Increased liability for personal data violations
On 30 November 2024, Federal Law No. 420-FZ (“Law 420”), which increases administrative liability for violations in the field of personal data, and Federal Law No. 421-FZ (“Law 421”), which introduces criminal liability in this area, were adopted.
New administrative fines
| Offense | Addressee | Old fine | New fine |
|---|---|---|---|
| Part 1 Article 13.11: processing of personal data in cases not provided for by personal data legislation, or processing of personal data that is incompatible with the purposes of its collection | Individuals | RUB 2 000 to 6 000 | RUB 10 000 to 15 000 |
| | Officials | RUB 10 000 to 20 000 | RUB 50 000 to 100 000 |
| | Legal entities | RUB 60 000 to 100 000 | RUB 150 000 to 300 000 |
| Repeated violation of the above | Individuals | RUB 4 000 to 12 000 | RUB 15 000 to 30 000 |
| | Officials | RUB 20 000 to 50 000 | RUB 100 000 to 200 000 |
| | Individual entrepreneurs | RUB 50 000 to 100 000 | RUB 300 000 to 500 000 (same band as legal entities) |
| | Legal entities | RUB 100 000 to 300 000 | RUB 300 000 to 500 000 |
| Part 10 Article 13.11: failure to notify, or untimely notification of, Roskomnadzor of the intention to process personal data | Individuals | Article 19.7 of the Code of Administrative Offenses of the Russian Federation (the “Code”) is applied | RUB 5 000 to 10 000 |
| | Officials | Article 19.7 of the Code is applied | RUB 30 000 to 50 000 |
| | Legal entities | Article 19.7 of the Code is applied | RUB 100 000 to 300 000 |
| Part 11 Article 13.11: violation of the requirement to notify about a personal data breach | Individuals | Article 19.7 of the Code is applied | RUB 50 000 to 100 000 |
| | Officials | Article 19.7 of the Code is applied | RUB 400 000 to 800 000 |
| | Legal entities | Article 19.7 of the Code is applied | RUB 1m to 3m |
Parts 12, 13, 14 of Article 13.11: leakage of personal data (new fines, by scale of the leak)

| Scale of the leak | Individuals | Officials | Legal entities |
|---|---|---|---|
| from 1 000 to 10 000 personal data subjects and (or) from 10 000 to 100 000 identifiers | RUB 100 000 to 200 000 | RUB 200 000 to 400 000 | RUB 3m to 5m |
| from 10 000 to 100 000 personal data subjects and (or) from 100 000 to 1m identifiers | RUB 200 000 to 300 000 | RUB 300 000 to 500 000 | RUB 5m to 10m |
| more than 100 000 personal data subjects and (or) more than 1m identifiers | RUB 300 000 to 400 000 | RUB 400 000 to 600 000 | RUB 10m to 15m |
Parts 15 to 18 of Article 13.11 (new fines)

| Offense | Individuals | Officials | Legal entities |
|---|---|---|---|
| Part 15 Article 13.11: repeated leakage of personal data | RUB 400 000 to 600 000 | RUB 800 000 to 1,2m | 1% to 3% of total revenue for the calendar year preceding the year in which the administrative offense was identified, or of the credit institution’s equity (capital) on the date of the offense, but no less than RUB 20m and no more than RUB 500m |
| Part 16 Article 13.11: leakage of special categories of personal data | RUB 300 000 to 400 000 | RUB 1m to 1,3m | RUB 10m to 15m |
| Part 17 Article 13.11: leakage of biometric data | RUB 400 000 to 500 000 | RUB 1,3m to 1,5m | RUB 15m to 20m |
| Part 18 Article 13.11: repeated leakage of special categories of personal data or biometric personal data | RUB 500 000 to 800 000 | RUB 1,5m to 2m | 1% to 3% of total revenue for the calendar year preceding the year in which the administrative offense was identified, or of the credit institution’s equity (capital) on the date of the offense, but no less than RUB 25m and no more than RUB 500m |
In addition to the increased and new fines described above, Law 420 adds to the existing articles of the Code, provides for a number of new offences, and establishes “mitigating circumstances” that must be taken into account when assessing violations and assigning penalties for the leakage of personal data.
The mitigating circumstances that may be taken into account when calculating the fine for repeated data leaks are set out in Article 4.1 of the Code, which establishes the general rules for assigning penalties for administrative offenses.
Mitigating circumstances:
- annual expenses (for the 3 years preceding the violation) related to ensuring information security are no less than 0.1% of total annual revenue from sales (work, services) or the amount of the credit institution’s own funds (capital)
- possession by the controller or the organization engaged by the controller of a mandatory license for performing work / providing services related to data encryption or for taking technical measures aimed at protecting confidential information
- documentation confirming compliance with the requirements for protecting personal data throughout their processing in personal data information systems for the year preceding the violation
- absence of aggravating factors
Fines can be significantly reduced if all of the abovementioned mitigating circumstances are met simultaneously.
Mitigating circumstances and new offenses
Article 3.5 of the Code clarifies the amount of fines applicable to credit institutions: an administrative fine calculated from the amount of the credit institution’s own funds (capital) may not exceed 3% of those funds.
Criminal liability
Law 421 introduces criminal liability for special offenses in the sphere of personal data (Article 272.1 of the Criminal Code of the Russian Federation).
Illegal use, transfer, collection or storage of information containing personal data obtained illegally: a fine of up to RUB 300 000 or an amount equal to the offender’s earnings for a period of up to 1 year, forced labor, or imprisonment for up to 4 years.
Moreover, more severe penalties (up to 10 years of imprisonment) are provided for in the following cases:
- similar actions in relation to data of minors/special categories of personal data/biometrics
- vested interest
- the presence of major damage or serious consequences
- crimes committed by a group of persons, an organized group or using the position of an official
- illegal cross-border data transfer
Creation and maintenance of a resource for the deliberately illegal storage / transfer of illegally obtained personal data: among other penalties, imprisonment for up to 5 years and a fine of up to RUB 700 000