Duma Approves $500M Data Protection Law

The State Duma has passed laws in the second and third readings that increase administrative penalties for personal data leaks. Operators who fail to notify or delay notifying Roskomnadzor about their plans to process personal data will face fines ranging from 5,000 to 10,000 rubles for citizens, 30,000 to 50,000 rubles for officials, and 100,000 to 300,000 rubles for organizations.

If an operator unlawfully transfers data, fines are set at 50,000 to 100,000 rubles for citizens, 400,000 to 800,000 rubles for officials, and 1 million to 3 million rubles for legal entities. In cases where data transfers affect 1,000 to 10,000 individuals or 10,000 to 100,000 identifiers without signs of criminal activity, fines range from 100,000 to 200,000 rubles for individuals, 200,000 to 400,000 rubles for officials, and 3 million to 5 million rubles for organizations.

If the violation involves transferring the data of 10,000 to 100,000 individuals or 100,000 to 1 million identifiers, fines amount to 200,000 to 300,000 rubles for citizens, 300,000 to 500,000 rubles for officials, and 5 million to 10 million rubles for organizations. Violations affecting more than 100,000 individuals or more than 1 million identifiers may result in fines of 300,000 to 400,000 rubles for citizens, 400,000 to 600,000 rubles for officials, and 10 million to 15 million rubles for organizations.

Repeat offenders may face increased penalties, with citizens potentially receiving fines of 400,000 to 600,000 rubles, officials facing penalties of 800,000 to 1.2 million rubles, and organizations being fined 1% to 3% of total revenue or 20 million to 500 million rubles, whichever is higher.

Alexander Khinshtein provided further details on the bills, including mitigating circumstances for violators. The Ministry of Cyphra’s approach, which was agreed upon after lengthy discussions, allows for the mitigation of liability under three conditions: annual investments of at least 0.1% of turnover or revenue in information security for three years, the absence of aggravating circumstances,
