
Personal data leaks will become very expensive

29.02.2024

The State Duma adopted in the first reading amendments to the Code of Administrative Offenses and the Criminal Code to strengthen liability for leakage of personal data.

Individuals, officials and legal entities responsible for a leak will face increased fines, the amount of which depends on the scale of the leak. For a first offence, fines for companies will range from 3 to 15 million rubles. A repeated violation will cost many times more and, in the event of a particularly massive leak, may be punishable by a fine of 0.1% to 3% of revenue for the calendar year (not less than 15 and not more than 500 million rubles).

The scope of punishable violations provided for by the amendments is far from limited to the actual leak of personal data.

Thus, serious fines are provided for failure to notify, or untimely notification of, Roskomnadzor (the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications) of the intention to process personal data (from 100 to 300 thousand rubles for legal entities), as well as for failure to notify, or untimely notification of, Roskomnadzor about a leak that has occurred (from 1 to 3 million rubles for legal entities).

The use, transfer, collection and storage of personal data obtained illegally, as well as the creation of information resources that disseminate such data, is considered a criminal offence punishable by up to 10 years in prison.

According to Anton Nemkin, a member of the State Duma Committee on Information Policy, the bill has every chance of being approved during the spring session as part of an entire package of measures aimed at digital sovereignty and security, such as the “grounding” of hosting services, the ban on “mirrors” of pirate websites, etc. The discussion takes place against the backdrop of growing digital threats: more than 300 leaks occurred in 2022-23 alone, some as a result of massive attacks on Russian IT infrastructure.