On 30 November 2024, Laws No. 420* and No. 421* were enacted, tightening administrative liability as well as introducing criminal liability for violations in the field of personal data.
The changes regarding administrative liability will come into force on 30 May 2025, while the new criminal offences took effect on 11 December 2024.
Administrative Liability for Businesses
Violation | Previous Fines (RUB) | New Fines (RUB) |
---|---|---|
Unauthorised processing or processing of personal data incompatible with the purpose of collection (First violation) | 60,000 – 100,000 | 150,000 – 300,000 |
Unauthorised processing or processing of personal data incompatible with the purpose of collection (Repeated violation) | 100,000 – 300,000 | 300,000 – 500,000 |
Failure to notify Roskomnadzor of personal data processing | 3,000 – 5,000 | 100,000 – 300,000 |
Failure to notify Roskomnadzor of personal data leakage | 3,000 – 5,000 | 1m – 3m |
Data leakage (1,000 – 10,000 users; or 10,000 – 100,000 identifiers) | 60,000 – 100,000 | 3m – 5m |
Data leakage (10,000 – 100,000 users; or 100,000 – 1m identifiers) | 60,000 – 100,000 | 5m – 10m |
Data leakage (more than 100,000 users; or more than 1m identifiers) | 60,000 – 100,000 | 10m – 15m |
Repeated leakage of “ordinary” data | 100,000 – 300,000 | 1–3% of last year's revenue (min 20m, max 500m) |
Leakage of special categories of personal data | 60,000 – 100,000 | 10m – 15m |
Leakage of biometric personal data | 60,000 – 100,000 | 15m – 20m |
Repeated leakage of special or biometric personal data | 100,000 – 300,000 | 1–3% of last year's revenue (min 25m, max 500m) |
Individual entrepreneurs are subject to the same fines as companies for most of the above violations.
Additionally, new fines have been introduced for violations related to the processing of biometrics within the unified biometric system.
Furthermore, the law introduces amendments to various procedural matters, specifically:
Mitigating circumstances for repeated data leakage
Amendments to the Code of Administrative Offences also provide for a reduction of the fine for repeated data leakage for diligent personal data operators if they simultaneously meet the following conditions:
If these conditions are met, the fine will be set at 0.1 of the minimum established fine, but no less than RUB 15m and no more than RUB 50m.
Criminal liability
Law No. 421* introduces new criminal offences for the unlawful processing of personal data, specifically:
Violation | Liability |
---|---|
Unlawful use of personal data obtained by illegal means | A fine of up to RUB 300,000, compulsory works, or imprisonment for up to 4 years |
Unlawful use of minors' data, “special” categories, or biometrics | A fine of up to RUB 700,000, compulsory works, or imprisonment for up to 5 years |
Unlawful use of data associated with cross-border transfer | Imprisonment for up to 8 years, a fine of up to RUB 2m, and a possible ban on certain activities |
Creation/provision of resources for unlawful data processing | A fine of up to RUB 700,000, compulsory works, or imprisonment for up to 5 years with a ban on certain activities |
Thus, under the new laws, liability for violations in the field of personal data has been significantly toughened. To avoid liability, we recommend auditing the company’s internal processes related to personal data processing and confidentiality and bringing them into compliance with the law.
* In Russian
The publication is also available in Russian.