Personal data taken into circulation

Two bills have been submitted to the State Duma to tighten the procedure for working with personal data. The first introduces turnover fines of up to 500 million rubles for companies and individuals involved in information leaks. The second introduces criminal liability for disseminating such information, with a penalty of up to five years in prison. Data operators criticize the documents for the lack of mitigating circumstances. Government agencies are drawing attention to unclear wording, refusal to support victims and the independence of the fine from the scale of the leak, and are already proposing clarifications for the second reading.

A group of senators and deputies led by the head of the State Duma Committee on Information Policy, Communications and IT, Alexander Khinshtein, introduced two bills that would tighten the circulation of personal data of Russians. The first amends the Code of Administrative Offenses and establishes turnover fines for leaking personal data. The second introduces criminal liability for illegal storage and distribution of personal data and makes amendments to the Criminal Code of the Russian Federation.

According to the draft amendments to the Administrative Code, fines for legal entities that allowed a data leak will be:

  • from 3 million to 5 million rubles, if the leak contained data from 1 thousand to 10 thousand personal data subjects;
  • from 5 million to 10 million rubles, if the volume of data was from 10 thousand to 100 thousand subjects;
  • from 10 million to 15 million rubles – if there are more than 100 thousand subjects.

The maximum fine for legal entities will be 0.1–3% of revenue for a calendar year, but not more than RUB 500 million.

Fines are also established for officials and ordinary citizens responsible for leaks:

  • 100–200 thousand rubles for individuals, maximum 300–400 thousand rubles;
  • 0.8–1 million rubles for officials, maximum 1.5–2 million rubles.

The bill includes fines for failure to comply with notification requirements to Roskomnadzor about data leak incidents:

  • up to 100 thousand rubles for citizens;
  • up to 800 thousand rubles for officials;
  • up to 3 million rubles for legal entities.

The law comes into force 30 days after its official publication.

The initiative has been under discussion since the summer of 2022: after the outbreak of hostilities in Ukraine there was a sharp rise in cyberattacks on Russian infrastructure, resulting in massive data leaks. But the problem is not just hackers. “Many companies perceive people’s personal information as a way to make money and do not protect it properly,” emphasizes First Deputy Chairman of the Federation Council Andrei Turchak in his Telegram channel. “As a result, today on the black market the volume of databases with personal data is estimated at 20 thousand, this is information about approximately 80% of the Russian population.” According to Roskomnadzor, there are now more than 929 thousand personal data operators in Russia.

The amendments to the Criminal Code are due to “the growth of illegal actions in relation to personal data, as well as their illegal use in the commission of crimes,” according to the explanatory note to the bill.

The document proposes the introduction of criminal liability for the “collection, use and transfer” of personal data of citizens:

  • a fine of up to 300 thousand rubles, or forced labor for a term of up to four years, or imprisonment also for up to four years.

A separate punishment is provided for the illegal use of data relating to race and nationality, political opinions, religious or philosophical beliefs, health status, and biometric personal data.

  • Such a violation may result in a fine of up to 700 thousand rubles or forced labor for a term of five years or imprisonment for the same term.
  • Creating resources for storing and selling personal data also carries a fine of up to 700 thousand rubles and imprisonment for up to five years.
  • The effective date of the amendments is not specified.

“The project provides for criminal liability for both cybercriminals and company employees, but its introduction is unlikely to stop the former,” emphasizes Roman Vlasov, a lawyer at the technology, media, telecommunications practice of Melling, Voitishkin and Partners.

Along with turnover fines, the introduction of compensation for victims of data leaks (people whose information ended up online) was discussed.

The current bills do not provide for this possibility. But the official review by Deputy Prime Minister Dmitry Grigorenko, published along with the documents, says that the measure should be considered on a “voluntary basis for companies that have leaked in order to reduce administrative liability.”

Kommersant’s interlocutors in the IT market claim that the State Legal Administration of the President, even before the document was introduced, recommended that it be finalized for the second reading. Among the main issues are the “formal uncertainty” of the offense as a whole (that is, from the current version of the documents it is unclear what exactly liability entails, explains one of Kommersant’s sources) and the need to determine the amount of the fine depending on the amount of data in the leak.

The Association of Big Data (ABD, which unites VK, Sberbank, MegaFon, etc.) told Kommersant that business is “dissatisfied with the absence of mitigating circumstances for companies in the text of the bill.” “The operator bears responsibility regardless of the presence of fault and the measures he took to prevent a leak,” the ABD emphasizes. They also note that the documents “do not provide any justification for the amounts of fines themselves.”

Tatiana Isakova
