According to the Country Commercial Guide of the U.S. International Trade Administration, Russia is the sixth-largest economy globally, and its gross domestic product purchasing power parity is USD 4.016 trillion. The country has more than 140 million people with growing purchasing power that demand well-known global brands and quality service. All these factors make Russia a strategic market for different international companies.
Russian legislation evolves rapidly, and the personal data laws constitute no exception. Beginning March 27, 2021, Russia enhanced personal data subjects' rights by changing fines and extending the limitation period for data-related breaches.
No changes for data localization breach
The new federal law "On Amendments to the Code of Administrative Offenses" No.19-ФЗ dated Feb. 24, 2021, has amended the amounts of administrative fines prescribed in Article 13.11 of the "Code of Administrative Offenses for several types of offenses against the Federal Law On Personal Data" No.152-ФЗ dated July 27, 2006. On a case-by-case basis, the fines may apply to legal entities and their responsible managers (e.g., the CEO and data protection officer).
However, the amendments do not touch upon the highest fines for breaching the so-called data localization requirement. Same as before, a company that fails to ensure recording, systemizing, accumulating, storing, clarifying (updating, changing), and extracting the personal data of Russian Federation nationals with the use of databases located in the territory of the Russian Federation (when collecting such personal data in any manner, including via the internet) may face a fine of RUB 1,000,000 to 6,000,000 (approximately USD 13,000 to 80,000). Responsible managers may face a fine in the amount of RUB 100,000 to 200,000 (approximately USD 1,300 to 2,600).
Administrative fines for repeated offenses are higher. A repeated offense occurs within one year from the date the previous liability was completely enforced. Repeated breach of the localization requirement leads to a fine of RUB 6,000,000 to 18,000, 000 (approximately USD 80,000 to 240,000) on a company and responsible managers may face a fine of RUB 500,000 to 800,000 (approximately USD 6,600 to 10,500) (Article 13.11(8) and (9) of the code).
New limitation period
The amendments extended the maximum time after the offense within which an administrative fine may be imposed (the limitation period) from three months to one year. Correspondingly, Russia's data protection authority, Roskomnadzor, may extend its regular and extraordinary supervisory checks to prevent offenders from escaping liability for formal reasons. This changes the strategy of passing such inspections, mobilizing companies to conduct a privacy audit under Russian law as soon as possible.
The legislative changes doubled administrative fines for seven types of offenses against the personal data laws. They introduced new fines for repeatedly committing three types of offenses (see the below table for a summary of amended fines).
For instance, amended paragraphs 1 through 7 of Article 13.11 of the code provide that depending on the nature of the offense, noncompliance with the law may result in a fine of RUB 30,000 to 500,000 (approximately USD 400 to 6,500) on a company and responsible managers may face a fine of RUB 6,000 to 100,000 (approximately USD 80 to 1,300).
The amendments improve the protection of data subjects' rights in Russia. At the same time, these amendments notably increase legal risks for companies doing business in Russia and personally for their managers. Given the extended limitation period, such companies should not put Russian compliance matters on the back burner. To minimize the risks, they should establish routine compliance management procedures and monitor the case law and Roskomnadzor's law enforcement activities.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.