News Arno

Russia significantly tightened liability for personal data leaks as well as for several related data breaches

A package of bills tightening liability for personal data leaks was signed by Vladimir Putin on 30 November 2024. The new administrative fines will come into effect 180 days after the official publication of the bill (i.e. approximately by the end of May 2025). A further bill introducing criminal liability for data leaks will already take effect on 11 December 2024.

1. New administrative fines

A. Failure to register with Roskomnadzor as a data operator

  • up to RUB 50,000 (approx. USD 470) for chief company officers;
  • up to RUB 300,000 (approx. USD 2,830) for a legal entity.

B. Failure to notify Roskomnadzor of a data transfer which resulted in a breach of individual rights

  • up to RUB 800,000 (approx. USD 7,550) for chief company officers;
  • up to RUB 3,000,000 (approx. USD 28,300) for a legal entity.

C. Data leak affecting 1,000 to 10,000 data subjects or 10,000 to 100,000 identifiers (actions or inaction of the operator that resulted in unlawful transfer (provision, dissemination, access) of information, provided this does not qualify as a crime)

  • up to RUB 400,000 (approx. USD 3,800) for chief company officers;
  • up to RUB 5,000,000 (approx. USD 47,200) for a legal entity.

D. Data leak affecting 10,000 to 100,000 data subjects or 100,000 to 1,000,000 identifiers (actions or inaction of the operator that resulted in unlawful transfer (provision, dissemination, access) of information, provided this does not qualify as a crime)

  • up to RUB 500,000 (approx. USD 4,700) for chief company officers;
  • up to RUB 10,000,000 (approx. USD 94,000) for a legal entity.

E. Data leak affecting more than 100,000 data subjects or more than 1,000,000 identifiers (actions or inaction of the operator that resulted in unlawful transfer (provision, dissemination, access) of information, provided this does not qualify as a crime)

  • up to RUB 600,000 (approx. USD 5,700) for chief company officers;
  • up to RUB 15,000,000 (approx. USD 141,500) for a legal entity.

F. Repeated breach of C – D above and G – I below

  • up to RUB 1,200,000 (approx. USD 11,300) for chief company officers;
  • 1 to 3 percent of the aggregate revenue received from the sale of all goods (works, services) for the calendar year preceding the year in which the administrative offence was detected (or for the part of the calendar year preceding the date of detection, if the offender did not sell goods (works, services) in the preceding calendar year), or 1 to 3 percent of the own funds (capital) of a credit organisation as of the date of the administrative offence, but not less than RUB 20,000,000 and not more than RUB 500,000,000.

G. Data leak of special data categories

  • up to RUB 1,300,000 (approx. USD 12,300) for chief company officers;
  • up to RUB 15,000,000 (approx. USD 141,500) for a legal entity.

H. Data leak of biometric data

  • up to RUB 1,500,000 (approx. USD 14,150) for chief company officers;
  • up to RUB 20,000,000 (approx. USD 189,000) for a legal entity.

I. Breach of G or H above by a person who was fined under C – H

  • up to RUB 2,000,000 (approx. USD 18,900) for chief company officers;
  • 1 to 3 percent of the aggregate revenue received from the sale of all goods (works, services) for the calendar year preceding the year in which the administrative offence was detected (or for the part of the calendar year preceding the date of detection, if the offender did not sell goods (works, services) in the preceding calendar year), or 1 to 3 percent of the own funds (capital) of a credit organisation as of the date of the administrative offence, but not less than RUB 20,000,000 and not more than RUB 500,000,000.

Aggravating factors:

  • continued breach ignoring requests of authorities to stop the breach;
  • use of non-certified information security tools;
  • breach of information security requirements.

Mitigating factors:

  • during each of the three calendar years preceding the year in which the administrative offence was detected, the operator's annual spending on information security measures (carried out either by a certified information security company or in-house, provided the operator holds such a certification) was not less than one tenth of one percent of its annual aggregate revenue from the sale of all goods (works, services), or of the equity (capital) of a credit institution;
  • the operator complied with the applicable data protection requirements for the 12 months preceding the offence, subject to documentary confirmation of this fact;
  • there are no aggravating factors.

