According to the Group-IB research, last year the amount of publicly released databases of Russian companies six times outnumbered those unlawfully made public in 2021. At the same time, special provisions, regulating liability for personal data leaks, are not foreseen neither in the Code of Administrative Offenses of Russia nor in the Criminal Code.
Therefore, on 4 December 2023, the draft laws No. 502104-8 “On Amendments to the Code of Administrative Offences of the Russian Federation” (“draft law No. 502104-8") and No. 502113-8 “On Amendments to the Criminal Code of the Russian Federation” (“draft law No. 502113-8”), providing toughening liability for personal data leakage, were submitted to the State Duma.
According to the explanatory notes to these draft laws, currently existing liability is disproportional and incomparable to the potential social harm which can personal data leakage result in.
The main amendments to the Code of Administrative Offences of Russia according to the draft law No. 502104-8:
1. It is planned to adopt a progressive scale, providing that the amount of the administrative fine depends on the extent of the leakage. Thus, the amount of the fine for legal entities will be:
Offence |
Liability |
Personal data leakage from thousand 1 to 10 thousand subjects of personal data, or from 10 to 100 thousand unique indications of information about natural persons necessary to identify such persons ("identifiers") |
Administrative fine in the amount of 3 million to 5 million rubles |
Personal data leakage from 10 thousand to 100 thousand subjects of personal data, or from 100 thousand to 1 million identifiers |
Administrative fine in the amount of 5 million to 10 million rubles |
Personal data leakage of more than 100 thousand subjects of personal data, or of more than 1 million identifiers |
Administrative fine in the amount of 10 million to 15 million rubles |
Repeated violation of the abovementioned offenses |
Turnover-based fine in the amount of 1/10 to 3% of the consolidated revenue, but not less than 15 million and not more than 500 million rubles |
2. Leakage of special categories of personal data (including the information about the health of citizens) may entail administrative liability for legal entities in the form of fine from 10 million to 15 million rubles.
If the leakage of the personal data of special categories was predated by bringing the operator-legal entity to administrative liability for one of the administrative offences above, the fine will amount from 1/10 to 3%of the consolidated revenue, but not less than 20 million rubles and not more than 500 million rubles.
3. It is proposed to increase the amount of fines for personal data processing in cases not covered by the current legislation, particularly:
Offence |
Liability |
Failure to fulfill or failure to timely fulfill the operator’s obligation to notify the authorized body of the intention to process personal data |
Administrative fine in the amount up to 300 thousand rubles |
Unlawful transfer of personal data resulting in violation of the rights of personal data subjects (personal data leakage) |
Administrative fine in the amount from 1 million to 3 million rubles |
4. It is also important that the current version of the draft law No. 502104-8 establishes liability for individual entrepreneurs for a number of administrative offenses related to violations in the field of personal data processing, in the same amount as for legal entities.
The main amendments to the Criminal Code of Russia according to the draft law No. 502113-8:
1. Criminal liability according to the draft law No. 502113-8 is provided for illegal usage and (or) transfer (distribution, provision, access), collection and (or) storage of computer information, containing personal data, obtained through unauthorized access to the means of its processing, storage or other interference into its functioning, or by other illegal means.
2. These actions may lead to increased liability if there are constituent elements, in case same acts committed towards a special category of personal data and (or) biometric personal data; acts, associated with trans-border transfer or movement of computer storage media; acts, causing major damage; acts, committed by a group of persons by prior agreement or with the use of official position, as well as by mercenary interest.
3. According to the draft law No. 502113-8, the sanction of introduced article 272.1 provides for both separate application of basic or additional punishments and their combination. For example, a leak aimed at causing harm to the life and health of a person or citizen, damage to the defense and/or security of the state and other protected values, as well as committed by an organized group, is punishable by imprisonment for up to 10 years with a fine in the amount of up to 3 million rubles or other income of the convicted person for a period of up to 4 years, with or without deprivation of the right to hold certain positions for up to 5 years.
4. It is also provided the liability for persons, created Internet resources and programs, allowing an illegal storage and (or) illegal access to computer information containing personal data of subjects. It is punished by the penalty at a rate up to 700 thousand rubles or in the amount of wages or other income of the convicted person for the period up to 2 years with deprivation of the right to hold the certain posts or to engage in the certain activities for the term up to 2 years or without it, or compulsory works for the term up to 5 years with the penalty at a rate up to 700 thousand rub. or other income of the convicted person for a period of up to 2 years with or without deprivation of the right to hold certain positions or engage in certain activities for a period of up to 2 years, or imprisonment for a term of up to 5 years with a fine of up to 700 thousand rubles or other income of the convicted person for a period of up to two years with or without deprivation of the right to hold certain positions or engage in certain activities for a term of up to 2 years.
It is noteworthy, that in the official response to the draft law No. 502113-8, the Deputy Chairman of the Supreme Court of the Russian Federation noted the absence of characteristics, allowing to distinguish the crime from the offense under Article 13.11 of the Code of Administrative Offences. Due to the fact that the amount of the fine provided for in the draft law 502104-8 of the Code of Administrative Offences depends on quantitative measures, we assume that the text of the article of the Criminal Code will also be supplemented with a quantitative measures or an indication of another qualifying feature.
It is also worth mentioning that the Federal law No. 589-FZ of 12 December 2023 “On Amendments to the Code of Administrative Offences of the Russian Federation” was adopted, and it will enter into force on 23 December 2023. This law toughens the liability for processing personal data without the written consent of the personal data subject in the form of a fine in the amount of 300 thousand to 700 thousand rubles, and in case of repeated violation – of 1 million to 1.5 million rubles.
It also implements a special liability for violations of requirements in the field of placement of biometric personal data. According to it, placement and updating by banks, MFCs and other organizations of biometric personal data of the personal data subject in GIS “Unified system of identification and authentication of natural persons using biometric personal data” with violation of the law requirements will entail criminal liability in the form of fine in the amount of 500 thousand to 1 million rubles for legal entities.
Toughening of administrative and criminal liability should contribute to the adoption of necessary measures for personal data protection, investing large funds in information security of each company, as well as preventing possible offenses and crimes in the field of personal data processing.