In a bid to combat the increasing threat posed by cyber attacks, the President of Russia has signed new laws that strengthen liability for leaks and illegal turnover of personal data. The laws introduce both administrative and criminal measures to deter such activities.
Under the new regulations, administrative fines will be determined based on the volume of leaked data. Fines for leaks involving 1,000 to 10,000 subjects can go up to 5 million rubles, while leaks affecting 10,000 to 100,000 subjects or 100,000 to 1 million identifiers may result in fines of up to 10 million rubles. For leaks involving more than 100,000 subjects or 1 million identifiers, fines can be up to 3% of the company’s annual revenue, with a minimum of 20 million and a maximum of 500 million rubles.
Fines for leaks of data from a special category could reach up to 15 million rubles, with higher penalties for repeated incidents. Operators are mandated to inform regulatory authorities promptly about plans for processing personal data, with violations punishable by fines of up to 300 thousand rubles for legal entities.
Moreover, fines ranging from 50 thousand rubles for individuals to 3 million rubles for organizations will be imposed for the unlawful or accidental transfer of data. The laws also establish penalties for companies that refuse to enter into contracts with consumers who decline to provide biometric data.
Notably, a new article in the legislation introduces penalties for the illegal use of personal data. Offenders may face fines of up to 300 thousand rubles or their annual income, with the maximum penalty being up to 10 years in prison for cross-border data leaks leading to severe consequences.
While these measures aim to tighten regulations on personal data and prevent leaks, concerns remain about their effectiveness in addressing cybersecurity issues and international data breaches.