lets the FSB obtain free copies of the databases of any organization operating in Russia — banks, telecoms, hospitals, universities, scientific institutes, and private firms — without a court order. The provision, slipped into Bill No. 974777-8 (a measure originally about firearms-permit deadlines) and passed in its final reading in December 2025, requires only an administrative directive from the FSB's director, a deputy, or the head of a territorial office. The statutory text is blunt: FSB bodies "have the right to freely obtain copies of databases (or parts of databases) belonging to organizations" that contain information "necessary to fulfill their assigned duties."

This is not a tweak to an existing surveillance regime. It converts a power previously limited to state bodies and extra-budgetary funds into a blanket entitlement over the entire private sector, and it does so by routing around the two legal regimes Russians were told protected them: bank secrecy and Federal Law No. 152-FZ "On Personal Data."

The security case, stated fairly

Every government has a legitimate interest in lawful access to data for counterterrorism, counterintelligence, and serious-crime investigations. In a country facing active drone strikes and sabotage, the FSB's claim that it needs faster access than a contested court process allows is not frivolous on its face. Democracies, too, compel disclosure of records — but through warrants, particularity requirements, judicial review, and after-the-fact transparency. The relevant question is never whether the state may access data, but under what constraints.

By that standard, the April 1 law fails on every axis that matters.

No court, no target, no real oversight

The defining feature of proportionate lawful access is that it is targeted and supervised. This law is neither. There is no judicial authorization, no requirement that the data relate to a specific suspect or offense, and no independent body verifying what is taken or whether it is ever deleted. The statute includes nominal safeguards — copies "must be destroyed once their purpose is achieved," and officials "bear responsibility" for unlawful use. But as Bloomberg reported, there is no oversight mechanism to confirm that deletion happens, and the FSB itself defines the format and conditions of its own directives.

Mikhail Tevs, legal chief at IDX, told CNews that the law does not even name Russia's personal-data statute as a constraint, creating "legal uncertainty" over how it interacts with 152-FZ, banking secrecy, tax secrecy, and attorney-client privilege — and warned that FSB access will "bypass key safeguards of 152-FZ, such as the subject's consent." A data-protection law that any security directive can override is not a data-protection law; it is a formality.

A self-inflicted wound on the data economy

Here the pro-innovation objection is not merely about civil liberties — it is about economics. Modern digital economies run on trust: customers share data with banks and platforms on the implicit promise that it is held securely and disclosed only under law. A regime in which the security service can image an entire customer database on a deputy director's signature destroys that promise wholesale.

The practical effects are predictable. Firms will minimize the data they hold in Russia, encrypt defensively, or route sensitive processing abroad — the opposite of the data localization Moscow has spent a decade demanding. Bulk copies of whole databases are also a security liability in their own right: Russia already suffers a thriving black market in leaked official and corporate records ("probiv"). Concentrating database copies inside an agency with no external audit multiplies the attack surface for exactly the leaks the state claims to fight.

Foreign banks in the crosshairs

The law lands hardest on the foreign institutions still operating in Russia. Raiffeisen Bank International and UniCredit — the two largest Western lenders remaining — must now configure their IT systems to surrender data on demand, and major banks face separate FSB orders to monitor messages inside banking apps. That places them in direct conflict with the GDPR and their home-country supervisors, sharpening an already painful dilemma about whether they can remain at all. Alexander Khurudzhi of the pro-business New People party acknowledged the obvious: this is "a particularly sensitive issue for banks and the financial sector."

The pattern, and the cost

The database law is not isolated. By Bloomberg's count, the FSB's powers were expanded five times in the first quarter of 2026 alone; since February the service can order communications and internet shutdowns on terms set personally by the president, with no obligation to show grounds. As political scientist Ekaterina Schulmann put it, the system is being "built, essentially, for the convenience of the security enforcers."

A proportionate state treats bulk access to private data as an exceptional, judicially supervised act. Russia has made it the default, available on an internal memo. The likely yield — marginal gains the FSB could largely have obtained through targeted, warranted requests — is dwarfed by the cost: a hollowed-out data-protection regime, an accelerated exit of foreign capital, and a domestic data economy taught that nothing it stores is ever truly private. That is not security. It is the methodical dismantling of the trust digital economies are built on.

Sources & Citations

  1. ConsultantPlus — amended FSB Act text (article on database copies)
  2. Garant — Federal Law No. 152-FZ 'On Personal Data' (2006)
  3. Bloomberg (via Taipei Times) — Putin tightens the screws with FSB
  4. CNews — FSB granted right to obtain copies of any organization's databases
  5. Interfax — FSB to access copies of organizations' databases from April 1, 2026
  6. Meduza — Russia's parliament passes law letting FSB order communications blocked