Tightened liability for breach of personal data laws
Draft law No. 683952-6 “On Amendments to the Russian Federation Code of Administrative Offences”
Goltsblat BLP advises that, on 27 January 2017, at the third reading, the State Duma adopted draft law No. 683952-6 determining new offences and increasing liability for breach of personal data laws. The law is to take effect on 1 July 2017.
Current Article 13.11 of the Code of Administrative Offences provides for just a single offence, i.e., breach of the statutory procedure for collecting, storing, using or distributing data relating to individuals (personal data), the maximum punishment for legal entities being RUB 10,000 (c. USD 160).
The draft law creates seven new offences with different liability for each, the maximum punishment for a legal entity being as high as RUB 75,000 (c. USD 1200) per offence:
Fine for officers
Fine for legal entities
Personal data processing when this is not allowed by law or is incompatible with the purpose of the personal data collection
Personal data processing without written consent or in breach of the requirements on data covered by consent
Failure to publish a document determining the personal data operator’s policy
Failure to furnish a data subject with information pertaining to personal data processing
Failure to meet a personal data subject’s demands for their personal data to be updated, blocked or destroyed
Failure to comply with the requirements on personal data security where data processing is not automated, if this results in personal data being misused
Failure by a state or municipal authority to perform their obligation to anonymise personal data
No explanations have been issued so far as to what will constitute an offence. It is conceivable, therefore, that fines might be levied with reference to the number of persons whose personal data were processed in contravention of the law.
These developments tighten liability considerably and are designed to encourage businesses to take extra care when processing personal data.
The new law comes in the wake of Roskomnadzor’s heightened activity involving large-scale audits of personal data law compliance by various organisations. The regulator has also scheduled a multitude of audits for 2017 (information about those due in the Central Federal District is available at the territorial office website).