Update: The draft changes discussed here were signed into law on February 24, 2021, and became effective on March 27, 2021.
The Russian State Duma has approved draft changes to the Russian Code of Administrative Offences that significantly increase monetary fines for violation of the Russian privacy law.
On February 10, 2021, the Russian State Duma adopted in the third reading the draft law[1] (Draft Law) that proposes to stiffen penalties for violation of rules applicable to personal data processing in Russia, as established by Federal Law No. 152-FZ “On Personal Data” of 27 July 2006 (PD Law).
The Draft Law proposes amending Article 13.11 of the Code of Administrative Offences, which sets forth administrative liability in the privacy sphere, as follows: (a) to significantly increase the amount of state fines for failure to comply with the requirements of the PD Law; and (b) to impose new types of liability for repeated offences.
| Art. 13.11 | Type of violation[2] | Amount of state fine currently effective | Newly proposed amount of state fine (in US Dollars[3]) |
|---|---|---|---|
| Part 1 | Processing of personal data without proper legal grounds, or inconsistently with purposes of data collection | 405 – 675 | 815 – 1,355 |
| Part 1.1 (new) | Repeated offence under | n/a | 1,355 – 4,065 |
| Part 2 | Processing of personal data without written consent of a data subject (if such consent is required), or failure to comply with requirements to contents of such written consents | 205 – 1,015 | 405 – 2,030 |
| Part 2.1 (new) | Repeated offence under | n/a | 4,065 – 6,770 |
| Part 3 | Failure to publish (or otherwise provide access to) privacy policy and other information on data processing | 205 – 405 | 405 – 815 |
| Part 4 | Failure to inform a data subject on processing his/her personal data | 270 – 540 | 540 – 1,085 |
| Part 5 | Failure to meet the data subject’s request to amend, block, or destroy his/her personal data | 340 – 610 | 680 – 1,215 |
| Part 5.1 (new) | Repeated offence under | n/a | 4,065 – 6,770 |
| Part 6 | Failure to ensure protection and confidentiality of physical media bearing personal data | 340 – 675 | 675 – 1,355 |
Legal practitioners had expected the Draft Law to mark a decisive end to the long-running discussions on whether the amount of state fines can be multiplied by the number of violations committed by a company; in other words, whether a violation of the privacy rights of 20 data subjects would mean that the amount of the state fine is multiplied by 20. Contrary to expectations, the Draft Law is silent in this regard. As before, the mechanism of application of the new fines would depend on the enforcement practice of the Russian Data Protection Authority (a.k.a. Roskomnadzor).
Notably, the Draft Law does not suggest changing penalties for the violation of the so-called “localization requirement.” Penalties under parts 8 and 9 of Article 13.11 remain intact. As a reminder, failure to comply with the localization requirement may entail fines of up to more than $81,000 for the first offence, and up to approximately $244,000 for the second offence.
Also, the current version of the Code for Administrative Offences allows Roskomnadzor in certain cases to issue a so-called “warning for violations” in order to give a company time to rectify the wrongdoing. In contrast, the Draft Law proposes to tighten liability by allowing the authority only to impose fines rather than to issue warnings.
To minimize the risk of penalties, any organization working in Russia or with Russian citizens’ personal data (either having legal presence in Russia or not) must ensure that at all times during processing of data, valid legal grounds for processing of such data exist (including data subjects’ consents in written form, when required by the PD Law) and that all data processing activities are duly formalized, as required by the PD Law (including, any cross-border data transfers). Please refer to one of our recent publications discussing data protection requirements here.
The Draft Law also proposes to increase the limitation period for violations of the PD Law to one year from the date of the violation. Notably, most violations of personal data processing requirements are so-called “continuing offences,” which means that the limitation period is calculated from the date when the violation is detected.
To become effective, the Draft Law must now be approved by the Council of the Federation, the upper house of the Russian Parliament, then signed by the Russian president and officially published. It is proposed to become effective 30 days after the official publication.
It is important to note that in addition to the administrative liability under the Code for Administrative Offences that has been changed by the Draft Law, violation of the PD Law in certain cases may also result in civil or even criminal liability under Russian law.
Trainee solicitor Alena Neskoromyuk contributed to this LawFlash.
[1] Draft law “On the Introduction of Amendments to the Code for Administrative Offences of the Russian Federation.”
[2] For ease of reference, we have reflected penalties applicable to legal entities only. There are also separate state fines imposed on company officials.
[3] Calculated at the exchange rate as of February 11, 2021.