2024/05/31 13:02:19

Fines for data breach in Russia


2024

Ministry of Digital Development of the Russian Federation to introduce mandatory notification of citizens about data leaks

The Ministry of Digital Development, Communications and Mass Media of Russia plans to introduce mandatory notification of citizens about leaks of their personal data. The initiative is being discussed following the adoption of a law that toughens the penalties for such incidents. This was announced at the end of May 2024 by Senator Artem Sheikin, Deputy Chairman of the Council for the Development of the Digital Economy under the Federation Council.

Earlier, he had sent the Ministry of Digital Development an appeal proposing to oblige operators to inform citizens about the illegal transfer of their personal data to third parties, regardless of any decision on voluntary compensation. The bill tightening sanctions for data leaks was submitted to the State Duma in December 2023 and adopted in the first reading in January 2024. The document provides for a maximum fine of up to three percent of the company's annual revenue.

Ministry of Digital Development plans to introduce mandatory notification of citizens about cases of leakage of their personal data

"In response to my appeal, the Ministry of Digital Development proposed to discuss the introduction of mandatory informing of personal data subjects about leaks that occurred, after testing the proposed mechanism," said Sheikin. The ministry is also considering the need to allocate additional budget funds for the implementation of this requirement.

The Ministry of Digital Development has prepared amendments for the second reading of the bill, proposing a reduction of the turnover-based fine when the operator meets certain conditions. In particular, the operator must spend funds annually on information security measures, compensate the losses of at least 80% of the affected citizens, and comply with data protection requirements, all of which must be documented.

Sheikin stressed that, to qualify for a reduced fine, the operator must also have no aggravating circumstances. According to the proposed amendments, the turnover-based fine can be reduced only if all of the above conditions are met.

Deputy Minister of Digital Development Alexander Shoitov noted that introducing monetary compensation will require notifying citizens about the incident and about the possibility of receiving compensation.[1]

Russian banks ask the Ministry of Digital Development to cancel turnover-based fines for repeated information leaks

In early March 2024, the Association of Banks of Russia (ADB) appealed to the Ministry of Digital Development with a proposal to cancel turnover-based fines for information leaks in the case of a repeated violation. Market participants call the measure discriminatory, since state institutions have no turnover, and so the punishment has no effect on them.

Turnover-based fines are large monetary penalties calculated as a share of a company's or organization's turnover over a given period. The ADB believes that such a punishment violates the constitutional principle of equality of all before the law and the courts: unlike commercial structures, state institutions have no turnover, so such a fine simply cannot be collected from state organizations. At the same time, the ADB's letter cites examples of leaks that occurred precisely from state and municipal institutions.

The ADB appealed to the Ministry of Digital Development with a proposal to cancel turnover-based fines for information leaks in the case of a repeated violation

The letter also says that turnover-based fines "can have negative consequences for information security companies and the IT industry as a whole." Banks interact with many services, and in all cases files are exchanged automatically, so when the system of one exchange participant is breached, "the likelihood of infection or theft of data from other participants is high."

Acting ADB President Alexei Voilukov says that a situation in which responsibility for leaks is significantly tightened for commercial organizations while state institutions remain virtually unpunished "seems unfair." Moreover, an organization that has received such a fine can file a recourse claim against the supplier of the software that caused the leak, and huge fines for such companies can turn into bankruptcy.[2]

How to oblige data operators to insure the risks of leaks without "killing" the business: the Federation Council discussed a new bill

In Russia, a bill is being developed on an insurance system for personal data leaks. The document is aimed at combating leaks: according to the authors, it will oblige companies that handle data to have financial backing to compensate citizens for damage in the event of a leak.

"The main essence, the purpose of this bill, is first of all to financially ensure the payment of damages to personal data subjects, to increase the level of protection of their rights, and to make companies take the protection of their information resources more seriously. And an important detail is to prevent companies from unnecessarily collecting personal data that they, in principle, do not need," explained one of the authors of the bill, Artem Sheikin, a member of the Federation Council Committee on Constitutional Legislation and State Building and Deputy Chairman of the Council for the Development of the Digital Economy.

The good intentions are clear to everyone, but regulators and market players have different visions of what this bill should be. On February 22, this was discussed in the Federation Council.

Regulators and businesses have many different ideas about what should be in the upcoming bill (source: Federation Council)

At present, a data operator in Russia is any organization that processes data, regardless of its size and the amount of data it processes. The proposed mechanism, which obliges each operator to have insurance or another financial guarantee, should instead be addressed to companies that process significant amounts of data, for example from 100 thousand records, or from 1 million, according to Roskomnadzor. The proposal is intended to avoid demanding disproportionate financial guarantees from organizations such as building management companies or kindergartens, explained the deputy head of Roskomnadzor, Milos Wagner.

The agency believes it would be correct to impose on such operators not only insurance requirements for the risks associated with data leaks, but also a mechanism of special accreditation for companies of this kind, and to link the accreditation obligation to the amount of possible administrative punishment provided for by another bill, the one on turnover-based fines for leaks.

"It is necessary to insure not only the risks associated with compensation for moral damage and other rights of personal data subjects, but also to ensure that operators who process a significant amount of data are able to pay an administrative fine. So that there are no situations where we have adopted a law providing for liability of up to 15 million rubles, and a company processes large amounts of data and, in the event of a leak, can offer nothing but bankruptcy or liquidation," said Milos Wagner.

One idea voiced by participants in the discussion is that insurance is an additional administrative barrier: while the country strives for a digital society and develops technology, it would become an extra burden for smaller companies. A threshold could be set so that the provisions of the new bill do not apply to small businesses; there is even an idea not to classify small businesses as data operators at all. However, this has not yet received support from the regulators. Roskomnadzor takes the position that data leaks are extremely serious and can affect a person's whole life.

The president of the All-Russian Union of Insurers (ARIA), Evgeny Ufimtsev, said that the insurance community supports the cyber risk insurance initiative and that guarantees should be provided to citizens whose data were used to cause them harm. But the All-Russian Union of Insurers believes that the initiative needs to be improved within the framework of the presented bill.

