Russia Adopts Strict Penalties For Personal Data Leaks

The State Duma has passed a set of laws to increase penalties for personal data leaks, introducing severe administrative and criminal liability. The legislation, approved unanimously in its final readings, is aimed at strengthening data protection and reducing cybercrime.

Significant Fines Based On Leak Size

Under the new laws, fines for legal entities are tied to the scale of the data breach:

  • 1,000 to 10,000 affected individuals: Fines range from 3 to 5 million rubles.
  • 10,000 to 100,000 individuals: Fines range from 5 to 10 million rubles.
  • More than 100,000 individuals: Fines go up to 15 million rubles.

Repeat offenders face turnover-based fines of 1% to 3% of their annual revenue. Biometric data leaks attract the highest penalties, with repeat violations leading to fines of 25 to 500 million rubles.

Mitigating Liability

Companies can reduce their liability if they meet specific criteria:

  • Spending at least 0.1% of their turnover on cybersecurity annually for three years.
  • No previous administrative violations.
  • Documented compliance with personal data protection requirements.

Criminal Penalties For Illegal Data Handling

A new article, 272.1, has been added to the Criminal Code, targeting illegal activities involving personal data. Offenses such as unauthorized storage, collection, or transfer of personal data now carry penalties of up to 10 years in prison. Criminal liability extends to those creating or running platforms for the illegal exchange of personal data.

Protection For Citizens And Specialists

The laws also protect citizens who refuse to provide biometric data, penalizing companies that deny services or fail to secure biometric data in the Unified Biometric System (UBS). Information security professionals investigating breaches are exempt from liability if they operate within the law.

Calls For Accountability

State Duma Deputy Alexander Khinshtein praised the legislation as a critical step toward better data protection. He emphasized the importance of holding businesses accountable to drive investment in cybersecurity and curb cybercrime.

Roskomnadzor, Russia’s communications watchdog, recorded 110 data breaches in the first nine months of 2024, underscoring the need for stricter enforcement.