Advant Beiten writes:
A law increasing administrative liability for personal data leaks was signed on 30 November 2024 (No. 420-FZ) (the “Law”). The Law will enter into force on 30 May 2025.
A new article of the Criminal Code of the Russian Federation also enters into force on 11 December 2024. It establishes liability for the illegal use and/or transfer, collection and/or storage of information on computers that contains personal data.
MAIN PARAMETERS OF THE ONSET OF THE NEW ADMINISTRATIVE LIABILITY FOR LEAKS:
- Applicable not only in instances when personal data entered the public domain illegally, but also when they were transferred illegally to a limited number of persons;
- Applicable only for the actions (inaction) of the data controller which led to the illegal transfer of the personal data. Consequently, liability is not established for the accidental transfer of personal data. At the same time, however, it is sometimes difficult to establish whether the transfer was illegal or accidental, for example in instances when personal data were sent by mistake to another e-mail address instead of to the intended recipient;
- Fines are differentiated depending on the amount of the “leaked” data and on the specific data categories that were transferred illegally, as well as on whether respective fines had been imposed previously;
- As a general rule, administrative liability is not imposed on the general directors and other officials of private companies for personal data leaks (however, see the note *** in the table below);
- We present in the table below the specific sizes of the fines for companies, depending on the actual circumstances and respective explanations:
See the chart and get additional information at Lexology.