Draft Law on Data Leaks: Between the Protection of Citizens and the Interests of Business

The Ministry of Economic Development insists on reducing the size of sanctions.

Reducing the fines for personal data leaks, which have not yet been approved, is unreasonable and would make the initiative ineffective. This is the view of the developers of the bill, which establishes sanctions of up to 500 million rubles for incidents related to personal data leaks. Business representatives, meanwhile, propose introducing mitigating circumstances that would allow companies to avoid fines or reduce them significantly. According to the Parliamentary Newspaper, discussions continue.

Since the beginning of 2024, about half a billion records containing personal data of Russians have ended up in the public domain, Alexander Khinshtein, head of the State Duma Committee on Information Policy, Information Technology and Communications, told the publication. He is a co-sponsor of a bill that introduces severe penalties, including turnover-based fines that depend on the revenue of the companies that leaked data. The document was adopted in the first reading in December, and work on amendments is currently underway. One of these amendments is a proposal from the Ministry of Economic Development, based on consultations with the business community.

The ministry proposed reducing the fines for legal entities compared to the original provisions of the bill: by half, up to 1.5-2 million rubles, if the leak affected from one to ten thousand users; by three times, up to 3-5 million rubles, if more than a hundred thousand personal data subjects were affected. However, it proposes keeping turnover-based fines for repeated leaks in the same range, from 0.1 to 3 percent of the revenue or capital of the credit institution, but with the maximum fine reduced to 50 million rubles.

These proposals will be discussed, but "mitigation is unreasonable and emasculates the very essence of the initiative," Alexander Khinshtein said. According to him, "without the operator realizing his responsibility and understanding that he will have to pay for leaks, no fundamental changes will occur."

From the very beginning, large personal data operators criticized the bill, pointing to excessively high fines, as Irina Rukavishnikova, first deputy chairman of the Federation Council Committee on Constitutional Legislation, told Parlamentskaya Gazeta. However, she agreed with Khinshtein that it is high fines that should encourage companies to invest in information security. Alexander Khinshtein added that if the fines are too low, "it will become cheaper for companies to buy off than to invest in the creation of information security infrastructure."

In addition to reducing fines, the Ministry of Economic Development proposed providing for mitigating circumstances for companies. One example is high spending on security, at least 0.1 percent of revenue. The Big Data Association (ABD) confirmed to the publication that such proposals are being discussed and are supported by large operators. The ABD believes that the bill should clarify the elements of the offenses.

In addition, the ABD proposed other measures to mitigate the liability of companies, aimed at "encouraging businesses to strengthen data protection and motivate them to invest in security, and not just include fines in the budget."

It is estimated that more than five million legal entities and individual entrepreneurs in Russia are personal data operators. The State Duma Committee on Information Policy is confident that not all companies can ensure data protection on their own, especially in the context of cyber war. One of the proposals was to create special trusted operators that would store the data of companies unable to protect it themselves.

The creation of professional data operators was also announced by a member of the Human Rights Council, Igor Ashmanov. He added that access to this data will be limited, and other companies will be able to request information if necessary.

The question of whether the amendments on "super operators" will be included in the bill on fines for leaks remains open. However, Alexander Khinshtein hopes that the law will be adopted by the end of 2024.
