On November 27, 2024 the Federation Council approved laws amending the Criminal Code of the Russian Federation and the Code of Administrative Offences of the Russian Federation and toughening liability for violations of the law in the area of personal data (in accordance with the previously introduced Draft Laws: No. 502104-8 “On Amending the Code of Administrative Offences of the Russian Federation” and No. 502113-8 “On Amending the Criminal Code of the Russian Federation”).
According to the explanatory memorandum, the current liability is disproportionate and incommensurate with the potential socially dangerous consequences that a personal data leakage may entail. Toughening the liability will help to encourage operators to invest in the development of information security infrastructure and personal data protection.
The main amendments to the Code of Administrative Offences of the Russian Federation
1. Depending on the amount of leaked information, it is proposed to establish the following gradation of liability for legal entities:
| Offence | Liability |
|---|---|
| Personal data leakage affecting from 1 thousand to 10 thousand personal data subjects, or from 10 thousand to 100 thousand unique indications of information about natural persons necessary to identify such persons ("identifiers") | Administrative fine in the amount of 3 million to 5 million rubles |
| Personal data leakage affecting from 10 thousand to 100 thousand personal data subjects, or from 100 thousand to 1 million identifiers | Administrative fine in the amount of 10 million to 15 million rubles |
| Personal data leakage affecting more than 100 thousand personal data subjects, or more than 1 million identifiers | Administrative fine in the amount of 5 million to 10 million rubles |
| Repeated commission of any of the above offenses | Turnover-based fine in the amount of 1/10 to 3% of the consolidated revenue, but not less than 15 million and not more than 500 million rubles |
2. Leakage of special categories of personal data (including information on the health status of citizens) may lead to administrative liability for legal entities in the form of a fine in the amount of 10 million to 15 million rubles.
If the leakage of special categories of personal data was preceded by the operator (a legal entity) being brought to administrative responsibility for one of the administrative violations mentioned above, the amount of the fine will be from 1/10 to 3% of the consolidated revenue, but not less than 25 million and not more than 500 million rubles.
3. It is proposed to increase the amount of fines for personal data processing in cases not covered by the current legislation, particularly:
| Offence | Liability |
|---|---|
| Failure to fulfill, or failure to timely fulfill, the operator’s obligation to notify the authorized body of the intention to process personal data | Administrative fine in the amount of up to 300 thousand rubles |
| Unlawful transfer of personal data resulting in violation of the rights of personal data subjects (personal data leakage) | Administrative fine in the amount of 1 million to 3 million rubles |
4. It is also important that the current version of the draft law No. 502104-8 establishes liability for individual entrepreneurs for a number of administrative offenses related to violations in the field of personal data processing, in the same amount as for legal entities.
5. In addition to the amendments mentioned above, some liability issues have already undergone changes: on December 12, 2023, Federal Law No. 589-FZ “On Amendments to the Code of Administrative Offences of the Russian Federation” was adopted, which will come into force on December 23, 2023. This law toughens liability for processing personal data without the written consent of the personal data subject (part 2 of Article 13.11 of the Code of Administrative Offences of the Russian Federation) in the form of a fine from 300 thousand to 700 thousand rubles, and in case of repeated violation from 1 million to 1.5 million rubles. The new amendments change the amount of sanctions under part 1 of Article 13.11 of the Code of Administrative Offences of the Russian Federation:
| Offence | Liability |
|---|---|
| Processing of personal data in cases that are not provided for by the Russian legislation in the field of personal data. Processing of personal data incompatible with the purposes of its collection | Administrative fine in the amount of 150 thousand to 300 thousand rubles; administrative fine in the amount of 300 thousand to 500 thousand rubles for repeated violation |
6. Special cases establishing liability for violations of requirements in the field of biometric personal data processing (BPDn) are also introduced:
- violation of the procedure for processing of personal data: administrative fine in the amount of 500 thousand to 1 million rubles (part 2 of Article 13.11.3 of the Code of Administrative Offences of the Russian Federation);
- failure to take organizational and technical measures to ensure the security of personal data during their processing: administrative fine in the amount of 1 million to 1.5 million rubles (part 3 of Article 13.11.3 of the Code of Administrative Offences of the Russian Federation);
- processing of personal data without accreditation: administrative fine in the amount of 1 million to 2 million rubles (part 4 of Article 13.11.3 of the Code of Administrative Offences of the Russian Federation);
- an operator's action (or inaction) resulting in unlawful transfer (provision, distribution, access) of information including BPDn: administrative fine in the amount of 15 million to 20 million rubles (part 3 of Article 13.11.3 of the Code of Administrative Offences of the Russian Federation).
The law provides for a number of mitigating circumstances, taken into account in the case of offenses provided for by paragraphs 15 and 18 of Article 13.11 of the Code of Administrative Offences of the Russian Federation, if the operator satisfies all of the following conditions together:
1) Annual investments by the operator (in the amount of at least 0.1% of turnover/revenue) in information security measures within the 3 years preceding the time of discovery of the offense;
2) Documentary confirmation of compliance with the requirements for personal data protection during their processing in personal data information systems (ISPDNs) within the 12 years preceding the time of discovery of the offense;
3) Absence of aggravating circumstances, namely (a) continuation of unlawful behavior despite the requirement of authorized persons to stop it; (b) failure to bring to administrative responsibility in a number of cases, including violation of information protection rules (Article 13.12 of the Code of Administrative Offences of the Russian Federation), etc.
The main amendments to the Criminal Code of the Russian Federation
A new offense (Article 272.1) has been added to the Criminal Code of the Russian Federation, which provides for liability for illegal collection and/or storage and/or transfer of personal data obtained without legal grounds. The sanction for this offense provides for a fine of up to 300 thousand rubles, or four years of compulsory labor, or imprisonment for a similar term.
Qualifying features of this corpus delicti are the same acts committed:
- in relation to personal data belonging to minors, or special or biometric personal data. The guilty party in this case may be fined up to 700 thousand rubles, or sentenced to forced labor for up to five years, or imprisoned for the same term;
- out of self-interest, or by a group of persons by prior conspiracy, or causing major damage, or by using an official position. Under such circumstances, the perpetrator faces a fine of up to 1 million rubles, or compulsory labor for up to 5 years, or imprisonment for up to 6 years;
- in the case of cross-border transfer. Such an act is punishable by imprisonment for up to 8 years and a fine of up to 2 million rubles;
- by an organized group, or entailing grave consequences. Punishable by imprisonment for up to 10 years and a fine of up to 3 million rubles.
Separate liability in the form of a fine of up to 700 thousand rubles, or compulsory labor for up to 5 years, or imprisonment for the same term is provided for creating and/or ensuring the functioning of a website and/or a page of a website whose purpose is the knowingly illegal storage or transfer of personal data obtained without legal grounds.
The above does not apply to personal data processing by natural persons exclusively for personal and family needs.
Toughening administrative and criminal liability should encourage taking necessary measures for personal data protection, investing more money in the information security of each company, as well as preventing possible offenses and crimes in the field of personal data processing.