Russian draft law sets fines for personal data breaches and internet violations

Available languages: RU

On 10 September 2019, the Russian State Duma adopted a bill* introducing fines for the breach of personal data localisation rules. The draft law went through the first of three hearings in the lower chamber of parliament.

As reported earlier, these amendments will introduce liability for failure to comply with localisation rules with fines ranging from RUB 2m (EUR 28,500) to RUB 6m (EUR 85,500), and for repeat violations from RUB 6m (EUR 85,500) to RUB 18m (EUR 256,500).

In addition, the bill will also introduce fines for repeated violations of established internet rules by certain types of businesses as outlined below (the list of violations is not exhaustive):



Amount of fine

Organisers of information dissemination systems over the internet (e.g. social networks, messengers, e-mail operators, websites allowing for exchange of messages)

Repeated failure to notify the supervising authority of commencing information dissemination via the internet

RUB 500,000 (EUR 7,125) to RUB 1m (EUR 14,250)
Organisers of information dissemination systems over the internet Repeated breach of rules for storing information on the exchange of messages and the transfer of this information to law-enforcement agencies RUB 2m (EUR 28,500) to RUB 6m (EUR 85,500)
Organisers of information dissemination systems over the internet Repeated failure to provide encryption keys to the Federal Security Service RUB 2m (EUR 28,500) to RUB 6m (EUR 85,500)
Messengers Repeated failure to comply with statutory obligations (e.g. identifying users, ensuring confidentiality of data, etc.) RUB 1m (EUR 14,250) to RUB 2m (EUR 28,500)
Search engines operators Repeated failure to connect to the system containing information on resources blocked in Russia and repeated failure to restrict access to these resources RUB 1.5m (EUR 21,375) to RUB 5m (EUR 71,250)

The bill reflects recent trends by Russian state authorities to extend control over internet activities and to ensure personal data protection.

The bill is likely to be adopted in its final reading with only minor amendments. CMS Russia will continue to follow the stages of the bill’s review and will report on them in separate eAlerts.

For the present, companies are strongly advised to begin checking and ensuring that their current business processes comply with all legal requirements known at this stage.

If you have any questions on this eAlert, do not hesitate to contact CMS Russia experts Anton Bankovskiy and Vladislav Eltovskiy or your regular contact at CMS Russia.

* In Russian