New course of the State Duma: criminal term and record fines for data leaks

The government will consider amendments to increase liability for data privacy violations.

On December 4, the State Duma introduced amendments to the Code of Administrative Violations (CAO) and the Criminal Code concerning tougher liability for violations when working with personal data. The amendments were initiated by Senators Andrey Turchak and Andrey Klishas, State Duma deputy Alexander Khinshtein and other United Russia parliamentarians.

According to the State Duma information system, it is proposed to increase fines for legal entities and individual entrepreneurs for personal data leakage, depending on the volume and nature of the leaked data. According to the amendments to the Administrative Code:
  • If the leak concerns from 1 thousand to 10 thousand subjects of personal data (i.e. citizens), the fine for legal entities and for individual entrepreneurs (who are equated to companies in the amendments) will be from 3 million to 5 million rubles; for a leak affecting from 10 thousand to 100 thousand subjects, from 5 million to 10 million rubles; for more than 100 thousand subjects, from 10 million to 15 million rubles.
  • For repeated violations involving any volume of compromised information from 1 thousand subjects upward, a fine of 0.1 to 3% of revenue for the calendar year preceding the violation (or for part of the current year) is proposed, but not less than 15 million rubles and not more than 500 million rubles.
  • For leaking information that includes a special category of personal data (for example, medical information), the fine for legal entities will range from 10 million to 15 million rubles.

It is also planned to increase fines for these violations for individuals and employees of state or municipal organizations.

According to the amendments to the Criminal Code, criminal liability is introduced for those who illegally collect, store, use and (or) transmit computer information containing personal data. Liability will be increased if the crime:
  • was committed by a group of persons by prior agreement;
  • caused major damage;
  • was committed for the purpose of enrichment, or with the use of official position or "spy devices".

Illegal use, transfer or collection of personal data obtained illegally will be punished with a fine of up to 300 thousand rubles, or forced labor or imprisonment for a term of up to four years. The term rises to five years if the information contains special categories of personal data and/or biometric personal data.

It is proposed to introduce a penalty of up to six years in prison with a fine of up to 1 million rubles for illegal use of personal data out of self-interest, resulting in major damage, committed by a group of persons by prior agreement or using their official position.

Crimes related to the cross-border transfer of personal data are proposed to be punished by imprisonment for up to eight years with a fine of up to 2 million rubles, with an increase in the term and amount to ten years and 3 million rubles, if there were serious consequences or the crime was committed by an organized group.

Creating Internet resources or computer programs intended for the illegal storage or dissemination of personal data is proposed to be punished with forced labor or imprisonment for up to five years with a fine of up to 700 thousand rubles.

The authors of the amendments justify the tougher liability by arguing that the existing sanctions are not commensurate with the possible consequences of leaks. "Currently, companies that have leaked personal data are held liable under Part 1 of Article 13.11 of the Code of Administrative Offenses of the Russian Federation (hereinafter referred to as the Administrative Code of the Russian Federation), which provides for a maximum fine of up to 100 thousand rubles for legal entities (if an administrative offense is repeated, up to 300 thousand rubles). At the same time, the specified amount of the fine is not commensurate with the possible consequences of leaks. Once in the hands of attackers, the data can become a tool for spam calls, unsolicited mailings, blackmail, fraudulent schemes and other more serious crimes," the explanatory note says. The purpose of these bills, as noted in the message, is to strengthen the protection of citizens' personal data and to encourage businesses to invest in information security.

In the explanatory note attached to the amendments to the Criminal Code, it is reported that at the beginning of 2022, 130 million residents of Russia used the Internet. At the same time, the total volume of officially identified personal data leaks for 2022 amounted to more than 1.13 billion records. "The black market for personal data is constantly growing, and the main sources of leaks are third-party attackers or employees of companies that sell or give away confidential data of their customers for free. According to separate estimates, in 2020, the total damage from personal data leaks exceeded 3 billion rubles, and in 2022, this damage has already exceeded 8 billion rubles," the note says.

The draft laws were submitted to the State Duma after lengthy discussions with representatives of business, government and experts. They were initiated in April last year in connection with the frequent hacker attacks on Russian companies holding large volumes of personal data. Among the victims were Yandex.Food, SDEK, Hemotest and many others. In September, the government commission on legislative activity supported the idea of including provisions on compensation for victims in the draft law.