Member Article

The Presidential Administration has not approved amendments to the second reading of the draft law on turnover fines for personal data (“PD”) leaks

Despite the positive review of the draft law from the Government Commission, the State Legal Department of the President has prepared a ****negative review**** of the draft law on ****turnover fines**** for businesses for ****PD leaks****.

The Presidential Administration did not support the proposal of the Ministry of Digital Development, Communications and Mass Media of the Russian Federation to introduce ****mitigating circumstances for companies****, noting also that the definition of an identifier that will determine the size of the leak should be contained in the ****law on PD****, and not in the Code of Administrative Offences, as is currently proposed, and compensation ****should be appointed by the court****. In addition, the review says that the composition of the offense should be clearly defined, now it is described as “an act or omission of a person that led to the unlawful transfer of information”.

We are closely monitoring the consideration of this draft law and will keep you up with the latest news.

A draft law has been submitted to the State Duma on revoking consent to the processing of PD given by the subject through the website

The draft law proposes to provide for the mandatory possibility of ****revoking consent**** to the processing of PD ****in electronic form****, that is, through sites where the subject previously consented to access such information.

It is proposed to amend Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data”, fixing the need to provide a way to revoke the user's consent to the processing of their PD ****in the same form in which it was received****.

The draft law provides for the need to fix in the content of the consent to the processing of PD an indication of the ****method of its withdrawal****. According to the authors of the draft law, this will allow citizens to significantly simplify the possibility of exercising their right to revoke consent to the processing of PD in a form convenient for them.

For data controllers, the conversion of this draft law into law will entail the need to post additional information on Internet resources (websites) and their technical adjustment.

Attempts to recover damages from a former employee for reputational damage ended in the Supreme Court of the Russian Federation, which ruled that media reports about the leakage of PD do not indicate harm to business reputation

The Supreme Court of the Russian Federation considered the dispute between PJSC Sberbank of Russia and a former employee of LLC National Recovery Service.

In 2019, an employee copied ****clients data**** from their corporate laptop, which was a ****bank secret****, and tried to sell them for a ****monetary reward**** on an Internet forum “Dublik.at”. These illegal actions were discovered by specialists of the recovery service, who, on the instructions of the bank, monitored and identified such cases.

As a result, the former employee was found guilty of ****illegally disclosing information constituting a banking secret****, without the consent of their owner, by a person to whom it was entrusted for work, out of self-interest (Part 3 of Article 183 of the Criminal Code of the Russian Federation).

The incident became known to the ****media****. The bank considered that it had suffered ****reputational damage**** in this way and demanded that the culprit pay more than RUB 3.5 million. The courts of three instances supported this position and recovered ****RUB 1.5 million**** from the former employee.

However, the Supreme Court of the Russian Federation clarified that ****media reports**** about the leakage of PD of clients of a credit institution ****do not**** in themselves ****indicate harm to business reputation****. When applying to the court, the bank must provide evidence of a ****causality**** between the employee's illegal act, media reports and the occurrence of adverse consequences in the form of loss or decrease in credibility in the bank's business reputation.

The Supreme Court of the Russian Federation also indicated that a legal entity or a citizen compensates for damage caused by its employee in the performance of job duties (in accordance with Article 1068 of the Civil Code of the Russian Federation). Therefore, since the disclosure was made using official position, the court should have discussed the ****possibility of replacing the defendant with their employer****.

 

Link to article