
Toughening penalties in the field of personal data processing

The legislator continues to toughen penalties for personal data (PD) leakage, which should become a significant incentive for PD operators to invest in information security. Along with Bill No. 353266-8, adopted by the State Duma on November 30, 2023 in the second reading, which toughens penalties for illegal processing and leakage of biometric personal data, the Duma will consider Bill No. 502104-8 “On Amending the Code of Administrative Offences of the Russian Federation”, as well as Bill No. 502113-8 “On Amending the Criminal Code of the Russian Federation”, which provides for a significant increase in criminal liability for crimes related to the illegal trafficking of personal data. Both bills were registered and sent to the State Duma on December 4, 2023 and aim to significantly reduce the number of PD leaks in the Russian Federation.

If the first bill is adopted, the processing of personal data in cases not stipulated by law or the processing of personal data incompatible with the purposes of its collection will entail an administrative fine:
  • for citizens – from 10 to 15 thousand rubles (currently: from 2 to 6 thousand rubles),
  • for officials – from 50 to 100 thousand rubles (currently: from 10 to 20 thousand rubles),
  • for legal entities – from 150 to 300 thousand rubles (currently: from 60 thousand to 100 thousand rubles).

Repeated commission of the specified administrative offense will entail an administrative fine:
  • on citizens – from 15 to 30 thousand rubles (currently: from 4 to 12 thousand rubles),
  • on officials – from 100 to 200 thousand rubles (currently: from 20 to 50 thousand rubles),
  • on legal entities – from 300 to 500 thousand rubles (currently: from 100 thousand to 300 thousand rubles).

The Russian Code of Administrative Offences has also been supplemented with liability for an operator's failure to fulfill, or untimely fulfillment of, the obligation to notify Roskomnadzor of its intention to process personal data or of an established fact of unlawful transfer of personal data, as well as with the following fines for leakage of citizens' data, depending on the number of victims.

Thus, for actions resulting in the leakage of PD:
  • from 1,000 to 10,000 subjects and (or) from 1,000 to 100,000 unique designations of information about individuals (identifiers) necessary to identify such persons: the fine for citizens will be from 100 to 200 thousand rubles; for officials – from 800 thousand to 1 million rubles; for legal entities – from 3 to 5 million rubles.
  • from 10,000 to 100,000 subjects and (or) from 100,000 to 1 million identifiers: the fine for citizens will be from 200 to 300 thousand rubles; for officials – from 1 to 1.5 million rubles; for legal entities – from 5 to 10 million rubles.
  • more than 100,000 subjects and (or) more than 1 million identifiers: the fine for citizens will be from 300 to 400 thousand rubles; for officials – from 1.5 to 2 million rubles; for legal entities – from 10 to 15 million rubles.

The authors of the second bill propose to supplement the Criminal Code with Article 272.1 “Illegal use and (or) transfer, collection and (or) storage of computer information containing personal data, as well as creating and (or) ensuring the functioning of information resources intended for its illegal storage and (or) dissemination”. The minimum penalty for such a violation will be a fine of 300 thousand rubles (for biometric personal data – up to 700 thousand rubles), and the maximum – imprisonment for up to 10 years with a fine of up to 3 million rubles or in the amount of wages or other income of the convicted person for a period of up to 4 years with deprivation of the right to hold certain positions or engage in certain activities for up to 5 years.

The creation of information resources (a site on the Internet, information system, program) knowingly intended for illegal storage, transfer (distribution, provision, access) of computer information containing personal data will be singled out separately. The sanction will range from a minimum penalty in the form of a fine of up to 700 thousand rubles to a maximum of imprisonment for up to 5 years with a fine of up to 700 thousand rubles or other income of the convicted person for a period of up to 2 years, with deprivation of the right to hold certain positions or engage in certain activities for up to 2 years.