Member Article

The Russian government has approved draft amendments to the Russian Criminal Code that increase the severity of punishment for leaks of personal data (“PD”)

The amendments have changed slightly compared with the version adopted in the first reading. The Ministry of Internal Affairs (MVD) proposed mitigating liability for leaks and editing the wording so that penalties are imposed only in the event of the leakage of (1) data of 50 or more PD subjects, or (2) information about people’s private life, personal or family secrets, special categories of PD, or biometric PD.

The Ministry of Justice opposed such amendments, arguing that restricting the number to 50 PD subjects would result in attackers intentionally splitting up databases with leaked PD, while those who leak the PD of fewer people would be able to avoid criminal punishment.

Under the draft law, if a violation results in severe consequences, the guilty parties may be punished with a fine of up to 3 million RUB (approximately 32,730 USD or 30,476 EUR) and maximum prison sentence of up to 10 years, as well as forced labour and deprivation of the right to hold certain positions or engage in certain activities.

We are closely monitoring the consideration of this draft law and will keep you posted about the latest news.

Russia may soon have a mechanism to compensate for damages caused by the leakage of PD

The Federation Council has drafted a bill on mandatory insurance for PD leaks.

The law would clearly specify not only the insurance amount, limits and list of risks, but also a list of exceptions that should not be set by the actual insurance companies.

We understand that the legislators’ main goal is to encourage companies to pay closer attention to their IT infrastructure, in part to ensure the best possible protection of stored PD or to refuse to process it if it is not required for business.

Growing number of PD-related legal disputes

The number of disputes over the illegal use of PD is on the rise in Russia: since the start of 2024, their number has already increased by 17% compared with the beginning of 2023. There were a total of 17,400 cases across the country in 2023, an increase of 23% from 2022.

Last year, the greatest dynamics in this regard were seen in administrative and criminal cases. The disputes under the Russian Criminal Code concern the illegal receipt of PD about a particular person, which is due to increased attention to the problem of growing terrorist threats. Businesses, in turn, face claims from employees about the reliable storage of their information and the legality of processing their PD. On the one hand, this poses reputational risks, while, on the other hand, it attracts the attention of the Russian PD authority (Roskomnadzor).

We recommend that data controllers regularly conduct an audit of the processes of PD processing to bring them into compliance with the requirements of law and minimize financial, operational and reputational risks.

 

Link to article