Russia Strengthens Penalties for Personal Data Violations: New Fines and Prison Sentences

Revenue-Based Fines for Data Leaks

Until now, data leaks were penalized under general personal data processing rules, with maximum fines of RUB 700,000 for companies. Federal Law No. 420-FZ of 30 November, 2024 introduces a tiered system of fines tied to the number of individuals affected:
  • 1,000 to 10,000 people: Fines between RUB 3 million and RUB 5 million
  • 10,001 to 100,000 people: Fines between RUB 5 million and RUB 10 million
  • Over 100,000 people: Fines between RUB 10 million and RUB 15 million
Repeat offenses may result in revenue-based fines of 1% to 3% of the company’s annual revenue from the preceding year, with a minimum of RUB 20 million and a maximum of RUB 500 million. Breaches involving biometric data (e.g., fingerprints, facial images, retinal scans, voice recordings) incur fines ranging from RUB 15 million to RUB 20 million, with repeat offenses subject to the same revenue-based approach.

Increased Fines for Notification Failures

The new law also increases fines for failing to submit, or submitting late, mandatory notifications to Roskomnadzor. These include the notification required before commencing any personal data processing or cross-border transfer of personal data, and the notification required within 24 hours of a data leak.
It should be recalled that any company planning to process the personal data of Russian individuals must notify Roskomnadzor in advance. Under the new rules, failure to submit this notification will result in fines ranging from RUB 100,000 to RUB 300,000 for companies.

Criminal Liability for Data Leaks

A separate law (Federal Law No. 421-FZ of 30 November, 2024, effective from 11 December, 2024) introduced criminal liability for the illegal collection, use, and transfer of computer information containing personal data. Penalties include fines, forced labor, and imprisonment for up to four years. More severe sanctions apply to offenses involving minors' data, biometric data, or actions motivated by personal gain, causing significant damage, or involving a group of individuals.
It is important to note that these provisions do not apply to personal data processing for purely personal or family purposes.
These developments underscore the growing importance of data protection compliance in Russia. We strongly recommend reviewing your data processing practices and ensuring compliance with these new regulations. Contact Solstico Legal for expert guidance on navigating these complex legal changes and protecting your business.