Putin instructed to deal with turnover fines for data breaches by July

President Vladimir Putin instructed the government by July 1, 2023 to consider introducing turnover fines for companies that have leaked personal data (PD) of Russians. The instruction was given following the meeting of the Council for the Development of Civil Society and Human Rights, held on December 7, 2022. The list of instructions was published on January 13, 2023 on the Kremlin website.

“The Government of the Russian Federation should consider establishing turnover fines for companies that leak personal data, increase liability for their illegal circulation and other violations of legislation in the field of personal data, and submit proposals for making appropriate changes to the legislation,” the document says.

The order must be executed by July 1, 2023, and Prime Minister Mikhail Mishustin has been appointed responsible for it.

Since the president’s order obliges only to “consider issues” on the introduction of turnover fines and “submit proposals” for amendments to the legislation, this does not mean at all that the law should be adopted by this date, Karen Ghazaryan, director of the Internet Research Institute, notes. According to the instructions, it is Mishustin who will have to report on the advisability of adopting this law, the expert explained.

The Mintsifra has been discussing the idea of ​​introducing turnover fines for leaks since April 2022. In July, the ministry announced that it had begun preparing a relevant bill and plans to submit it to the fall session of the State Duma. It involves the introduction of amendments to the Code of Administrative Offenses, according to which the company where the leak occurred can be fined 1% of the annual turnover. The amount of the fine will rise to 3% if the company tried to hide the problem. Now the Code of Administrative Offenses provides for fines for data leakage for legal entities in the amount of 60,000 to 100,000 rubles, in case of a repeated offense – up to 500,000 rubles.

The Ministry of Digital Development also worked out mitigating circumstances for the guilty, Minister Maksut Shadayev said in December 2022. For example, the penalty may be lower if the company certifies its infrastructure in accordance with security requirements. The issue of compensation for damage to two-thirds of those affected by the leak was also considered. To do this, the Ministry of Digital Development planned to create a fund of material compensation, which will be replenished from funds received in the form of turnover fines.

Vedomosti sent a request to the Ministry of Digital Development.

The bill is still under discussion, says leading expert on the protection of personal data of the consulting company B-152 Maxim Lagutin. “There is already a certain texture, but important details remain,” he said. “For example, the Ministry of Digital Development is promoting the idea of ​​creating a fund or other means of compensation for individuals, but they are difficult to implement, and businesses have questions about them.”

The main problem that primarily slows down the movement of the bill is the development of reasonable criteria for holding liable (for example, the number of users whose data was leaked; the amount of leaked data; the amount of harm caused to the subjects), says Angelina Balakina, FBK Legal Leading Legal Counsel. In addition, turnover fines should have reasonable limits, upper thresholds, which are also not currently defined, she adds.

Also, the procedure for investigating the leak itself is still not obvious, says a Vedomosti source in a company in the cybersecurity market. Now, within the framework of the Code of Administrative Offenses, there is no procedure for conducting such a check, it is not clear how the fact of a leak, its relevance, etc., will be proved, neither the Ministry of Digital Transformation nor Roskomnadzor has the authority to do this, he continued. “Hence the Mintsifra’s doubts about the wording,” the source argues. “They don’t want to pass a bill that will become dead.” The most logical way out of the situation, according to him, is to transfer the issue to a criminal plane, then investigators will conduct an investigation as part of the trial. However, this is a completely different chain of adoption of regulations, the interlocutor notes.

There is serious resistance to this project, says Vladimir Arlazarov, CEO of Smart Engines. Many companies, after its adoption, will have to increase investments in their information security and rebuild their processes for processing PD. For example, the procedure for interacting with contractors due to the risks of leaks on their part, he explained.

According to Roskomnadzor, in less than a year, 60 major incidents occurred in Russia, containing more than 230 million records with personal information of citizens. The list of companies that leaked this year included telecom operators (“Rostelecom“,”Beeline“and” Tele2 “), online stores and delivery services (“Yandex.Food”, CDEK), medical centers (“Hemotest”), online cinemas and video hosting sites (Start, Yappi), carriers (“Victory”, AzurAir, Russian Railways) and etc.