On 24 February, the Russian State Duma (the lower chamber of the Russian Parliament) adopted in the first reading a draft law introducing amendments to the Russian Code on Administrative Offences (the Draft Law) that would increase the amount of the fines imposed for violating Russian data protection laws and introducing a differentiation of the relevant offences’ types. Notably, the Draft Law does not introduce any separate fine for violating Russia’s new Data Localization Law, although there is still a possibility that this could be modified as the legislative process progresses.
Russian policymakers have long discussed the potential increase of fines for violating data protection rules, but no such reforms have been enacted. As of today, the liability that may be imposed on legal entities for violating the general rules regulating the collection, storage, use, or distribution of personal data under Russian data protection law amounts to RUB 10,000 (currently approx. USD 160). The Draft Law’s explanatory note states the drafters’ opinion that the current liability clause does not effectively protect data subjects’ personal data, and that the increased fine amounts are intended to ensure the protection of data subjects’ rights. A representative from the Russian Data Protection Authority, Roskomnadzor, also commented that due to the amount of the current fines, data operators choose to knowingly violate the law and pay the relatively insignificant fine instead of complying with Russian data protection rules. These findings follow consistent calls from consumer advocates and others that the fines should be increased to increase compliance.
The current version of the Draft Law would increase the amounts of fines and differentiate the types of offences as follows:
- Processing sensitive personal data related to a data subject’s racial and/or national background, political views, religious or philosophical convictions, state of health, private life, or criminal background without legal basis may entail a fine up to RUB 300,000 (approx. USD 5,000) for legal entities.
- Processing personal data without including required information in a written consent form may entail a fine up to RUB 50,000 (approx. USD 800) for legal entities. Processing personal data without a data subject’s consent or other legal basis may entail a fine up to RUB 50,000 (approx. USD 800) for legal entities.
- Unlawful non-automatic processing of personal data may entail a fine up to RUB 50,000 (approx. USD 800) for legal entities.
- Non-compliance with a data subject’s request to detail, block, or delete personal data when the personal data are incomplete, out of date, incorrect, illegally received, or not needed for the claimed type of processing may entail a fine up to RUB 45,000 (approx. USD 720) for legal entities.
- Non-compliance with the obligation to provide data subjects with notice about the processing of their personal data may entail a fine up to RUB 40,000 (approx. USD 650) for legal entities.
The Draft Law, as is the case with current Russian data protection laws, does not clarify whether the fines would be imposed per investigation or per data subject. Currently, in practice, Roskmonadzor imposes fines per investigation. However, given the ambiguity in the law, there is a chance that regulator may change this position and seek to impose the maximum fine per data subject whose privacy was violated.
This initiative also was widely anticipated due to the recent change in the effective date of the Russian Data Localization Law from September 2016 to 1 September 2015. Under that law, businesses collecting data about Russian citizens, including on the Internet, are required to record, systematize, accumulate, store, update, change, and retrieve the personal data of Russian citizens in databases located within the territory of the Russian Federation. While many expected the Russian Parliament would introduce a law that would not only increase the fines for violations of Russian data protection laws, but also introduce separate significant fines for violating the Data Localization Law, the Draft Law does not provide any, although the State Duma could certainly change this in future readings. Others have commented that the increased fines under the Draft Law are still low and are not comparable with those imposed in Europe or the U.S., so those could be increased in future readings as well.
To become law, the Draft Law still needs to be adopted by the State Duma (after future readings) and approved by the Federation Council (the upper chamber of the Russian Parliament) and the Russian President.
For unofficial insights on the Data Localization Law from Roskomnadzor’s November conference on personal data protection please see our previous Data Privacy Alert. And for more information on the law’s requirements, please see our recent webinar and slide deck (which took place before the amendment moving the effective date to September 2015).