Increase in liability for personal data protection violations

Russia

Almost a year ago, the State Duma started considering a bill to amend the Russian Code on Administrative Offences relating to personal data protection violations. Despite some delays in the adoption of the bill, the newly convened State Duma resumed its consideration of the bill and finally adopted it. This amendment follows the recent trend aimed at strengthening the control over the processing of personal data. The bill has also been approved by the Federation Council and signed* by the Russian President.

As we reported earlier, the essence of the changes is to establish more clearly defined offences and to increase the penalties for committing them. Interestingly, the final sums of the fines are lower than those initially proposed in the bill.

| Breach | Administrative sanctions: warning | Administrative sanctions: fine range for legal entities |
|---|---|---|
| Failure to comply with the requirements for obtaining the written consent of the personal data subjects | N/A | RUB 15,000 - 75,000 (approx. EUR 250 - 1,250) |
| Breach of the secure storage rules for tangible media objects (where personal data is processed otherwise than by automatic means) | N/A | RUB 25,000 - 50,000 (approx. EUR 415 - 830) |
| Processing of personal data without legal grounds or in a manner that is incompatible with the purposes of their collection | Applicable | RUB 30,000 - 50,000 (approx. EUR 500 - 830) |
| Failure to amend, block access to or destroy personal data at the legitimate request of a data subject or competent authority | Applicable | RUB 25,000 - 45,000 (approx. EUR 415 - 750) |
| Failure to provide a data subject with information on the processing of his/her personal data | Applicable | RUB 20,000 - 40,000 (approx. EUR 330 - 660) |
| Failure to publish or otherwise make publicly available the personal data processing policy or information on its implementation | Applicable | RUB 15,000 - 30,000 (approx. EUR 250 - 500) |

These new sanctions will take effect from 1 July 2017.

We note that the adopted version of the bill does not contain a separate offence for breach of personal data localisation requirements. Accordingly, the blocking of websites remains the only sanction for this type of breach. Further, the issue of how to calculate the total amount of fines (for one breach or for each personal data subject) remains unclear. This is likely to be resolved in the course of enforcement of the law.

Companies that process personal data are advised to carry out an audit of their existing data processes in order to ensure compliance with the requirements of the legislation before the new sanctions come into force.

Change in the list of countries providing adequate personal data protection

In addition to the above changes and explanations, Roskomnadzor has also recently announced* its intention to update the list of countries which are not members of the Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, but which it believes provide an adequate level of personal data protection.

After analysing the situation, Roskomnadzor plans to amend its existing Order No. 274 dated 15 March 2013*, which currently comprises 17 countries, including Australia and Canada.

If the proposed changes to the Order are adopted, they may affect international companies engaged in the cross-border transfer of personal data, as the legislation imposes more stringent requirements on cross-border data transfer. It is too early to say whether these amendments will be positive or negative. This will depend on whether the new countries are added to, or removed from, the list.

If you have any questions on the matters referred to in this Alert, please do not hesitate to contact CMS Russia experts Anton Bankovskiy and Vladislav Eltovskiy or your regular contact at CMS Russia.

* In Russian