The State Duma immediately adopted in the second and third readings a law providing for fines for leakage of personal data in the amount of up to 3% of the organization’s annual turnover. Responsibility rests with citizens, officials and legal entities.
Image Source: Hack Capital / unsplash.com
Dissemination of from one thousand to ten thousand subjects of personal data or from ten thousand to one hundred thousand identifiers entails fines in the amount of: for citizens – from 100 thousand to 200 thousand rubles; for officials – from 200 thousand to 400 thousand rubles; for legal entities – from 3 million to 5 million rubles. A massive data leak, including more than 100 thousand subjects or more than 1 million identifiers, provides for larger fines: for citizens – up to 400 thousand rubles, for officials – up to 600 thousand rubles, for legal entities – up to 15 million rubles.
In the event of a repeated leak, even more severe punishment will follow in the form of fines of up to 600 thousand rubles for individuals, up to 1.2 million rubles for officials, and legal entities in this case face a fine of 1% to 3% of the total amount proceeds from the sale of all goods (works, services) for the calendar year. If a company spends at least 1% of its annual revenue on information security, the maximum fine for it will be 50 million rubles.
The law adopted by the State Duma also provides for an increase in fines for illegal data processing. In case of repeated violation, the fines will be: for citizens – up to 30 thousand rubles, for officials – up to 200 thousand rubles, for legal entities – up to 500 thousand rubles. Processing biometric personal data in information systems of government agencies without accreditation will be punishable by a fine of up to 2 million rubles; if the operator’s actions resulted in the transfer of biometric data, he is subject to a fine of up to 20 million rubles. For failure to take measures to ensure the security of biometric personal data, the fine will be up to 1.5 million rubles.