The Russian Ministry of Justice has supported the concept of a draft law introducing new, and also increasing current, fines for non-compliance with requirements in the field of personal data protection
Pepeliaev Group advises that the Russian Ministry of Justice has drafted an official review of the Russian Government with respect to the draft of the federal law “On amending the Russian Code of Administrative Offences” submitted to the State Duma by Russian senators A.A. Turchak and I.V. Rukavishnikova, as well as deputy of the State Duma A.E. Hinshtein. The concept of the draft law has been supported, but there are a number of remarks on the amendments proposed.
You can read about the contents of the draft federal law “On amending the Russian Code of Administrative Offences” in our alert.
According to the text of the official draft review of the Russian Government (the “draft review”), the proposed amounts of administrative fines need additional justification and working through, in particular, in terms of whether they are proportionate and possible to perform by persons on whom administrative liability is imposed.
The main remarks indicated in the draft review are listed below.
- It is necessary to clarify exactly which actions (omissions) of the operator that entailed an unlawful transfer of information including personal data will entail administrative liability under articles 13.11(12)-13.11(14) of the Russian Code of Administrative Offences (as amended by the draft law).
- The proposed administrative liability for the leakage of personal data of a special category and biometric personal data should be differentiated depending on the nature of the administrative offence and the degree to which it is socially harmful.
- Imposing on individual entrepreneurs measures of administrative liability equal to legal entities for a violation of legislation in the field of personal data may entail non-compliance with the principle of the individualisation of an administrative punishment, which is to be designated taking into account, among other things, the property status of the person on whom administrative liability is imposed (article 4.1 of the Code of Administrative Offences).
- In order to encourage personal data operators to behave in good faith, it is necessary to provide in the draft law for personal data operators to pay voluntary monetary compensation for the alleged harm caused to personal data subjects in connection with the fact being established of an unlawful transfer of personal data as a factor mitigating administrative liability.
The draft review should be considered by the Russian Government, signed and sent to the proponent of legislative initiatives for the possible amendment of the text of the draft law.
What to think about and what to do
It is advisable for personal data operators already at this stage:
- to check whether information regarding the operator is available in Roskomnadzor’s register of personal data operators. If the information about the operator is missing in the Register, the operator should file a notification with Roskomnadzor of the intention to perform processing of personal data (article 22 of the Federal Law No. 152-FZ);
- to determine persons responsible for complying with the requirements to file a notification of the fact of an unlawful or accidental transfer of (the provision or distribution of, or access to) personal data, and to determine an internal procedure for filing such a notification (article 21(3.1) of the Federal Law No. 152-FZ);
- to determine whether the requirements of Order No. 77 of the Russian Federal Security Service “On approving the procedure for operators to interact with the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation, including informing the Russian Federal Security Service about computer incidents that have resulted in an illegal transfer of (the provision or distribution of, or access to) personal data” dated 13 February 2023;
- to ensure that personnel is informed regarding the requirements for the processing of personal data, regularly check their knowledge.
Help from your adviser
The lawyers of Pepeliaev Group would be happy to provide comprehensive legal support to companies.
Pepeliaev Group provides the following types of services:
- conducting a full-scale audit (including a technical audit) of the processing of personal data, identifying violations, and bringing processes in line with the legislative requirements;
- drafting and sending a notification of the intention to process personal data, and a notification of the intention to perform cross-border transferring of personal data;
- drafting legal opinions and providing advice on issues of personal data processing;
- drafting internal regulations aimed at fulfilling the requirements of personal data legislation;
- providing legal support in liaising with Roskomnadzor and/or a personal data subject;
- providing training to personnel with regard to the requirements for the processing of personal data; and
- other services.