Up to 3% of revenue: deputies approved tougher liability for personal data leaks

Brother

The bill passed its first reading in the State Duma.

At a plenary session, the State Duma of the Russian Federation adopted in the first reading a draft law introducing fines for violating certain requirements of personal data legislation. It is assumed that the maximum penalty for legal entities can be up to 3% of their annual revenue.

The document was submitted to the State Duma in December 2023 by a group of senators and deputies led by First Deputy Speaker of the Federation Council, Secretary of the General Council of United Russia, Andrey Turchak.

According to the draft law, it is proposed to introduce new parts to Article 13.11 of the Administrative Code of the Russian Federation (violation of the law on personal data). In particular, it is planned to introduce fines for non-fulfillment or untimely fulfillment by the operator of the obligation to notify Roskomnadzor of the intention to process personal data:
  • For citizens: from 5 to 10 thousand rubles;
  • For officials: from 30 to 50 thousand rubles;
  • For legal entities: from 100 to 300 thousand rubles.
Fines are also introduced for failure to comply with or late fulfillment of the obligation to notify Roskomnadzor in case of detection of the fact of illegal leakage of personal data. The amount of fines is as follows:
  • For citizens: from 50 to 100 thousand rubles;
  • For officials: from 400 to 800 thousand rubles;
  • For legal entities: from 1 to 3 million rubles.
In addition, fines are imposed if the operator's actions or omissions led to the illegal transfer of information with personal data:
  • From 1 to 10 thousand subjects or from 10 to 100 thousand IDs:
    • For citizens: from 100 to 200 thousand rubles;
    • For officials: from 800 thousand to 1 million rubles;
    • For legal entities: from 3 to 5 million rubles.
  • From 10 to 100 thousand subjects or from 100 thousand to 1 million IDs:
    • For citizens: from 200 to 300 thousand rubles;
    • For officials: from 1 to 1.5 million rubles;
    • For legal entities: from 5 to 10 million rubles.
  • More than 100 thousand subjects or more than 1 million IDs:
    • For citizens: from 300 to 400 thousand rubles;
    • For officials: from 1.5 to 2 million rubles;
    • For legal entities: from 10 to 15 million rubles.
If a person repeatedly commits a violation that resulted in a data leak, the amount of fines is as follows:
  • For citizens: from 400 to 600 thousand rubles;
  • For officials: from 2 to 4 million rubles;
  • For legal entities: from 0.1% to 3% of annual revenue (but not less than 15 million rubles and not more than 500 million rubles).
Fines are also introduced for illegal transfer of special categories of personal data (medical, etc.):
  • For a first violation:
    • For citizens: from 300 to 400 thousand rubles;
    • For officials: from 1.5 to 2 million rubles;
    • For legal entities: from 10 to 15 million rubles.
  • For a repeat violation:
    • For citizens: from 500 to 800 thousand rubles;
    • For officials: from 3 to 5 million rubles;
    • For legal entities: from 0.1% to 3% of annual revenue (but not less than 20 million rubles and not more than 500 million rubles).
State Duma Speaker Vyacheslav Volodin noted that information technologies already affect every person and every family. At the same time, the risks of personal data leaks have increased. Many citizens make requests to solve this problem. According to Volodin, the absolute majority of respondents in his Telegram channel were in favor of tougher penalties for leaks.
 