For example, precise definitions, limits and insured sums need to be fixed; otherwise a problem may arise from a broad interpretation of all expenses incurred. It also needs to be stated more clearly whose liability is insured. And there should be some classification of operators, because the sensitivity of different data differs: a leak of only a phone number and place of residence is one thing, while data relating to a person's life and health, or financial data, is a different level of sensitivity, Evgeny Ufimtsev explained.

The third question is to clearly determine what constitutes an insured event: the fact of the leak itself, complaints from citizens, the damage caused to them, or some other parameters. Without this, another problem may arise: the appearance of some data in open sources is not always confirmation that a leak occurred and that a person was harmed.

Igor Lyapunov, Vice-President of Rostelecom for information security, noted at the meeting in the Federation Council that turnover-based fines and the bill on risk insurance are "a colossal step, a revolution in the protection of personal data." But he outlined two troubling points. The first, regarding turnover-based fines, is the method of proving that the personal data operator was the source of the leak. Currently there is in effect a presumption of guilt: the regulator states that the company leaked data and issues an order, and the company must then prove that the leak did not come from it.

As for risk insurance, it is unclear how to estimate the cost of one line of data. How it is valued is a significant factor, because the amount of financial security required depends on it, and it should not be prohibitive, such as providing 500 million rubles for 500 thousand personal data records. For modern IT companies operating in the B2C market, collecting 100-500 thousand records is not a lot, and if liability of 500 million rubles arises, such a business can be ruined, said Igor Lyapunov.

Another point is what form the financial security should take. Any form other than insurance is a way of withdrawing funds from companies' turnover and from business development, believes Rostelecom's vice president for information security.

He also raised the question of what kind of data leak could cause maximum damage to the data subject. The state, for example, holds a colossal amount of diverse data, and leaks there are potentially possible. Will the state compensate for the damage if a leak occurs through its fault? The deputy head of Roskomnadzor noted that, as of the end of 2023, only 2 or 3 of 170 cases involved state systems; it is mainly data from companies in the commercial sector that is compromised. Milos Wagner added that the bill only deals with insuring the risk of data compromise, while damage, including moral damage, must then be proven privately through the courts.

Ilya Smirnov, director of the insurance market department of the Central Bank, said that only liability can be insured; insuring property is much more difficult. And when discussing liability insurance for data leaks, the following must be taken into account: it is difficult to establish that a specific leak from a particular company led to damage.

"Suppose that company A had a leak, and then, for the same person, company B. How do you prove that the losses came from company B, and that the person suffered because of that?" Ilya Smirnov gave as an example.

It is also important to determine who will monitor the availability of insurance (federal executive bodies, Roskomnadzor, the Ministry of Internal Affairs, the Ministry of Digital Development) and how regular such monitoring will be, he added. And what happens if a company does not have insurance: "Will the lack of insurance at Rostelecom mean that it also cannot operate in the market?"

Meanwhile, Nikolai Galushin, general director of the National Insurance Information System (NSIS), believes there should be a direct connection between a data leak and damage: insurance can work only if an individual has been harmed. At the same time, all the information about anyone is already available on the Internet, but the presence of data and the damage from it are different things.

Bills on turnover-based fines and criminal liability for data leaks adopted in the first reading

On January 23, 2024, the State Duma adopted in the first reading bills on administrative and criminal liability for personal data leaks. This was reported by the press service of State Duma deputy Anton Nemkin.

"He conducted a survey on this topic in his Telegram channel; the absolute majority spoke in favor of the need to strengthen punishment for the leakage of personal data," said Volodin, commenting on the draft law.

These bills are the most discussed and the most anticipated in recent years, both by society and by the industry, noted Anton Nemkin.

"Their relevance is especially obvious against the background of the catastrophe that is unfolding in terms of personal data leaks: according to official data from Roskomnadzor alone, a total of more than 300 leaks were recorded from 2022 to 2023, and almost a billion lines of Russians' data leaked to the network. Therefore, I have no doubt that our bills will be adopted very quickly, in this session for sure. And so, the first step has already been taken: the State Duma at the plenary session adopted in the first reading both bills on administrative and criminal liability for personal data leaks," he said.

Thus, in the bill that proposes to supplement Art. 13.11 of the Administrative Code of the Russian Federation (violation of the legislation of the Russian Federation in the field of personal data) with new parts, it is worth noting that the tougher punishment will cover not only the fact of a leak but also a number of operators' duties. For example, for an untimely or missing notification to Roskomnadzor of the intention to process personal data, the fine for citizens can range from 5 thousand to 10 thousand rubles, for officials from 30 thousand to 50 thousand rubles, and for legal entities from 100 thousand to 300 thousand rubles.

Failure to notify Roskomnadzor of an incident involving personal data, or sending the notification late (one day is allowed for this), will also entail a fine: for citizens from 50 thousand to 100 thousand rubles, for officials from 400 thousand to 800 thousand rubles, and for legal entities from 1 million to 3 million rubles.

The amendments to the Code of Administrative Offenses also establish fines of up to 15 million rubles for personal data leaks. At the same time, the size of the fine is proposed to vary with the volume of the leak: the more data leaked, the larger the fine. The largest fine is provided for those whose violation led to the illegal transfer of information including the personal data of more than one hundred thousand data subjects.

"However, the most serious punishment, of course, concerns those who have already been fined for an action or inaction that resulted in a data leak, and who then did it again. They face a turnover-based fine, which can reach 500 million rubles," added Nemkin.

The second bill proposes to supplement the Criminal Code of the Russian Federation with Article 272.1 (illegal use and (or) transfer, collection and (or) storage of computer information containing personal data, as well as the creation and (or) support of the functioning of information resources intended for its illegal storage and (or) distribution). Accordingly, criminal liability will be provided for those who illegally collect, store, use and transfer illegally obtained computer information containing personal data. It also threatens those who illegally transfer databases with personal information abroad, or who create and administer sites that allow personal data to be illegally stored and accessed.

