News Arno

Russia plans to significantly toughen liability for personal data leaks

A package of bills on tightening liability for personal data leaks is included in the State Duma's work schedule for 2024.

The size of fines for company officials will be from RUB 800,000 to RUB 2 million (approx. from USD 8,800 to USD 22,000), for legal entities from RUB 3 million to RUB 15 million (approx. USD 33,000 to USD 165,000). In some cases, the liability can be up to tens and hundreds of millions of rubles. For data thieves – up to 10 years of imprisonment.

Fines for legal entities and individual entrepreneurs may amount to:

· from RUB 3 million to RUB 5 million if the leak concerns 1,000 to 10,000 personal data subjects;
· from RUB 5 million to RUB 10 million if the leak concerns 10,000 to 100,000 data subjects;
· from RUB 10 million to RUB 15 million if the leak concerns 100,000 or more data subjects.

In the event of a repeat offence (1,000 data leaks or more), a fine of RUB 15 million to RUB 500 million (approx. up to USD 5.5 million) will be imposed. The exact figure is proposed to be calculated as a share of the company's revenue for the calendar year preceding the violation (from 0.1% to 3%).

For the leakage of special categories of information (for example, medical information), the bill introduces a fine of RUB 10 million to RUB 15 million.

The authors of the amendments propose that both professional cybercriminals and ordinary company employees who decide to earn money by "leaking" information be held criminally liable. The punishment could be up to 10 years of imprisonment.

Recently, the number of data leaks at Russian companies has increased by a third, according to a study by Kaspersky Lab. A total of 133 leak cases were recorded, although fewer of them were publicly announced. The volume of published data has increased by 33%.

Nevertheless, the bill has met with a mixed response from businesses. For example, banks did not support the introduction of turnover-based fines for personal data leaks and propose removing turnover fines for repeated leaks from the bill. According to the banks, "a large fine can only act as an incentive when organisations can prevent its payment by their good faith actions." The banks propose that fines for repeated leaks should instead be set at a fixed level, between RUB 15 million (approx. USD 165,000) and RUB 30 million (approx. USD 330,000), depending on the category of data.

The banks also propose that liability should be imposed not for any leakage of personal data, but only for leaks resulting from a failure by a bank or any other company that handles data to fulfil the established information security requirements. In addition, it is proposed to postpone the effective date of the new law by one year after its adoption.

Currently, the draft laws are being actively discussed in the State Duma, as well as within the expert community. We are monitoring the discussions and will keep you informed as new information becomes available.