On 26 November 2024, the draft law on turnover-based fines for personal data leaks (“Amendments to the Administrative Offences Code”) and the draft law on criminal liability for personal data leaks (“Amendments to the Criminal Code”) were passed in the second and third readings at once.
Both documents have been amended since the publication of our previous legal update.
Amendments to the Administrative Offences Code
We remind you that the Amendments to the Administrative Offences Code are primarily aimed at combating personal data “leaks,” but they also address other violations of personal data legislation; the main new feature of the draft articles is the introduction of so-called “turnover-based” fines for personal data “leaks.” The draft law caused a lively discussion and was criticised by the business community, and it was therefore substantially refined, with a number of amendments made since its introduction to the State Duma.

Although these amendments to the Administrative Offences Code need no introduction, we would like to remind you that they introduce new types of liability for violations of personal data legislation (including a failure to notify personal data processing and a failure to notify personal data leaks), increase existing fines for violations of personal data legislation, and introduce “turnover-based” fines for repeated “leaks” of personal data.
The Denuo team has reviewed the draft law passed in the third reading and notes the following key innovations compared to the original text:
Turnover-based fines
- the scale of “turnover-based” fines calculated on the basis of the aggregate amount of revenue received “from the sale of all goods (work, services)” has been changed and now ranges from 1 to 3 percent (instead of the previously discussed 0.1 to 3 percent);
- for credit organisations, the amount of fines may range from 1 to 3 percent of the amount of “own funds (capital) of a credit organisation as at the date of the offence”;
- the lower limit of “turnover-based” fines has been increased and amounts to RUB20 million (previously it was RUB15 million), and RUB25 million in case of leaks of special categories of personal data and/or biometric data;
- “aggravating circumstances” were set out, applying:
  - in case of a continuation of unlawful conduct (paragraph 1 of part 1 of article 4.3 of the Administrative Offences Code); as well as
  - if the person, at the time of the offence or of the ruling on the case concerning the offence, was subjected to administrative punishment for violating legislation on personal data or information protection;
- “mitigating circumstances” were set out — applying if all the following conditions are met simultaneously:
  - the operator’s expenses in the previous 3 (three) years for cybersecurity measures carried out by a licensed organisation amounted to at least 0.1% of its revenue;
  - compliance with the requirements for personal data protection during their processing in information systems in the previous 12 months is documented; and
  - there were no “aggravating circumstances” as mentioned above;
- the concept of “identifier” used to define the scope of “leak” was specified — it is now understood as “a unique designation of information on an individual contained in the personal data information system of the operator and related to such person”;
- new fines — for leaks of biometric personal data (up to RUB20 million), in case of repeated leaks — “turnover-based” fines (but no less than RUB25 million);
- failure to notify accidental leaks may now also result in the imposition of fines (previously this rule was only applied to unauthorised leaks);
- fines for officials have been reduced by 50% on average;
- the transitional period before the amendments to the Administrative Offences Code enter into force has been increased to 180 days (previously it was 30 days).
The final version of the draft law did not include the previously discussed rules on insurance and monetary compensation for users whose personal data were leaked. The total limit of insurance coverage for such risks was discussed as ranging from RUB5 million to RUB1 billion, depending on the volume of processed personal data, and the amount of compensation to users was supposed to be from RUB1,000 to RUB5,000 per subject.
Amendments to the Criminal Code
The authors of the amendments to the Criminal Code also propose to add article 272.1 (“draft article”) to the Criminal Code, establishing new corpus delicti for personal data crimes. We remind you that the draft article penalises the illegal use, transfer, collection and storage of “computer information containing personal data obtained through unauthorised access to the means of its processing, storage or other interference in its functioning or by other illegal means.”
The Denuo team has reviewed the draft passed in the third reading and notes the following key innovations compared to the original text:
- In the text of the first part of the draft article of the Amendments to the Criminal Code, “for the unlawful use and/or transfer, collection and/or storage of computer information containing personal data,” a fine in the amount of “salary or other income for a period of up to one year” is now provided for as an alternative fine;
- Part two of the draft article, which establishes increased liability for leaks of special categories of personal data and biometric personal data, has been supplemented with a new category — now increased liability is also provided for the personal data of minors;
- The third part of the draft article now provides for an increased fine in the amount of salary or other income for a period of up to three years (previously — up to two years).
We continue to follow the news and will prepare a final review of the amendments when both draft laws are signed by the President.