
On 27 November 2024 the Federation Council approved two bills, No. 502104-8 and No. 502113-8, which substantially change the sanctions that may be imposed for personal data breaches. The proposed amendments are expected to put into effect the large-scale reform of liability for personal data processing violations which Roskomnadzor announced last year.
These developments make it all the more important for data operators to pay close attention to compliance with regulatory requirements relating to data protection and ensure the effective organization of internal processes within their companies.
Administrative sanctions
In its current wording, Bill No. 502104-8 establishes new offenses under Article 13.11 of the Administrative Offences Code, which are summarized below.
| Offense | Maximum fine for legal entities |
| --- | --- |
| Failure to notify Roskomnadzor of the intention to carry out personal data processing or violation of the time limits for such notification | 300,000 rubles |
| Failure to notify Roskomnadzor of a personal data leakage, or violation of the time limits for such notification | 3,000,000 rubles |
| Leakage of personal data of from 1,000 to 10,000 data subjects and (or) from 10,000 to 100,000 identifiers* | 5,000,000 rubles |
| Leakage of personal data of from 10,000 to 100,000 data subjects and (or) from 100,000 to 1,000,000 identifiers | 10,000,000 rubles |
| Leakage of personal data of more than 100,000 data subjects and (or) more than 1,000,000 identifiers | 15,000,000 rubles |
| Leakage of special category personal data | 15,000,000 rubles |
| Leakage of biometric personal data | 20,000,000 rubles |
| Repeated leakage of personal data | Up to 3% of aggregate revenue for the preceding calendar year or the amount of a credit organization’s equity capital, but not less than 20,000,000 rubles and not more than 500,000,000 rubles |
| Repeated leakage of biometric personal data and (or) special category personal data | Up to 3% of aggregate revenue for the preceding calendar year or the amount of a credit organization’s equity capital, but not less than 25,000,000 rubles and not more than 500,000,000 rubles |

* An identifier is a unique piece of data about an individual which is contained in the information system of a personal data operator.
The bill also lays down mitigating circumstances, which include the following:
- The operator’s annual expenditure on information security measures carried out by an organization in accordance with an appropriate license has for 3 years amounted to at least 0.1% of annual revenue or the amount of the equity capital of a credit organization;
- There is documentary evidence that the operator has complied with personal data protection requirements for 12 months;
- There are no aggravating circumstances.
Aggravating circumstances include the continuation of unlawful behavior and the previous imposition of administrative sanctions for personal data processing and information security breaches.
If the bill is passed in its current wording, it will enter into force 180 days after publication.
Criminal liability
Bill No. 502113-8 proposes to insert in the Criminal Code an Article 272.1 devoted to the unlawful processing of personal data.
The unlawful use and (or) transmission, collection and (or) storage of information containing personal data, which was obtained through unlawful access to, or other interference in, means for the processing and storage of such information or by other unlawful means, may result in sanctions up to and including imprisonment for up to 4 years.
Where such actions involve the cross-border transmission of personal data, sanctions may take the form of imprisonment for up to 8 years with a fine of up to 2,000,000 rubles and deprivation of the right to hold certain positions or engage in certain activities for up to 4 years.
The current version of the bill does not specify a date of entry into force, which means that, if passed, it would take effect 10 days from the date of official publication.
* * *
The proposed amendments have a significant bearing on the assessment of risks associated with personal data processing. Given that there is time before the new rules on administrative and criminal liability for personal data breaches come into effect, we advise companies to focus on auditing their own activities to ensure that they are compliant with the law and best practices.
B1 Legal Services
The B1 team has substantial experience of advising international and Russian clients on matters related to personal data processing and would be happy to provide you with support in this area.
Authors

- Vasily Makovkin, B1 Partner, Legal Services
- Anton Sidnin, B1 Senior Associate, Legal Services
- Polina Bychenok, B1 Associate, Legal Services


New sanctions for personal data breaches
28.11.2024
