Russia: The law introducing significant strengthening of liability for the violation of personal data regulations came into force

On July 1st, 2017, several amendments to the Code of Administrative Offences of the Russian Federation (hereafter – the Code) came into force[1], significantly elaborating on the list of offences in the sphere of personal data (PD) processing and increasing the penalties.

The amendments addressed Article 13.11 of the Code, which previously established liability for one major offence related to the data processing – the breach of legally prescribed procedure of gathering, storing, using and distribution of PD. The sanction stretched from an official warning to administrative fine limited to 10 000 RUB for companies.

The amended Article 13.11 diversifies and strengthens the liability, introducing seven general groups of offences related to PD, which themselves may have internal division between various administrative offences.

Five of seven Paragraphs of Article 13.11 require the special perpetrator – the operator of PD. According to the Federal Law No. 152-FZ of 27.07.2006 “On Personal Data”, the operator includes governmental body, municipal body, a company or a physical person, who, acting on their own, or jointly with other persons, organize and (or) directly perform the PD processing, as well as those who determine the purposes of processing, the amount of PD to be processed, and specific operations involved in PD processing.

Drawing particular attention is that operator of PD is liable for non‑publishing of its policy on data protection, as well as for depriving the third parties in any other way of access to such document, which is now explicitly stipulated in law. The obligation to elaborate and publicize the policy on data protection is established in the Article 18.1 of the Federal Law on personal data.

The liability is also established for data processing without written permission of the person (in case such written permission is required), as well as for failures to address lawful requests of persons with regard to their PD processed by the operator. The Article also stipulates the liability for the general offence consisting in data processing in a manner not provided by law.

The amended Article 13.11 also introduces significant increase of penalties for violation of PD protection rules. The maximum amount of administrative fine is increased and reaches 75 000 RUB for certain type of offences.

It is also worth noting that implementation of such legislative act falls directly in line with the state policy on broadening and intensification of regulatory work in the sphere of PD protection and, more generally speaking, the information technologies. The widely discussed Federal Law No. 242‑FZ of 31.12.2014 previously introduced the obligation for the operators of PD to store the PD related to the Russian citizens in the Russian Federation (in application since September 1st, 2015).

The significance of such regulatory transformation is further increased by the fact that almost each business entity is to certain extent influenced by the PD protection policy, notwithstanding the type of business activity and the size of the company.

On the other hand, companies that adopted internal regulations on PD are recommended to carefully scrutinize their internal personal data policies in order to ensure compliance with the continuously broadening scope of regulations in order to prevent relevant risks that may be caused by audits conducted by Roskomnadzor.

[1] The Federal Law No. 13‑FZ of 07.02.2017

Contact Person: Guest article by the Russian attorneys Vatslav Makarskiy and Andrey Ryabinin, law firm Integrites in Moscow, Russia