"Meetings with representatives of the industry were held repeatedly, there were heated disputes, and the draft laws were finalized and transformed several times. In the version in which they were submitted to the State Duma, the bills, in my opinion, take into account at least 80% of all available comments. It is possible that by the second reading they can be finalized further if the industry or business comes up with constructive proposals. In particular, the mechanism for mitigating operators' liability is still subject to discussion; so far it has not been possible to reach a consensus," the parliamentarian concluded.

ICT companies and banks ask to finalize the bill criminalizing data breaches

The Big Data Association (ABD; it includes large Russian ICT companies and banks) sent the State Duma Committee on State Building and Legislation a letter asking deputies to clarify the wording of the bill on criminal liability for working with personal data. The appeal became known on January 16, 2024.

As Forbes writes with reference to the ABD letter, the association supports criminal liability for data leaks but believes that the offense introduced into the Criminal Code should be unambiguous, with responsibility borne by hackers and those who sell databases. In the version of the bill submitted to the State Duma in early December 2023, the offense is "formal," the letter says, and punishment is provided for the collection and storage of data regardless of whether there was intent.

Business asked to finalize the initiative on criminal liability for leaks

ABD members proposed adding the wording: punishment "for the deliberately illegal collection, storage and use of personal data." According to the association, this would make it possible to avoid punishing those who accidentally gained access to personal data. The business community also proposed not prosecuting employees of information security departments or expert institutions who study leaks "in order to monitor security and prevent attacks on their own information resources."

The bill submitted to the State Duma provides that a fine of 300 to 700 thousand rubles is imposed for the use, transfer, collection or storage of illegally obtained personal data. Violators can also be imprisoned for a term of four to five years. If such actions are committed by a group of persons and cause major damage, the fine increases to 1 million rubles and the maximum term to six years.[3]

2023

Penalties were imposed for high-profile data leaks from the Ministry of Education, EKSMO and Rosa Khutor

Courts have issued administrative fines to the Ministry of Education of the Russian Federation, the EKSMO publishing house and the Rosa Khutor resort for leaks of personal data that were published in early June 2023. In addition, a decision was made on the leak of personal data of users of the site "МТВ.РУ," which was recorded on August 21. As a result, all the listed organizations received administrative fines of 60 thousand rubles. A similar case is under way against the AST publishing house, which has appealed the court's decision.

In particular, the court found that on June 2 a database of users of the Russian Electronic School website was in the public domain, containing 2.019 million records including full name, phone number, email address, date of birth, city, position, place of work, place of study and information about children. The leak was the result of a hacker attack on components for which the personal data operator had not installed updates, but the court did not recognize this as a mitigating circumstance.

The notable feature of the case is that it was not the Ministry of Education itself that processed the data, but a subordinate institution, the Federal State Autonomous Institution Scientific Research Institute ITT "Informatics," against which no case was opened. The reason is that the consents to personal data processing published on the NES website were issued on behalf of the Ministry of Education of the Russian Federation.

The EKSMO publishing house and the Rosa Khutor resort were also found guilty of violating Law No. 152-FZ "On Personal Data," having exposed 452 thousand and 522 thousand lines respectively. In both cases the leak is stated to include last name, first name, patronymic, date of birth, phone number and email address; for the site eksmo.ru the additional fields were gender, writing information and delivery address. In both cases the cause of the incident was an attack on the 1C-Bitrix CMS in which a vulnerability was exploited.

Panorama on the website of the Rosa Khutor resort, which caused the leak of visitors' personal data

The decision in the case of the EKSMO publishing house noted the following:

"At the same time, the limited liability company EKSMO Publishing House LLC has not provided evidence of the absence of a real possibility of complying with the requirements of current legislation, or of the adoption by the legal entity of all measures within its power to comply with these requirements."

This is where the security requirements of FSTEC and connection to the State system for detection, prevention and elimination of the consequences of computer attacks (GosSOPKA) should come into play. If the EKSMO publishing house had been certified for compliance with FSTEC requirements, or at least had an agreement on interaction with GosSOPKA, the result of the trial might have been different. And probably there would have been no proceedings at all, since both FSTEC and the NCCC had sent warnings about the detection of critical vulnerabilities in the 1C-Bitrix CMS, so enterprises' IT services could simply have installed the appropriate updates.

Moreover, if the company admits guilt, the trial goes faster and with fewer details, since the court does not need to formulate the reasoning in detail. This is exactly what happened in the "МТВ.РУ" case: the fine was the same, 60 thousand rubles, but less information about the leak itself was published.

This matters because in early December a bill was submitted to the State Duma that should tighten administrative punishment for non-compliance with personal data legislation. After its adoption, legal entities will no longer get off with a fine of 60 thousand rubles: the maximum fine can be raised to 15 million rubles, and for a repeated violation a turnover-based fine of up to 3% of the company's annual revenue is provided.

The volume of fines for data leaks in Russia has grown 23 times since 2021

For the incomplete year 2023 (from the beginning of January to the beginning of December), the amount of fines for personal data leaks that Russian courts ordered to be collected exceeded 4.6 million rubles, twice as much as a year earlier and 23 times the volume of 2021. These data were published by Roskomnadzor in December 2023.

According to Vedomosti, citing a representative of Roskomnadzor, from early January to early December 2023 the courts considered 87 protocols drawn up by the agency on personal data leaks, against 66 cases for the whole of 2022. In 2021, Roskomnadzor drew up only four protocols on such violations, and the fines for them amounted to about 200,000 rubles.

The amount of fines for personal data leaks that Russian courts ordered to be collected exceeded 4.6 million rubles

The increase in fines is associated with heightened attention to the problem of leaks, as well as with the growth in recent years in the number of leaks and cases of illegal sale of personal data, said Yaroslav Shitsle, head of the IT&IP dispute resolution practice at the law firm Rustam Kurmaev and Partners.

According to the estimates of experts interviewed by Vedomosti, from January 1 to early December 2023, more than 200 personal data leaks were recorded in Russia.

"Their volume cannot yet be estimated accurately, but most likely it will amount to at least 300 million lines of unique client data," the publication's sources emphasized (the article was published on December 11, 2023), noting that in the whole of 2021 there were 260 leaks, but the criminals obtained only about 110 million lines of client data.

