3 December 2024
Significant Increase in Liability for Personal Data Processing Offences

On 30 November 2024, laws were published substantially increasing liability in the field of personal data processing.

Turnover-based Fines and New Administrative Offences

The first law¹ concerns administrative liability.

It introduces substantial fines for acts (or omissions) by a data operator resulting in the unlawful transfer (provision, dissemination, access) of information containing personal data — so-called “data leaks”².

The amount of the fine depends on the number of affected data subjects, the volume of compromised data, and its sensitivity. For companies, fines may be:

  • from RUB 3 million to RUB 5 million where the leak affects between 1,000 and 10,000 subjects (and/or between 10,000 and 100,000 identifiers³);
  • from RUB 5 million to RUB 10 million where the leak affects between 10,000 and 100,000 subjects (and/or between 100,000 and 1 million identifiers);
  • from RUB 10 million to RUB 15 million where the leak concerns more than 100,000 subjects (and/or over 1 million identifiers), or involves a special category of personal data (e.g. health-related data);
  • from RUB 15 million to RUB 20 million for leaks of biometric personal data.

For repeat offences, the fine will be between 1% and 3% of the company’s total revenue⁴ for the calendar year preceding the year in which the offence was detected, but not less than RUB 20 million (RUB 25 million if the leak involves a special category of personal data or biometric personal data) and not more than RUB 500 million.

A more lenient fine (from RUB 15 million to RUB 50 million) may be imposed for repeat offences if all of the following mitigating factors are present before the ruling on the fine is issued:

  • in each of the three years preceding the year of detection of the offence, the operator incurred annual expenditure on information security measures⁵ of at least 0.1% of its annual total revenue⁶;
  • the operator complied with personal data protection requirements in its information systems, with such compliance documented within the 12 months preceding the detection of the administrative offence;
  • there are no aggravating circumstances — namely, the operator has ceased the unlawful conduct and, at the time of the offence and at the time of the ruling, was not (and is not) subject to an administrative penalty for personal data-related offences⁷.

The law also introduces additional, separate administrative offences, including:

  • failure (or untimely action) to notify Roskomnadzor of the intention to process personal data, or of an unlawful or accidental data leak (fine for companies: up to RUB 300,000 and up to RUB 3 million, respectively);
  • breach of rules for processing biometric personal data in the Unified Biometric System (UBS), biometric data, or UBS vectors in information systems of public authorities, the Central Bank of Russia, accredited organisations performing biometric authentication, or in respect of requirements for IT systems and equipment used for processing biometric data and UBS vectors for identification and/or authentication (fine for companies: up to RUB 1 million);
  • failure to take organisational and technical measures to secure biometric personal data when processed in the UBS, when the UBS interacts with other systems, or when processed in systems enabling biometric authentication (fine for companies: up to RUB 1.5 million);
  • processing biometric personal data or UBS vectors for authentication in state authorities’ information systems, corporate systems, or the Central Bank’s systems without accreditation, or when accreditation has been suspended or revoked (fine for companies: up to RUB 2 million).

The law enters into force 180 days after its official publication.

New Criminal Offences

The second law⁸ adds Article 272.1 to the Criminal Code, introducing new criminal offences:

  • unlawful use and/or transfer (dissemination, provision, access), collection and/or storage of computer information containing personal data obtained unlawfully. Penalties (with aggravating factors) include up to 10 years’ imprisonment, a fine of up to RUB 3 million (or equivalent to the offender’s income for up to 4 years), and/or disqualification from certain positions or activities for up to 5 years;
  • creation and/or operation of information resources (e.g. websites, information systems, software) knowingly intended for the unlawful storage or transfer (dissemination, provision, access) of computer information containing personal data obtained unlawfully. Penalties include up to 5 years’ imprisonment, a fine of up to RUB 700,000 (or equivalent to the offender’s income for up to 2 years), and/or disqualification from certain positions or activities for up to 2 years.

Recommendations

  • Review business processes and information systems for compliance with personal data legislation, in particular the existence of a lawful purpose for data collection and valid consent for processing.
  • Ensure that the organisation implements adequate information security measures in light of current risks, including the risk of data leaks. Allocate budgetary resources accordingly.
  • Review and, if necessary, update documentation confirming compliance with personal data protection requirements during processing.

¹ Federal Law of 30 November 2024 No. 420-FZ «On Amendments to the Code of Administrative Offences of the Russian Federation».
² New parts 12–18 of Article 13.11 of the Code of Administrative Offences.
³ «Identifier» means a unique designation of information relating to an individual, contained in the operator’s personal data information system and linked to that individual (e.g. passport series and number, SNILS, TIN).
⁴ Where a company did not engage in the sale of goods (works, services) in the preceding calendar year, the fine is calculated on revenue for the portion of the current calendar year before detection of the offence. For credit institutions, the fine is calculated on own funds (capital) as at the date of the offence.
⁵ Measures may be implemented internally or outsourced, but in both cases require a licence under paragraph 1 or 5 of part 1, Article 12 of Federal Law No. 99-FZ of 4 May 2011 «On Licensing Certain Types of Activity».
⁶ For credit institutions, at least 0.1% of own funds (capital).
⁷ For offences under parts 1–11 of Article 13.11 and/or Articles 13.6, 13.12 of the Code of Administrative Offences.
⁸ Federal Law of 30 November 2024 No. 421-FZ «On Amendments to the Criminal Code of the Russian Federation».

__________

This material has been prepared solely for informational and/or educational purposes and does not constitute legal advice or a legal opinion. EPAM Law, its management, lawyers, and staff cannot guarantee the applicability of such information to your specific circumstances and accept no liability for any decisions you make, or for any direct or indirect losses and/or damages arising from the use of the information contained in these materials, in whole or in part.