Russia is tightening penalties in the field of personal data protection. The potentially significant fines that lay ahead go to confirm that Russian companies and foreign companies which are active on the Russian market should take personal data compliance seriously.
On 24 February 2015, the State Duma passed in the first reading, a bill amending the Russian Code on Administrative Offences (the “Bill”) (the Bill is available here in Russian). The Bill proposes to (i) replace the generally worded administrative offence of breach of personal data law by several more clearly defined offences and (ii) substantially increase the corresponding fines. As can be seen from the summary table below, more serious breaches may automatically give rise to fines when the infringement is detected, whilst for less serious breaches a warning may first be served on the offending company. Corporate officials may also be held liable for the breaches of the personal data operator (however, we have not included the applicable fine ranges in our summary table).
Click here to view table.
In the event that several data subjects are affected by a particular data processing non-compliance, the liability of the personal data operator is not entirely clear from the wording of the Bill. Specifically, the question is whether the relevant amounts set out in the above table are to be applied strictly ‘per breach’, or alternatively, whether a series of breaches discovered in a single investigation may in fact constitute one breach for the purposes of the application of sanctions if those breaches are essentially the same but have been carried out in respect of several data subjects. One cannot rule out that the ‘per breach’ approach will be applied strictly. Fines could therefore be substantial. In order to mitigate the risk of liability, we recommend companies review their existing personal data processing and protection policies and procedures without delay.
The Bill is likely to undergo some further changes before it is finally implemented. In particular, the introduction of an additional offence covering any failure to localise databases containing Russian citizens’ personal data in Russia is a distinct possibility (click here to see the previous alerts on the database localisation requirement). That said, the Bill already gives an insight to companies as to which aspects of data protection requirements they should be concentrating on at this stage.