Russia is tightening penalties in the field of personal data protection. The potentially significant fines that lie ahead confirm that Russian companies, and foreign companies active on the Russian market, should take personal data compliance seriously.
On 24 February 2015, the State Duma passed in the first reading a bill amending the Russian Code on Administrative Offences (the “Bill”) (the Bill is available below in Russian). The Bill proposes to (i) replace the generally worded administrative offence of breach of personal data law with several more clearly defined offences and (ii) substantially increase the corresponding fines. As can be seen from the summary table below, more serious breaches may give rise to fines as soon as the infringement is detected, whilst for less serious breaches a warning may first be served on the offending company. Corporate officials may also be held liable for the breaches of the personal data operator (however, we have not included the applicable fine ranges for officials in our summary table).
| Breach | Administrative sanctions: warning | Administrative sanctions: fine range for legal entities |
|---|---|---|
| Illegal processing of sensitive personal data | N/A | RUB 150,000 - 300,000 (approx. EUR 2,270 - 4,540) |
| Personal data processing without the consent of the relevant person or persons (“data subjects”) | N/A | RUB 30,000 - 50,000 (approx. EUR 455 - 760) |
| Breach of the secure storage rules for tangible media objects (where personal data is processed otherwise than by automatic means) | N/A | RUB 25,000 - 50,000 (approx. EUR 380 - 760) |
| Failure to comply with the requirements on written consent to personal data processing | Applicable | RUB 15,000 - 50,000 (approx. EUR 230 - 760) |
| Failure to amend, block access to or destroy personal data at the legitimate request of a data subject or competent authority | Applicable | RUB 25,000 - 45,000 (approx. EUR 380 - 680) |
| Failure to provide a data subject with information on the processing of his/her personal data | Applicable | RUB 20,000 - 40,000 (approx. EUR 300 - 600) |
| Failure to publish or otherwise make publicly available the personal data processing policy or information on its implementation | Applicable | RUB 15,000 - 30,000 (approx. EUR 230 - 460) |
Where several data subjects are affected by a particular data processing non-compliance, the liability of the personal data operator is not entirely clear from the wording of the Bill. Specifically, the question is whether the amounts set out in the above table are to be applied strictly ‘per breach’, or whether a series of breaches discovered in a single investigation may constitute one breach for the purposes of sanctions if those breaches are essentially the same but have been carried out in respect of several data subjects. One cannot rule out that the ‘per breach’ approach will be applied strictly, in which case fines could be substantial. In order to mitigate the risk of liability, we recommend that companies review their existing personal data processing and protection policies and procedures without delay.
The Bill is likely to undergo further changes before it is finally implemented. In particular, the introduction of an additional offence covering any failure to localise databases containing Russian citizens’ personal data in Russia is a distinct possibility. That said, the Bill already gives companies an insight into which aspects of the data protection requirements they should be concentrating on at this stage.
13/03/2015