Substantial fines to be imposed for breaching the Russian personal data localisation rules

On 13 June 2019, a bill* was introduced in the State Duma of the Russian Federation to make it a finable offence in the Code on Administrative Violations to breach rules on the localisation of personal data of Russian citizens.

The 2017 amendments to administrative offences in the field of personal data did not establish a separate punishment for breaching personal data localisation rules. In practice, companies were held liable and received a minimal fine of RUB 3,000 (EUR 42) under a general provision for failing to provide information in response to a request from a state body. In some cases, the domain names of offenders were blocked.

The proposed amendments will introduce liability for failure to comply with localisation rules with substantial fines ranging from RUB 2m (EUR 27,900) to RUB 6m (EUR 83,700), and for repeat violations from RUB 6m (EUR 83,700) to RUB 18m (EUR 251,100). According to the general rules, a repeat violation has occurred if the offender committed a second breach within one year from the deadline by which the fine for the first breach should have been paid.

The personal data localisation rules on which the proposed fines are based have been in force since 1 September 2015.

In proposing these fines, Russian lawmakers are taking into account the European experience of a significant increase in fines for violations in the field of personal data processing, and the growing risk of illegal processing of personal data brought on by the development of digital society.

Although the legislative process to adopt these changes has just begun, and the size of the fines could change in the final version of the bill, it appears that this bill will in all likelihood be passed, since the draft reflects the recent trend of expanding the scope of control and regulatory impact of the supervising authority, Roskomnadzor.

CMS Russia will follow the stages of the review of the bill and will report on them in separate Alerts.

For the present, however, companies are strongly advised to check the current status of localisation of personal data of Russian citizens and, if necessary, audit their existing data processing practices to ensure that they comply with the legal requirements.

If you have any questions on this eAlert, do not hesitate to contact CMS Russia experts Anton Bankovskiy and Vladislav Eltovskiy or your regular contact at CMS Russia.

*in Russian