According to experts, information systems in the Russian Federation were not sufficiently protected from hacking. A huge number of ideologically motivated people became involved in the criminal business, and accordingly the list of potential hacking targets has grown, the sources added.[4]

MPs seriously tighten penalties for personal data leaks

In early December, a group of deputies submitted to the State Duma a package of bills tightening responsibility for personal data leaks. They cover both organizations that failed to protect personal data (their punishment is determined by a bill[5] amending the Code of Administrative Offenses) and hackers who gained unauthorized access to personal data databases and distributed them (a bill[6] amending the Criminal Code[7]).

The amendments to the Code of Administrative Offenses are mainly aimed at changing the existing Article 13.11[8], which defines administrative punishment for individuals, officials and legal entities for violating the requirements of Law No. 152-FZ "On the Security of Personal Data." Here, officials means those who organize data protection in state and municipal authorities. The proposed amendments increase the penalties for failure to comply with the protection requirements for personal data information systems (ISDS) by a factor of 2 to 6.

The bill on the website of the State Duma

In addition, seven new violations are introduced under this article: failure to notify Roskomnadzor (up to 300 thousand rubles); failure to investigate incidents with ISDS (up to 3 million rubles); criminal negligence (signs of a criminal act, up to 5 million rubles); a medium-sized leak (up to 10 million rubles) and a large one (up to 15 million rubles); repeated violation (up to 3% of annual revenue for legal entities and up to 4 million for officials); leakage of special-category personal data (regardless of volume, up to 15 million rubles) and its repetition (up to 3% of annual revenue for legal entities or 5 million for officials). The law is to enter into force within a month of its publication.

The amendment to the Criminal Code adds a new article, 272.1, which punishes "the use and (or) transfer, collection and (or) storage of computer information containing personal data, as well as the creation and (or) support of the functioning of information resources intended for its illegal storage and (or) distribution."

The bill on the website of the State Duma

Previously, hackers who stole personal data were tried under Article 272[9] of the Criminal Code of the Russian Federation, "Illegal access to computer information"; now there will be a separate article that punishes not only access but also transfer, collection, storage and even the creation of sites with stolen personal data. As a result, even analyzing published leaks or matching them against older ones may be outlawed.

The punishment under this article is a fine of up to 300 thousand rubles or up to 4 years of restriction of freedom for ordinary personal data, and up to 700 thousand rubles or up to 5 years for special categories of data. The aggravating circumstances are mercenary motive, major damage, acting as a group and use of official position; in these cases the punishment increases to 1 million rubles or up to 6 years. The explanatory note indicates that grave consequences mean the suspension or disruption of the personal data operator's activities, that is, a situation where data theft is covered up by a DDoS attack.

A separate punishment is provided for the cross-border transfer of personal data, although the explanatory note clarifies that this means the physical transfer of data across the border on any medium. The punishment is up to 10 years of restriction of freedom or a fine of up to 3 million rubles.

The new article also defines the punishment for creating a site or page on the Internet specifically intended for the illegal storage or transmission (distribution, provision, access) of computer information containing personal data. For this, a fine of up to 700 thousand rubles or a sentence of up to 5 years is due.

"The most significant measures of criminal liability will be applied to organized groups that committed illegal actions with databases containing illegally obtained data, which entailed grave consequences," Alexander Khinshtein, chairman of the State Duma Committee on Information Policy, explained the amendments in his Telegram channel. "Large fines are provided (up to 3 million rubles in the case of grave consequences or actions by an organized group), a ban on holding certain positions, forced labor and imprisonment. The last sanction can reach five years for the creators of resources that distribute stolen data."

Yandex.Eda will pay compensation to users for the leak of their data

At the end of November 2023, the St. Petersburg City Court put an end to the proceedings between Yandex.Eda users and the service: the users had demanded compensation from the company for the leak of their data. Read more here.

State Duma Speaker Volodin learned about the desire of Russians to increase fines for personal data leaks

On October 3, 2023, Chairman of the State Duma Vyacheslav Volodin launched a vote in his Telegram channel on toughening companies' responsibility for leaking citizens' personal data. According to Volodin, the issue is being discussed in the State Duma.

The question was: "Do you think it is right to increase fines for business in the event of repeated facts of such violations?" Three answers were offered: "Yes," "No," "Don't care."

As of October 4, 175 thousand people had answered the survey, of whom 93% demanded tougher fines for repeated leaks. Commenters even proposed introducing criminal liability with confiscation of property.

Readers of Vyacheslav Volodin's Telegram channel overwhelmingly supported tougher fines for repeated data leaks

Apparently, with his survey Vyacheslav Volodin was reacting to an open letter from the business community sent to him a day earlier by representatives of Opora Rossii, Delovaya Rossiya, the Russian Union of Industrialists and Entrepreneurs, and the Chamber of Commerce and Industry. They proposed calculating the turnover-based fine for repeated leaks differently: by multiplying the size of the previous fine by the ordinal number of the offense.

That is, if the current bill provides for a fine of 15 million rubles or more, then for the third leak from the same operator the fine would already start at 45 million rubles. Their proposal also requires that criminal liability arise after a certain number of repeated violations.

Judging by the vote in the Telegram channel, it is this concept of toughening punishment for violators of Law No. 152-FZ "On the Protection of Personal Data" that is the most popular.

Actually, the process of developing a bill on the introduction of negotiable fines was initiated in January 2023 by the order of the President of the Russian Federation - the report on the work done was scheduled for July. In mid-summer, a proposal was developed, which Prime Minister Mikhail Mishustin agreed with the President. According to RBC, that bill proposed to introduce the following fines: if the leak contains from 1 thousand to 10 thousand PD records, then the fine for legal entities will be from 3 million to 5 million rubles; from 10 thousand to 100 thousand - from 5 million to 10 million rubles; and more than 100 thousand - from 10 million to 15 million rubles. At the same time, for repeated violation with any volume of leaked information, but from 1 thousand subjects, a fine is proposed from 0.1 to 3% of the revenue of the fined company for the calendar year preceding the violation, or for a part of the current year, but at least 15 million rubles. and no more than 500 million rubles. For leaks of biometric personal data, it was proposed to fine legal entities in the amount of 15 million to 20 million rubles.

