The need to increase the level of protection of citizens' biometric personal data (PD), as well as to prevent the leakage of their personal information, were the prerequisites for introducing amendments to the current legislation. The authorities have repeatedly emphasized the need to toughen sanctions for the leakage of personal data, and in June this year the State Duma considered and passed in the first reading the bill, which toughens penalties for illegal processing and leakage of biometric personal data. At the moment, the bill is being prepared for the second reading, and if the proposed version of the Code of Administrative Offences is adopted, fines for personal data leakage may increase significantly.
Along with the processing of personal data without consent (in writing), the draft law proposes to establish administrative liability for placing biometric personal data in the unified biometric system, in other information systems providing identification and (or) authentication using biometric personal data of individuals, in violation of the established requirements, as well as to increase the existing liability for the illegal processing of personal data, both for the initial and repeated commission of such administrative offenses.
Thus, processing of personal data without written consent of the subject of personal data in cases when such consent must be obtained in accordance with the legislation of the Russian Federation, as well as placement of biometric personal data in the unified biometric system, in other information systems that provide identification and (or) authentication using biometric personal data of individuals, in violation of the requirements established by the legislation of the Russian Federation in the field of personal data will entail the imposition of administrative sanctions.
And the repeated commission of the specified administrative offense will entail the imposition of an administrative fine:
According to the media, the authors of the bill in the second reading also propose to significantly increase fines for processing personal data without written consent and for citizens – up to 15 thousand rubles (currently: from 6 to 10 thousand rubles).
It is also worth noting the position of the Government of the Russian Federation, according to which the liability proposed by the draft law should be established by introducing Article 13.112 in the Code of Administrative Offences, allocating in an independent part of the responsibility for officials of credit organizations. This proposal is likely to be discussed in the course of further work on the draft law.
Along with the processing of personal data without consent (in writing), the draft law proposes to establish administrative liability for placing biometric personal data in the unified biometric system, in other information systems providing identification and (or) authentication using biometric personal data of individuals, in violation of the established requirements, as well as to increase the existing liability for the illegal processing of personal data, both for the initial and repeated commission of such administrative offenses.
Thus, processing of personal data without written consent of the subject of personal data in cases when such consent must be obtained in accordance with the legislation of the Russian Federation, as well as placement of biometric personal data in the unified biometric system, in other information systems that provide identification and (or) authentication using biometric personal data of individuals, in violation of the requirements established by the legislation of the Russian Federation in the field of personal data will entail the imposition of administrative sanctions.
- on officials – from 100 to 300 thousand rubles (currently: from 20 to 40 thousand rubles);
- for legal entities – from 300 to 700 thousand rubles (currently: from 30 to 150 thousand rubles).
And the repeated commission of the specified administrative offense will entail the imposition of an administrative fine:
- on officials – from 300 to 500 thousand rubles (currently: from 40 to 100 thousand rubles);
- on individual entrepreneurs – from 500 thousand rubles to 1 million rubles (currently: from 100 to 300 thousand rubles);
- on legal entities from 1 to 1.5 million rubles (currently: from 300 to 500 thousand rubles).
According to the media, the authors of the bill in the second reading also propose to significantly increase fines for processing personal data without written consent and for citizens – up to 15 thousand rubles (currently: from 6 to 10 thousand rubles).
It is also worth noting the position of the Government of the Russian Federation, according to which the liability proposed by the draft law should be established by introducing Article 13.112 in the Code of Administrative Offences, allocating in an independent part of the responsibility for officials of credit organizations. This proposal is likely to be discussed in the course of further work on the draft law.