2. New criminal liability

A. Illegal use and (or) transfer, collection and (or) storage of computer information containing personal data, as well as creation and (or) ensuring the functioning of information resources intended for its illegal storage and (or) dissemination

  • a fine in an amount of up to RUB 300,000 (approx. USD 2,830), or
  • in the amount of the wages or other income of the convicted person for a period of up to 1 year, or
  • compulsory labor for a term of up to 4 years, or
  • imprisonment for a term of up to 4 years.

B. The same as A above if it concerns personal data of minors

  • a fine of up to RUB 700,000 (approx. USD 6,600), or
  • in the amount of the wages or other income of the convicted person for a period of up to 2 years, with or without deprivation of the right to hold certain positions or to engage in certain activities for a term of up to 2 years, or
  • compulsory labor for a term of up to 5 years, or
  • imprisonment for a term of up to 5 years.

C. A or B above if performed a) out of self-interest, or b) causing major damage, or c) by a group of persons by prior conspiracy, or d) using official position

  • a fine in an amount of up to RUB 1,000,000 (approx. USD 9,400), or
  • in the amount of the wages or other income of the convicted person for a period of up to 3 years with or without deprivation of the right to hold certain positions or to engage in certain activities for a period of up to 3 years, or
  • compulsory labor for a term of up to 5 years with a fine in an amount of up to RUB 1,000,000 (approx. USD 9,400) or in the amount of the wages or other income of the convicted person for a period of up to 3 years and with or without deprivation of the right to hold certain positions or to engage in certain activities for a term of up to 3 years, or
  • deprivation of the right to hold certain positions or to engage in certain activities for a term of up to 3 years.

D. A – C above associated with cross-border transfer of information or import/export of data carriers containing personal data

  • imprisonment for a term of up to 8 years with a fine of up to RUB 2,000,000 (approx. USD 18,900), or
  • the amount of the wages or other income of the convicted person for a period of up to 3 years and with or without deprivation of the right to hold certain posts or engage in certain activities for a term of up to 4 years.

E. A – D above if they resulted in grave consequences

  • imprisonment for a term of up to 10 years with a fine of up to RUB 3,000,000 (approx. USD 28,300), or
  • the amount of the wages or other income of the convicted person for a period of up to 4 years, with or without deprivation of the right to hold certain posts or engage in certain activities for a term of up to 5 years.

F. Creation and (or) ensuring the operation of an information resource (Internet site and (or) page of an Internet site, information system, software) knowingly designed for illegal storage, transmission (distribution, provision, access) of computer information containing personal data obtained by illegal means

  • a fine of up to RUB 700,000 (approx. USD 6,600), or
  • in the amount of the wages or other income of the convicted person for a period of up to 2 years, with or without deprivation of the right to hold certain posts or to engage in certain activities for a term of up to 2 years, or
  • compulsory labor for a term of up to 5 years with a fine of up to RUB 700,000 (approx. USD 6,600) or in the amount of the wages or other income of the convicted person for a period of up to 2 years, with or without deprivation of the right to hold certain positions or engage in certain activities for a term of up to 2 years, or
  • imprisonment for a term of up to 5 years with a fine of up to RUB 700,000 (approx. USD 6,600) or in the amount of the wages or other income of the convicted person for a period of up to 2 years, with or without deprivation of the right to hold certain positions or engage in certain activities for a term of up to 2 years.

The above criminal liability does not apply in cases of personal or family use.

In general, the above legislation is a major increase of pressure on business. The prospect of being fined even without fault (for example, if the system is hacked) was received negatively by the business community. Furthermore, some provisions are not entirely precisely drafted and can be read quite strictly; e.g. a transfer of data without consent might also be interpreted as giving rise to criminal liability under 2A above. As usual, it remains to be seen how the new laws will be enforced in practice.