Russia's legislation evolves rapidly and its personal data laws are no exception. On 27 March 2021 Russia enhanced personal data subjects' rights by changing fines and extending the limitation period for data-related breaches.
No changes to fines for data localisation breaches
The Federal Law on Amendments to the Code of Administrative Offences (19-ФЗ, 24 February 2021) amends the amounts of the administrative fines prescribed by Article 13(11) of the Code of Administrative Offences for several types of offences against the Federal Law on Personal Data (152-ФЗ, 27 July 2006). The fines may apply to legal entities and their responsible managers (eg, CEOs and data protection officers) on a case-by-case basis.
However, the amendments do not change the highest fines, which apply to breaches of the so-called 'data localisation' requirement. As before, companies which fail to ensure that the recording, systematisation, accumulation, storage, clarification (ie, updating or changing) and extraction of Russian nationals' personal data is carried out using databases located in Russia (when collecting such personal data in any manner, including via the Internet) may face a fine of between Rb1 million and Rb6 million (approximately $13,000 to $80,000). Responsible managers may face a fine of between Rb100,000 and Rb200,000 (approximately $1,300 to $2,600).
Administrative fines for repeated offences are higher. A 'repeated offence' is an offence that occurs within one year of the date on which the previous liability was completely enforced. A repeated breach of the localisation requirement incurs a fine of between Rb6 million and Rb18 million (approximately $80,000 to $240,000) for companies, while responsible managers may face a fine of between Rb500,000 and Rb800,000 (approximately $6,600 to $10,500) (Articles 13(11)(8) and 13(11)(9) of the code).
New limitation period
The amendments extend the maximum time after an offence within which an administrative fine may be imposed (known as the 'limitation period') from three months to one year. Accordingly, Russia's data protection authority, Roskomnadzor, may extend its regular and extraordinary supervisory checks to prevent offenders from escaping liability for formal reasons. This changes how companies should approach such inspections and encourages them to conduct a privacy audit under Russian law as soon as possible.
The legislative changes double the administrative fines for seven types of offence against Russia's personal data laws. They introduce new fines for repeatedly committing three types of offence.(1)
For example, amended Paragraphs 1 to 7 of Article 13(11) of the code provide that, depending on the nature of the offence, non-compliance with the law may incur a fine of between Rb30,000 and Rb500,000 (approximately $400 to $6,500) for a company, while responsible managers may face a fine of between Rb6,000 and Rb100,000 (approximately $80 to $1,300).
The amendments improve the protection of data subjects' rights in Russia. At the same time, they notably increase the legal risks for companies which do business in Russia and the managers thereof. Given the extended limitation period, such companies should not put Russian compliance matters on the back burner. To minimise risks, they should establish routine compliance management procedures and monitor the case law and Roskomnadzor's law enforcement activities.