Hogan Lovells 2024 Election Impact and Congressional Outlook Report
On 7 February 2017, the Russian President signed into law a bill (link in Russian) introducing amendments to the Russian Code on Administrative Offences that increases the amount of the fines imposed for violating Russian data protection laws and differentiates the relevant offences’ types. The greatest increase raises maximum fines for certain violations from RUB 10,000 to 75,000 (approx. USD 170 to 1,260). The law will come into force on 1 July 2017.
The increase of fines for violating data protection rules has been long discussed due to the relatively low maximum fines available under current law: RUB 10,000 (approx. USD 170) for legal entities. Critics commented that data operators often chose to knowingly violate the law and pay the relatively insignificant fine instead of complying with Russian data protection rules.
The Law increases the amounts of fines and differentiate the types of offences as follows:
processing personal data in cases not provided by the Russian data protection laws, or processing personal data that is incompatible with the purposes of collecting personal data may entail a fine up to RUB 50,000 (approx. USD 840) for legal entities unless such offence constitutes a crime;
processing personal data without a data subject’s written consent when it is necessary under law, or processing personal data without including required information into a written consent form may entail a warning or a fine up to RUB 75,000 (approx. USD 1,260) for legal entities unless such offence constitutes a crime;
non-compliance with the obligation to publish a privacy policy or required information on the data security measures used may entail a warning or a fine up to RUB 30,000 (approx. USD 500) for legal entities;
non-compliance with the obligation to provide data subjects with information about the processing of their personal data may entail a warning or a fine up to RUB 40,000 (approx. USD 670) for legal entities;
failure to timely satisfy a data subject’s request to detail, block, or delete personal data when the personal data are incomplete, out of date, incorrect, illegally received, or not needed for the stated purpose of processing may entail a warning or a fine up to RUB 45,000 (approx. USD 760) for legal entities;
failure to comply with requirement to keep personal data secure and to prevent unauthorized access to such personal data while storing it using material media when no automated means of processing are used, if this has led to illegal or accidental unauthorized access to or destruction, modification, blocking, copying, provision, or distribution of personal data or other illegal actions, may entail a fine up to RUB 50,000 (approx. USD 840) for legal entities.
The law, as is the case with current Russian data protection law, does not clarify whether the fines would be imposed per investigation or per data subject. Currently, in practice, the fines are imposed per investigation. Therefore, this practice should continue to prevail.
Notably, while the new law introduces a differentiation of the offences, it does not provide for an offence for “other violation of Russian data protection laws”. This means that certain violations, which are not expressly listed, may fall out of scope of administrative offences. For instance, the new law does not introduce any separate fine for violating Russia’s new data localization requirement under which businesses collecting data about Russian citizens, including on the Internet, are required to record, systematize, accumulate, store, update, change, and retrieve the personal data of Russian citizens in databases located within the territory of the Russian Federation. This means that fines may no longer be available for violations of the data localization law. However, the possibility for the Russian Data Protection Authority (Roskomnadzor) to block the access to a website is still in place, as it did in its recent action against LinkedIn.
Additionally, the new law provides Roskomnadzor with powers to initiate administrative proceedings without having to involve state prosecutors. Such new powers would allow Roskomnadzor to react to potential violations it discovers and initiate administrative cases more quickly because Roskomnadzor would not have to gather and send evidence to the State Prosecutor and request that the State Prosecutor initiate the case. This affects all market sectors.
In general, these developments – the diversification of violations, the possibility for Roskomnadzor to initiate administrative cases on their own, and increased fines – provide Roskomnadzor with more robust and effective tools to enforce obligations under Russian data protection law.
Authored by Natalia Gulyaeva, Maria Sedykh, and Bret Cohen