However, at the time of discussion, the State Duma was on vacation, so immediately after approval, the bill could not be submitted for consideration. Now, when the autumn session has already begun, the process of finalizing the bill is underway, since after the publication of RBC there were many complaints about it from personal data operators and the business community.

Actually, the current vote is just another attempt to show that the people have a clear desire to punish those companies that allow leaks, although not everyone voting for tougher punishment understands that now virtually all Russian companies have become operators of personal data, and such fines can be fatal for them.

Victims of data leaks will be able to receive compensation through the Public Services portal

The Government of the Russian Federation supported the Ministry of Digital Development's initiative to compensate victims of personal data leaks under the law on turnover-based fines. This is stated in a message dated September 26, 2023 published on the ministry's official website.

Financial compensation for harm caused to the user by the company that allowed the leak will be recognized as a mitigating circumstance, in which case reduced turnover-based fines will be applied to the company.

How it will work:

The company must inform the user about the leak by sending an SMS or e-mail to the phone number or address specified at registration. If the company is ready to pay compensation, this will be stated directly in the message. The Ministry of Digital Development will also post this information on the Public Services portal (EPGU).

After that, the user will have 15 working days to apply for compensation through the Public Services portal. Within 20 working days of receiving the applications, the company will calculate the amount of the payment and send its offer to all applicants through the portal.

The user will be able to accept or decline the offer within 20 working days.

If more than 80% of applicants agree to the compensation, the company will have to pay it within 5 working days.

Roskomnadzor will take over the certification of personal data operators

On July 19, 2023, Roskomnadzor's plans to take over the certification of personal data operators became known. According to Kommersant, the agency proposes adding to the upcoming bill on turnover-based fines for personal data leaks a requirement for companies to obtain a license to process such data. Licensing would be handled by the regulator's certification center.

It is assumed that for this purpose Roskomnadzor would audit a company's IT infrastructure for compliance with certain criteria, one of the newspaper's sources explained. A source close to the Ministry of Digital Development said the initiative could only be extended to companies that process large amounts of data.

Roskomnadzor wants to take over the certification of personal data operators

According to Kirill Lyakhmanov, General Counsel of the intellectual property practice at the EBR law firm, if the licensing provision proposed by Roskomnadzor is adopted, it will most likely apply to all personal data processors, otherwise "its political effect will tend to zero." Roskomnadzor itself stated that it does not propose introducing licenses for the processing of personal data.

That is not the case. The proposals in the bill do not provide for licensing or the introduction of additional permitting procedures. We are talking about raising the level of protection of citizens' data for operators processing significant amounts of such data, the agency noted.

Roskomnadzor reported that for such "large" operators, which process over 1 million records, it considers it necessary to establish the following obligations: the operator must be a Russian legal entity; it must have at least five employees with higher education in information security responsible for protecting the operator's personal data databases; and it must carry financial liability for losses from a possible data leak of at least 100 million rubles.[10]

The Ministry of Digital Development of the Russian Federation will introduce unscheduled inspections of IT companies over data leaks

On June 9, 2023, it became known that the Ministry of Digital Development of the Russian Federation and the Federal Antimonopoly Service (FAS) intend to lift the moratorium on unscheduled inspections for IT companies that have leaked personal data or violated antimonopoly law.

According to Kommersant, inspections are proposed when "a database directly or indirectly belonging to the organization appears on the Web." The situation with leaks of confidential information in Russia is deteriorating: according to the darknet monitoring service DLBI, in the first quarter of 2023 alone the volume of citizens' personal data that illegally ended up on the Internet exceeded 118 million unique records, 2.3 times more than in the same period of 2022. It is assumed that the risk of an unscheduled regulatory inspection will encourage Russian companies to deploy additional security tools. However, some experts believe such measures will not always be effective.

The Ministry of Digital Development and the Federal Antimonopoly Service intend to lift the moratorium on unscheduled inspections for IT companies that have leaked personal data or violated antitrust law

The state's desire to regulate the digital environment in the current situation is understandable. But even an IT company cannot always be directly blamed for a data leak, especially since other industries figure in such incidents more often, said Alexander Kovalev, deputy general director of Zecurion.

Unscheduled inspections for violations of antimonopoly law will be carried out in cases of "overpricing of products in the absence of an alternative." In the current geopolitical situation, demand for Russian software and equipment has risen sharply, which has triggered a rapid increase in prices for IT products: for example, the cost of some domestic software rose by 30-50% over the year.[11]

VK fined for leaking data of users of the mail service Mail.ru

On May 11, 2023, VK was fined for a leak of data of users of the Mail.ru mail service. The decision was made by the Magistrate's Court of the Savelovsky District of Moscow. Read more here.

HSE fined 60 thousand rubles for personal data leakage

The National Research University Higher School of Economics (HSE) was fined 60 thousand rubles for a personal data leak. The decision was made on May 10, 2023 by the magistrate of judicial district No. 387 of the Central District of Moscow. The university was found guilty of an administrative offense under Part 1 of Article 13.11 of the Administrative Code of the Russian Federation (processing of personal data in cases not provided for by the legislation of the Russian Federation in the field of personal data, or processing of personal data incompatible with the purposes of its collection, except for the cases provided for by Part 2 of this Article and Article 17.13 of this Code, if these actions do not constitute a criminal offense). The maximum fine under this article is 100 thousand rubles. Read more here.

Uralchem fined for leaking employee database

The Magistrate's Court of the Presnensky District of Moscow fined Uralchem 60 thousand rubles for leaking its employee database. One of the largest producers of mineral fertilizers was found guilty of violating personal data law. Read more here.

A court in Moscow fined Skyeng for leaking user data

On March 1, 2023, the magistrate's court of the Tagansky District of Moscow fined Skyeng 60,000 rubles for a leak of personal data of users of the online English school. The company was found guilty under Part 1 of Article 13.11 of the Administrative Code (processing of personal data in cases not provided for by the legislation of the Russian Federation). The maximum penalty under the article is a fine of 100,000 rubles. Read more here.

