Tightened liability for breach of personal data laws

01.02.2017

Draft law No. 683952-6 “On Amendments to the Russian Federation Code of Administrative Offences”

Goltsblat BLP advises that, on 27 January 2017, at the third reading, the State Duma adopted draft law No. 683952-6 determining new offences and increasing liability for breach of personal data laws. The law is to take effect on 1 July 2017.

Current Article 13.11 of the Code of Administrative Offences provides for just a single offence, i.e., breach of the statutory procedure for collecting, storing, using or distributing data relating to individuals (personal data), the maximum punishment for legal entities being RUB 10,000 (c. USD 160).

The draft law creates seven new offences with different liability for each, the maximum punishment for a legal entity being as high as RUB 75,000 (c. USD 1,200) per offence:

| Offence | Fine for officers | Fine for legal entities |
| --- | --- | --- |
| Personal data processing when this is not allowed by law or is incompatible with the purpose of the personal data collection | RUB 5,000–10,000 | RUB 30,000–50,000 |
| Personal data processing without written consent or in breach of the requirements on data covered by consent | RUB 10,000–20,000 | RUB 15,000–75,000 |
| Failure to publish a document determining the personal data operator’s policy | RUB 3,000–6,000 | RUB 15,000–30,000 |
| Failure to furnish a data subject with information pertaining to personal data processing | RUB 4,000–6,000 | RUB 20,000–40,000 |
| Failure to meet a personal data subject’s demands for their personal data to be updated, blocked or destroyed | RUB 4,000–10,000 | RUB 25,000–45,000 |
| Failure to comply with the requirements on personal data security where data processing is not automated, if this results in personal data being misused | RUB 4,000–10,000 | RUB 25,000–50,000 |
| Failure by a state or municipal authority to perform their obligation to anonymise personal data | RUB 3,000–6,000 | – |

No explanations have been issued so far as to what will constitute an offence. It is conceivable, therefore, that fines might be levied with reference to the number of persons whose personal data were processed in contravention of the law.

These developments tighten liability considerably and are designed to encourage businesses to take extra care when processing personal data.

The new law comes in the wake of Roskomnadzor’s heightened activity involving large-scale audits of personal data law compliance by various organisations. The regulator has also scheduled a multitude of audits for 2017 (information about those due in the Central Federal District is available at the territorial office website).
