On November 30, 2024, the President signed laws amending the Code of Administrative Offenses (CAO) and the Criminal Code (CC)[1], establishing liability for violations in the field of personal data processing.
Administrative liability
Under the above-mentioned law, increased administrative fines for violations in the field of personal data (PD) processing will take effect on May 30, 2025.
The fine established by Article 13.11 of the CAO for processing PD in cases not provided for by law (for example, without consent) will be significantly increased:
| Grounds for liability | Fine for companies before May 30, 2025 | Fine for companies after May 30, 2025 |
| --- | --- | --- |
| Processing PD in cases not provided for by law | From 60 000 to 100 000 rubles | From 150 000 to 300 000 rubles |
| Repeated violation | From 100 000 to 300 000 rubles | From 300 000 to 500 000 rubles |
In addition, Article 13.11 of the CAO will be supplemented by parts 10-18, providing for new fines.
A separate fine will be established for failing to notify Roskomnadzor (RKN) of the commencement of PD processing. The obligation to send such notifications was introduced back in 2023, but liability for the violation has only now been provided:
- Non-fulfillment or untimely fulfillment by the operator of the obligation to notify the RKN of the intention to process PD: the fine for legal entities will range from 100 000 to 300 000 rubles.
A number of fines related to PD leaks have been established. The law defines a leak of personal data as the unlawful transfer (provision, dissemination, access) of information containing PD. The legislation gives no more detailed definition of a leak.
However, it follows from judicial practice that the operator will be held responsible for a leak of PD if:
1) the operator did not take sufficient technical measures to protect its databases from hacker attacks;
2) the operator's employees intentionally or inadvertently put the confidentiality of users' PD at risk (for example, placed the data on an unsecured platform or sold PD databases).
The courts specify that the operator is exempt from liability if it is proved that the leak was caused by the PD subject[2]. This may be, for example, a situation where the subject posted their PD on a publicly available platform or gave the data to fraudsters themselves. The operator processing the PD of such a subject bears the burden of proving the subject's fault.
Accordingly, the following penalties related to PD leaks have been established:
- Failure or untimely fulfillment by the operator of the obligation to notify the RKN of a PD leak: the fine for legal entities will range from 1 000 000 to 3 000 000 rubles.
- Actions (inaction) of the operator that resulted in the leakage of PD of 1 000 to 10 000 PD subjects and (or) from 10 000 to 100 000 identifiers[3]: the fine for legal entities will range from 3 000 000 to 5 000 000 rubles.
- Actions (inaction) of the operator that resulted in the leakage of PD of 10 000 to 100 000 subjects and (or) from 100 000 to 1 000 000 identifiers: the fine for legal entities will range from 5 000 000 to 10 000 000 rubles.
- Actions (inaction) of the operator that resulted in the leakage of PD of more than 100 000 subjects and (or) more than 1 000 000 identifiers: the fine for legal entities will range from 10 000 000 to 15 000 000 rubles.
- Actions (inaction) of the operator that caused a repeated leakage of PD: the fine for legal entities will range from 1 to 3% of revenue for the previous calendar year.
- Actions (inaction) of the operator that caused the leakage of special categories[4] of PD: the fine for legal entities will range from 10 000 000 to 15 000 000 rubles.
- Actions (inaction) of the operator that caused the leakage of biometric personal data[5]: the fine for legal entities will range from 15 000 000 to 20 000 000 rubles.
- Actions (inaction) of the operator that resulted in a repeated leakage of biometric or special categories of PD: the fine for legal entities will range from 1 to 3% of the revenue received for the previous calendar year.
Article 4.1 of the CAO will also be supplemented with new mitigating circumstances. Penalties for repeated data leakage can be reduced if all of the following circumstances are present at the same time:
- annual expenses on information security measures (for the 3 years preceding the detection of the offense) of at least 0.1% of annual revenue or of the credit institution's own funds;
- the operator, or an organization engaged by it, holding a license for the provision of services in the field of information encryption or for activities related to the technical protection of information;
- documentary evidence of compliance with the requirements for the protection of PD during their processing in information systems for 1 year before the detection of the offense;
- absence of aggravating circumstances.
Criminal liability
In addition, Law No. 421-FZ of 30.11.2024 establishes new criminal liability measures related to the illegal processing of personal data, which will apply from December 11, 2025. Some of the new offenses are:
- illegal use, transfer, collection, distribution and storage of personal data obtained by illegal means entail liability in the form of a fine of up to 300 000 rubles, or in the amount of the convicted person's salary for a period of up to a year, or forced labor or imprisonment for up to 4 years;
- the same actions committed with the PD of minors, biometric PD or special categories of PD are punishable by a fine of up to 700 000 rubles, or in the amount of the convicted person's salary for a period of up to 2 years, with deprivation of the right to hold certain positions or engage in certain activities for up to 2 years, or forced labor or imprisonment for up to 5 years;
- the same acts involving the cross-border transfer of PD or of material carriers containing PD are punishable by imprisonment for up to 8 years with a fine of up to 2 000 000 rubles, or in the amount of the convicted person's salary for a period of up to 3 years, and with deprivation of the right to hold certain positions or engage in certain activities for up to 4 years.
These legislative changes respond to recent cases of large-scale PD leaks, as well as the storage and sale of illegally obtained PD.
In the near future, operators need to verify that their PD protection systems guard against leaks and unauthorized access. It is also recommended that companies acting as operators check whether they have notified the RKN of the commencement of PD processing.
[1] Federal Law of 30.11.2024 No. 420-FZ “On Amending the Code of the Russian Federation on Administrative Offenses”; Federal Law of 30.11.2024 No. 421-FZ “On Amending the Criminal Code of the Russian Federation”.
[2] Ruling of the Second Cassation Court of General Jurisdiction of 09.11.2023 No. 88-29173/2023.
[3] An identifier means a unique designation of information about an individual contained in the operator’s personal data information system and relating to such individual.
[4] Special categories of personal data are information that relates to race, nationality, political views, religious or philosophical beliefs, health status, and intimate life.
[5] Biometric personal data is information that characterizes the physiological and biological features of a person, on the basis of which their identity can be established and which is used by the operator to establish the identity of the PD subject (for example, a photograph on a pass).