Tutu.ru service fined for leaking user data

In early March 2023, the magistrate's court of the Tagansky District of Moscow fined the Tutu.ru service 60 thousand rubles for a leak of user data. The company was found guilty of the administrative offense provided for in Part 1 of Article 13.11 of the Administrative Code (violation of the legislation of the Russian Federation in the field of personal data). Read more here.

The Government of the Russian Federation supported the introduction of criminal liability for the illegal collection of personal data

The Government of the Russian Federation supported the introduction of criminal liability for the illegal collection of personal data. This was announced on February 2, 2023 by Irina Rukavishnikova, first deputy chairman of the Federation Council Committee on Constitutional Legislation and State Building, one of the authors of the bill.

The concept of the bill amending the Criminal Code of the Russian Federation, which proposes establishing criminal liability for the illegal collection, storage, use and transfer of databases, is supported by the Government of the Russian Federation. The Federation Council is now working on the final text of the draft federal law, she said in a conversation with TASS (the article was published on February 2, 2023).

The Cabinet of Ministers supported the concept of the bill on criminal punishment for personal data leaks

Rukavishnikova did not specify the penalties planned for personal data leaks. Anton Gorelkin, deputy head of the State Duma Committee on Information Policy, said in his Telegram channel that he was counting on the "severe punishment" provided for by the authors of the document; otherwise, he said, he would insist on tougher liability.

Gorelkin noted that as of early February 2023 the introduction of turnover-based fines for companies that leak customers' personal data was also being discussed. That bill had been under discussion since spring 2022, and at the end of 2022 the Ministry of Digital Development announced that the document was ready. However, its text had not yet been published.

As I understand it, this issue is having a harder time getting through the Cabinet of Ministers, but it is already close to the final stage, Gorelkin said.

Irina Rukavishnikova stressed that personal data leaks pose a serious threat to Russia. According to her, the task set by Russian President Vladimir Putin to protect personal data is timely, since cases of sale of the personal data of the country's residents have become more frequent, "and this is done without hesitation, in large bulk."[12]

2022

The Ministry of Digital Development decided to introduce turnover-based fines for data leaks of up to 500 million rubles

On December 26, 2022, it became known that the Ministry of Digital Development of the Russian Federation had decided to set fines for personal data leaks for companies in the range from 5 million to 500 million rubles.

The Ministry of Digital Development will introduce fines for data leaks of up to 500 million rubles for companies

According to Kommersant, citing a source familiar with the final version of the bill, the "upper ceiling" applies if a company has leaked data repeatedly since the law came into force and has violated a number of the regulator's requirements, for example by trying to conceal the incident.

The newspaper's sources noted that the fine would be calculated from the company's revenue for the calendar year preceding the year of the leak. The ministry expects the provisions of the law to enter into force in September 2023.

The notion of a repeated violation raised questions from the newspaper's source in the IT industry, who pointed out that criminals compile the databases published on the Internet, and "their publication does not always mean a violation of data storage rules." Another source at an IT company suggested that the introduction of turnover-based fines could lead to the "fragmentation of companies" in order to reduce the base for a fine in case of possible leaks.

So, a large company can divide delivery, specialized services and the main business so that the revenue of each individual legal entity decreases significantly and, accordingly, the percentage taken from it is lower, he said.

On December 23, 2022, Andrei Klishas, head of the Federation Council Committee on Constitutional Legislation and State Building, said that parliamentarians intend to work out the issue of toughening punishment for violations of personal data legislation in the near future. Earlier, Roskomnadzor's press service told TASS that legislative changes toughening the punishment for data leaks had already been prepared.[13]

The Ministry of Digital Development supported the introduction of prison sentences for the theft and sale of personal data

The Ministry of Digital Development supported the introduction of prison sentences for the theft and sale of personal data. This became known in mid-December 2022. Read more here.

IT companies in Russia face checks in case of personal data leakage

In December 2022, the Ministry of Digital Development of the Russian Federation published a draft government decree on unscheduled inspections by Roskomnadzor of accredited IT companies in the event of a leak of employee or customer data. According to the explanatory note, the initiative is aimed at preventing problems associated with mass leaks of personal data.

According to the document cited by Interfax, Roskomnadzor, in agreement with the prosecutor's office, will be able to carry out unscheduled measures to control the processing of personal data against operators, including accredited organizations operating in the field of information technology. The condition for starting an unscheduled inspection will be an established fact of distribution on the Internet of personal data databases (or parts thereof), including those with signs of belonging to an accredited organization, the note says.

As of mid-December 2022, Russia has a moratorium on scheduled and unscheduled inspections of all Russian companies (with the exception of certain types of inspections of socially significant facilities for compliance with sanitary and fire requirements, as well as hazardous production facilities). The unified portal of public services (EPGU) has a service for complaints about violations of the moratorium on inspections. According to the government, as a result of improvements in control and supervisory activities, annual savings for business amounted to about 200 billion rubles.

On December 16, 2022, Roskomnadzor reported that since the beginning of Russia's special military operation in Ukraine, more than 140 leaks of Russians' personal data had been registered, with more than 600 million records having ended up online.

The confidentiality of medical personal data, which is subject to special protection, is being violated. The main source of leaks is foreign resources, the agency said.[14]

The Ministry of Digital Development decided to fine data leaks at up to 3% of annual turnover

The Ministry of Digital Development, Communications and Mass Media of the Russian Federation has prepared a bill increasing fines for leaks of user data. As the head of the ministry, Maksut Shadayev, said in mid-December 2022, it proposes fining companies up to 3% of annual turnover. As of December 14, 2022, the maximum fine for this violation is 500 thousand rubles.

Turnover-based fines of up to 3% will force companies to invest more in security. It seems to us that this is the main motivation: not to collect more fines, but to get colleagues to invest in infrastructure, Shadayev said at a meeting of the presidium of the Communist Party faction in the State Duma on December 14, 2022.

