
Draft law on turnover-based fines and criminal liability for personal data leaks submitted to the State Duma

legal updates
05 / 09 / 2023
Following the increasing number of personal data leaks in 2022, a discussion of the need to introduce new liability measures for violations in the sphere of personal data began at the legislative level. However, the development of a new draft law on such measures was delayed until the end of 2023.

Nevertheless, a working group of State Duma deputies and Federation Council senators still managed to finalise the amendments — on 4 December 2023, two draft laws on amendments to the Administrative Offences Code of the Russian Federation (“Russian Administrative Code”) and the Criminal Code of the Russian Federation (“Russian Criminal Code”) were finally submitted to the State Duma.

One of the most important amendments to the Russian Administrative Code is the introduction of liability measures for “leaks” of personal data.

Under the new paragraphs 12-14 of article 13.11 of the Russian Administrative Code, a large administrative fine may be imposed for actions (inaction) of an operator that result in the unlawful transfer (provision, distribution, access) of information including personal data; the amount of the fine depends on the number of affected personal data subjects. Thus, if the “leak” affects:

  • from 1,000 to 10,000 subjects, or from 10,000 to 100,000 identifiers (under the draft law, identifiers are unique designations of information on individuals that are necessary to identify such persons), the fine for legal entities will be from RUB 3 million to RUB 5 million;
  • from 10,000 to 100,000 subjects, or from 100,000 to 1,000,000 identifiers, from RUB 5 million to RUB 10 million;
  • more than 100,000 subjects, or more than 1,000,000 identifiers, from RUB 10 million to RUB 15 million.

If a legal entity operator commits such a violation again within a year of being brought to liability, a “turnover-based” fine may be imposed on it in the amount of 0.1 to 3% of the aggregate revenue received from the sale of all goods (work, services) for the calendar year preceding the year in which the administrative offence was revealed, or for the relevant part of the calendar year if the offender did not carry out activities involving the sale of goods (work, services) in the preceding calendar year. In any case, such a fine may not be less than RUB 15 million or more than RUB 500 million.

If the actions (inaction) of the operator entail the unlawful transfer (provision, distribution, access) of information including a special category of personal data (personal data relating to race, national origin, political opinions, religious or philosophical beliefs, health status or intimate life), the operator may be subject to an administrative fine (for legal entities, from RUB 10 million to RUB 15 million) regardless of the number of affected subjects. For a repeated violation, the operator may also be ordered to pay a “turnover-based” fine under the same logic.

However, the authors of the new draft laws did not stop at administrative liability. In particular, it is proposed to introduce article 272.1 into the Criminal Code of the Russian Federation, which defines new criminal offences.

Thus, for the illegal use and/or transfer, collection and/or storage of computer information containing personal data, a fine of up to RUB 300,000 may be imposed, or the violator may be sentenced to compulsory labour or to imprisonment for up to four years.

In a situation where such a violation is associated with a cross-border data transfer or a cross-border movement of media, the term of imprisonment may increase up to eight years with a fine of up to RUB 2 million.

If such a violation entails grave consequences, or is committed as part of an organised group, the punishment may be up to 10 years of imprisonment with a fine of up to RUB 3 million. Grave consequences will include the temporary suspension or disruption of the personal data operator's work, violation of the integrity of the personal data information system, dissemination of computer information containing personal data to an unlimited number of persons, and/or provision of or access to it to third parties with the purpose of causing harm to the life, health, property, rights and legitimate interests of a person and citizen, or damage to the defence and/or security of the state, the protection of public order and other values protected by federal laws.

The second type of crime introduced by this article is the creation and/or operation of information resources (a website and/or a page of a website, an information system, a computer program) knowingly intended for the illegal storage or transmission (distribution, provision, access) of computer information containing personal data.

Different types of criminal liability are established for this violation, the strictest of which is imprisonment for up to five years with a fine of up to RUB 700,000 and with deprivation of the right to engage in certain activities or hold certain positions for up to two years.

The new liability measures introduced by the draft laws under consideration significantly increase the need for personal data processors to implement and maintain a full-fledged compliance system. This concerns not merely the implementation of technical information protection measures, but also the maintenance of the relevant business processes within the company so as to minimise the risk of human error when working with personal data. Such a compliance system includes not only the formal adoption of policies and other internal documents, but also training for employees, control over compliance with those policies and documents, clear instructions for employees on how to act in the event of various information security incidents, and so on.

In our next publications we will tell you what you should pay attention to when developing such a compliance system and how to develop it in your company.