On 4 December 2023, the Bill amending the Code of Administrative Offences of the Russian Federation, including fines for noncompliance with cybersecurity measures resulting in data breaches (Bill No. 502104-8), was introduced in the State Duma. The Bill introduces obligations for operators to notify the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) in the event of personal data breaches and reduces the exceptions allowing data processing without notification. Failure to notify of the intention to process personal data will result in a fine of up to RUB 100’000 to 300’000. Failure to notify Roskomnadzor after establishing the fact of unlawful transfer, including provision, distribution, and access of personal data, will incur a fine of RUB 1 million to 10 million.

The Bill establishes fines based on the amount of data leaked due to the operator's failure to implement security measures to safeguard the personal data it stores. For leaks of between 1’000 and 10’000 subjects' data or of 10’000 to 100’000 unique identifiers of information about data subjects, entities face a fine of RUB 3 million to 5 million. For 10’000 to 1000’000 subjects' data or 100’000 to 1 million unique identifiers, the applicable fine is RUB 5 million to 10 million. For repeated failures, a fine of 0.1% to 3% of the revenue obtained in the last financial year, but not less than RUB 15 million and not more than RUB 500 million, will be imposed.

Inaction resulting in unlawful transfer, including provision, distribution and access of special categories of data, faces a fine of up to RUB 10 million to 15 million. For repeated violations, a fine ranging from 0.1% to 3% of the revenue obtained in the last financial year will be imposed, but it will not be less than RUB 20 million and not more than RUB 500 million. If adopted, the Bill would come into force 30 days following its publication.