According to him, the following will be considered mitigating circumstances when imposing a fine: investments in data protection, infrastructure certification, and compensation of damage to users whose data ended up online. If the company compensates two-thirds of affected customers out of court, this will be treated as a mitigating circumstance.

In early December 2022, Russian President Vladimir Putin acknowledged that the punishment for data leaks could be toughened. He did not rule out not only turnover-based fines but also criminal liability, though only if "people understand that they are using stolen data." At the same time, according to the head of state, such decisions should be balanced and not impede the development of information technologies the state needs.

Under the amendments to the Law "On Personal Data" that entered into force on September 1, 2022, in the event of a data leak the operator is obliged to notify Roskomnadzor within 24 hours and, within 72 hours, to provide the agency with the results of an internal investigation indicating the cause and those responsible.[15]

Yandex fined for leaking data from users of educational service

On December 12, 2022, the Magistrate's Court of the Khamovnichesky District of Moscow fined Yandex over a leak of data of users of the Yandex Practicum educational service. Read more here.

Russia is going to introduce criminal liability for the leakage of personal data

On December 8, 2022, it became known that Russian President Vladimir Putin, at a meeting with members of the Council for the Development of Civil Society and Human Rights (HRC), approved the introduction of criminal liability for illegal trafficking in personal data, including the use of leaked databases.

The president promised to give appropriate recommendations and instructions to the Ministry of Digital Development, the Ministry of Internal Affairs and the Central Bank.

The initiative was proposed by HRC member Kirill Kabanov, head of the National Anti-Corruption Committee. He called for introducing the concept of "illegal trafficking in personal data" into legislation, by analogy with the concept of drug trafficking, and proposed turnover-based fines and criminal punishment for companies that leaked and used the databases.

"There is probably a need to tighten liability for offenses in this area," Vladimir Putin replied to the proposal. "With regard to turnover-based fines and criminal liability, I understand that you are talking about criminal liability for trafficking, because those who use this data should know and understand that they are using stolen data. Of course, this needs to be worked out, and balanced decisions made that will protect the interests of citizens and will not be an obstacle to the development of information technologies that are appropriate and very necessary for the state."[16][17]

The Ministry of Digital Development has prepared new conditions for turnover-based fines for data leaks

In early October 2022, a new version of the bill on turnover-based fines for personal data (PD) leaks became known. In the revised document, the Ministry of Digital Development proposes fines not only for companies but also for their officials.

As Vedomosti writes, citing the agenda of a meeting on the regulation of personal data legislation to be held at the Ministry of Digital Development on October 6, 2022, for the executives of a company that allowed a leak of data on 10,000 to 100,000 subjects the fine would be 200,000-400,000 rubles; for individual entrepreneurs and legal entities, 0.02% of turnover, but no less than 1 million rubles.

The Ministry of Digital Development put forward conditions for fines for data leaks

The initial version of the bill proposed fining a company 1% of annual revenue, and up to 3% if it failed to report the leak on time. The latest version provides for such fines only for companies that have leaked more than 100,000 records, a source familiar with the discussion of the bill said.

Experts interviewed by the newspaper believe that personal fines for data leaks may, on the one hand, lead responsible officials to take appropriate measures to ensure reliable protection of users' PD; on the other hand, they will not solve PD protection problems in companies whose established business processes even senior officials cannot change or adjust in a short period of time.

On October 5, 2022, Deputy Head of the Ministry of Digital Development Alexander Shoytov said that personal data leaks, driven by intensifying hacker attacks, are destabilizing the situation in Russia. In his opinion, adopting a law on turnover-based fines for companies that leak data will help correct the situation.[18]

Companies will receive turnover-based fines only if a leak affects the data of 10 thousand Russians

At the end of August 2022, it became known that companies in Russia would receive turnover-based fines only if a leak affected the data of 10 thousand users. In other cases the fine would be fixed.

RBC learned of the introduction of this scheme for punishing business for data leaks. According to the publication's source, the mitigating circumstances that "will reduce the fine to a fixed value of several million" include the following: the company itself detected the leak, publicly admitted it, actively conducted an investigation, assisted the supervisory authorities, and the investigation established that the leak did not occur due to a violation of information security requirements.

Companies will receive turnover-based fines if the personal data of more than 10 thousand subjects leak

The Ministry of Digital Development is in favor of toughening and strengthening liability for personal data leaks, but the point is not the fines themselves: additional liability in the form of turnover-based fines will encourage business to invest in the development of information security infrastructure and the protection of users' personal data, the ministry stressed on August 29, 2022.

The head of the Ministry of Digital Development, Maksut Shadayev, had earlier proposed toughening liability for personal data leaks. As of the end of August 2022, the maximum fine for a personal data leak for business is 500 thousand rubles.

After confirming leaks, companies do not pay compensation to affected users. Roskomnadzor believes that customers of companies affected by a compromise of personal data have the right to demand proportionate compensation from the guilty party both out of court and in court. In early August 2022, Roskomnadzor announced that since the beginning of 2022 more than 40 large leaks of personal data databases had occurred in Russia, with 300 million records compromised.[19]

Delivery Club fined for leaking user data

On August 18, 2022, the magistrate's court of the Aeroport District fined Delivery Club 80 thousand rubles for leaking the personal data of the service's customers and couriers. This was reported by RIA Novosti with reference to the press service of the Savelovsky Court of Moscow. Read more here.

The Ministry of Digital Development decided to make fines for data leaks proportionate to the amount of information

On July 12, 2022, the Ministry of Digital Development of the Russian Federation's decision to make fines for data leaks commensurate with the amount of leaked information became known. The corresponding proposal was included in a new version of the bill.

According to the ministry's press service, fines will be applied in two stages. For a first leak the fine will be fixed, with its size depending on the amount of data the company leaked. For a repeated leak, a turnover-based fine will apply.

Penalties for data breaches will be proportionate to the amount of information

Bounds will be set for turnover-based fines (the percentage of revenue "from" and "to" which can be recovered). Mitigating and aggravating circumstances will be taken into account. For example, if a company has made every effort to protect information, this will count as a mitigating circumstance in determining the amount of the fine. But if the company concealed the fact of a leak, this could be an aggravating circumstance, and the punishment would then be the maximum.

