
Law Messenger

New sanctions for personal data breaches

28.11.2024


On 27 November 2024 the Federation Council approved two bills, No. 502104-8 and No. 502113-8, which substantially change the sanctions that may be imposed for personal data breaches. The proposed amendments are expected to put into effect the large-scale reform of liability for personal data processing violations which Roskomnadzor announced last year.

These developments make it all the more important for data operators to pay close attention to compliance with regulatory requirements relating to data protection and ensure the effective organization of internal processes within their companies.

Administrative sanctions

In its current wording Bill No. 502104-8 establishes new offenses under Article 13.11 of the Administrative Offences Code, which are summarized below.

| Offense | Maximum fine for legal entities |
| --- | --- |
| Failure to notify Roskomnadzor of the intention to carry out personal data processing, or violation of the time limits for such notification | 300,000 rubles |
| Failure to notify Roskomnadzor of a personal data leakage, or violation of the time limits for such notification | 3,000,000 rubles |
| Leakage of personal data of 1,000 to 10,000 data subjects and (or) 10,000 to 100,000 identifiers* | 5,000,000 rubles |
| Leakage of personal data of 10,000 to 100,000 data subjects and (or) 100,000 to 1,000,000 identifiers | 10,000,000 rubles |
| Leakage of personal data of more than 100,000 data subjects and (or) more than 1,000,000 identifiers | 15,000,000 rubles |
| Leakage of special category personal data | 15,000,000 rubles |
| Leakage of biometric personal data | 20,000,000 rubles |
| Repeated leakage of personal data | Up to 3% of aggregate revenue for the preceding calendar year or the amount of a credit organization's equity capital, but not less than 20,000,000 rubles and not more than 500,000,000 rubles |
| Repeated leakage of biometric personal data and (or) special category personal data | Up to 3% of aggregate revenue for the preceding calendar year or the amount of a credit organization's equity capital, but not less than 25,000,000 rubles and not more than 500,000,000 rubles |

*An identifier is a unique piece of data about an individual which is contained in the information system of a personal data operator.

The bill also lays down mitigating circumstances, which include the following:

  • The operator’s annual expenditure on information security measures carried out by an organization in accordance with an appropriate license has for 3 years amounted to at least 0.1% of annual revenue or the amount of the equity capital of a credit organization;
  • There is documentary evidence that the operator has complied with personal data protection requirements for 12 months;
  • There are no aggravating circumstances.

Aggravating circumstances include the continuation of unlawful behavior and the previous imposition of administrative sanctions for personal data processing and information security breaches.

If the bill is passed in its current wording, it will enter into force 180 days after publication.

Criminal liability

Bill No. 502113-8 proposes to insert in the Criminal Code an Article 272.1 devoted to the unlawful processing of personal data.

The unlawful use and (or) transmission, collection and (or) storage of information containing personal data, which was obtained through unlawful access to, or other interference in, means for the processing and storage of such information or by other unlawful means, may result in sanctions up to and including imprisonment for up to 4 years.

Where such actions involve the cross-border transmission of personal data, sanctions may take the form of imprisonment for up to 8 years with a fine of up to 2,000,000 rubles and deprivation of the right to hold certain positions or engage in certain activities for up to 4 years.

The current version of the bill does not specify a date of entry into force, which means that, if passed, it would take effect 10 days from the date of official publication.

 *  *  *

The proposed amendments have a significant bearing on the assessment of risks associated with personal data processing. Given that there is time before the new rules on administrative and criminal liability for personal data breaches come into effect, we advise companies to focus on auditing their own activities to ensure that they are compliant with the law and best practices.

 

B1 Legal Services

The B1 team has substantial experience of advising international and Russian clients on matters related to personal data processing and would be happy to provide you with support in this area.

Authors

Vasily Makovkin, B1 Partner, Legal Services

Anton Sidnin, B1 Senior Associate, Legal Services

Polina Bychenok, B1 Associate, Legal Services