LEGISLATION TOUGHENS LIABILITY FOR PERSONAL DATA LEAKAGE


On November 30, 2024, the President of the Russian Federation signed amendments tightening liability for personal data leakage.
The amendments were introduced in:

It should be noted that this was not a simple tightening of administrative liability by increasing fines for certain offenses. A fundamental innovation is that the legislation introduced a system of turnover-based fines (fines calculated as a percentage of the offender's revenue). Another innovation is the introduction of criminal liability for violations of personal data legislation. This is especially important because the amendments to the Criminal Code (CC RF) have already entered into force. The amendments to the Code of Administrative Offenses (CAO RF) will come into force on May 30, 2025.
In effect, the legislation has given companies whose activities involve the processing of personal data a six-month period to audit their internal systems for possible vulnerabilities and, if such vulnerabilities are identified, to take all possible measures to mitigate those risks and strengthen control over the processing of personal data.

More on the rest of the story below.
What has changed in the CAO RF?

The fines under the general offense (part 1) of Article 13.11 of the CAO RF have been increased: the upper limit of liability for an official (for example, the CEO of the company or the head of the HR department, provided that they are responsible for the processing of personal data in the company) is now 100,000 (one hundred thousand) rubles, and for the company itself 300,000 (three hundred thousand) rubles.

New elements of offenses (parts 10-18 of Article 13.11 of the CAO RF) have also been introduced. From May 30, 2025, only companies (not their officials) and individual entrepreneurs will be punished under separate offenses for:

  • failure to notify Roskomnadzor, where such notification is mandatory, including of the fact of an unlawful or accidental transfer of personal data, with a fine of up to 3,000,000 (three million) rubles;
  • unlawful dissemination of personal data:
    ◦ (up to) 10,000 (ten thousand) subjects or (up to) 100,000 (one hundred thousand) identifiers (e.g., passport number and series, telephone number, e-mail address, and so on): a fine of up to 5,000,000 (five million) rubles;
    ◦ (up to) 100,000 (one hundred thousand) subjects or (up to) 1,000,000 (one million) identifiers: a fine of up to 10,000,000 (ten million) rubles;
    ◦ (from) 100,000 (one hundred thousand) subjects or (from) 1,000,000 (one million) identifiers: a fine of up to 15,000,000 (fifteen million) rubles;
    ◦ if the person was previously held liable for unlawful dissemination of personal data: a fine of up to 3% (three percent) of the total revenue for the year preceding the violation, or for the specific period (e.g., quarter) in which the violation was committed, or of the amount of own funds, but not more than 500,000,000 (five hundred million) rubles;
  • unlawful dissemination of special categories of personal data and biometric personal data: a fine of up to 20,000,000 (twenty million) rubles, and for a person previously prosecuted for unlawful dissemination of special categories of personal data and biometric personal data, also a turnover-based fine as for unlawful dissemination of personal data (see above).
And a little about the changes in the CC RF

The legislation introduced a separate article (Article 272.1 of the CC RF) that provides for criminal liability for a person who has committed a particularly serious violation of personal data legislation, expressed in the unlawful processing of computer information containing personal data (including special categories of personal data and biometric personal data) that was obtained unlawfully.

It also provides for criminal liability for the creation or operation of information resources (e.g., a website, information system, program, etc.) knowingly intended for the unlawful processing of computer information containing personal data obtained unlawfully.

Separate liability for the above-mentioned infringements is provided where they involve the cross-border transfer or movement of personal data obtained unlawfully.

In the most extreme case, liability may take the form of imprisonment for up to 10 (ten) years and a fine of up to 3,000,000 (three million) rubles, with deprivation of the right to engage in certain activities for up to 5 (five) years.