A procedure for voluntary accreditation of companies against information security criteria will be provided; it may be linked to a professional liability insurance mechanism. Such accreditation can serve as confirmation of the measures taken to protect against leaks and can be regarded as a mitigating circumstance. Accreditation will require regular audits by professional firms able to confirm compliance with all the necessary requirements.

The bill will also define what exactly constitutes a personal data leak and how the guilt of a particular company will be established. For example, a mobile operator stores data containing a subscriber's phone number and full name, but the same data can also leak from an online store's database. In addition, fraudsters often sell "compilations" stitched together from different databases, passing them off as data leaked from specific companies.[20]

Ministry of Digital Development agreed not to fine companies for a first leak of user data

As became known on July 11, 2022, the Ministry of Digital Development agreed not to introduce fines for companies for a first leak of user data. The ministry announced the decision to soften penalties for personal data leaks at a meeting on amendments to the Administrative Code, which was also attended by representatives of Rostelecom, MTS, Avito, Yandex, Ozon, VimpelCom, VK and others.

According to Kommersant, the Ministry of Digital Development also agreed to reduce the fine for a leak to below 1% of turnover, but as of July 11, 2022 this issue was still under discussion.

Companies will not pay a fine for a first leak of user data

The meeting also discussed reducing the fine for concealing a leak from Roskomnadzor. The ministry instructed companies to develop proposals for amendments to the bill within two weeks.

According to the publication's source, business representatives at the meeting proposed a three-stage system of punishment for leaks: if the personal data of customers or employees were compromised for the first time, companies proposed issuing only a warning; for a second compromise, a large fine would have to be paid; and for a third leak the company would receive a turnover-based fine, the source said.

One source noted that introducing turnover-based fines in July 2022 was untimely, as it could further worsen business conditions amid double-digit inflation, supply chain disruptions, a decline in Russians' purchasing power, and so on.

Punishment should be not for the fact of a leak, but for the absence of measures to prevent it and to remedy its consequences, said Anna Serebryanikova, president of the Big Data Association (ABD). In her opinion, the amount of the fine should depend on the scale of the leak and the damage. Oleg Blinov, a lecturer at Moscow Digital School, on the other hand, considers the introduction of turnover-based fines a useful initiative that encourages business to allocate funds to information protection.[21]

The Ministry of Digital Development supported the idea of turnover-based fines for personal data leaks

The Ministry of Digital Development supported the idea of turnover-based fines for personal data leaks. This became known on February 21, 2022.

The Ministry of Digital Development is confident that the measure will help reduce the number of leaks.

At a round table in the Federation Council, a proposal to introduce turnover-based fines for personal data operators for leaks was discussed. The initiative is supported by the Ministry of Digital Development.

The penalties in force as of February 2022 do not encourage operators to comply unconditionally with the requirements of personal data legislation, and so the introduction of turnover-based fines will, in our opinion, help reduce the number of incidents involving PD leaks, a ministry representative said.

At the same time, Karen Ghazaryan, director of the Institute for Internet Research, announced the development of amendments to legislation introducing turnover-based fines for PD operators for leaks. This was confirmed by Alexandra Orekhovich, Director for Legal Initiatives of the Internet Initiatives Development Fund.

Of course, the introduction of turnover-based fines can significantly reduce the number of leaks. But it is very important, and representatives of Roskomnadzor and the Federation Council drew attention to this at the meeting, to take into account the degree of guilt of the legal entity being held liable, she continued, clarifying that it is one thing when a company did not follow the necessary procedures to protect the personal data of employees and customers, and another when it was the intent of one of the employees.[22]

2021: ILV proposed to oblige personal data operators to pay compensation to victims of leaks

On March 23, 2021, information appeared that Roskomnadzor proposed to oblige personal data operators to compensate for moral damage to victims of Internet fraud if they are associated with leaks due to the fault of operators.

The deputy head of the department, Vladimir Logunov, at a meeting of the State Duma's inter-factional working group on combating cybercrime, proposed obliging personal data operators to compensate for moral damage to victims of online fraud related to leaks.

{{quote '"This is an innovative idea that we plan to work on at the State Duma, so that compensation for damage, including moral damage, to the personal data subject is commensurate with that damage," Logunov said. }}

The representative of Roskomnadzor noted that the people most often targeted by Internet fraud are older people and those with minor children.

{{quote '"Only 17% of those defrauded online tried to open a criminal case, while 83%, when they lost data or were somehow defrauded, do not contact the Ministry of Internal Affairs. Therefore, it is important to prevent such violations at an early stage and to train users," he stressed[23]. }}

2020: Ministry of Justice of Russia proposed to significantly increase fines for personal data leakage

The Russian Ministry of Justice has proposed a significant increase in fines for leaks of personal data, to be implemented by amending the Code of Administrative Offenses (CAO). In the proposed version of the Administrative Code, the fines for personal data leakage would rise by more than ten times in some cases. If the amendments are adopted, the changes will affect legal entities, officials, individual entrepreneurs and individuals alike. This became known on June 3, 2020.

For individuals, the fine, which as of early June 2020 was 2,000 rubles, is proposed to rise to 20 thousand rubles. Officials would pay for a leak not the current 10 thousand rubles but up to 100 thousand rubles, and individual entrepreneurs up to 300 thousand rubles instead of 20 thousand rubles. The largest fine is provided for legal entities: as of June 3, 2020, it is 50 thousand rubles, but the Ministry of Justice proposes raising it to 500 thousand rubles.

The draft Code of Administrative Offenses states that the changes will be made to part 6 of article 33.1 (Failure to comply with the obligation to ensure the confidentiality of personal data). The fines in force before the new version of the Code takes effect are set out in part 6 of article 13.11 of the Administrative Code.

The agency published the draft Code of Administrative Offenses on the federal portal of draft regulatory legal acts on May 29, 2020. The project number is 02/04/05-20/00102447; as of June 3, 2020, it was at the public discussion stage, scheduled to end on June 24, 2020.