The Ministry of Digital Development has finalized the bill on turnover-based fines for personal data leaks and added liability for officials to it. Under the latest version of the bill, no fines will be imposed for database leaks that do not allow a sufficient number of personal data subjects to be identified.
According to Vedomosti, the new version of the document provides that for a data leak affecting 10,000 to 100,000 entities, company officials will be fined from 200,000 to 400,000 rubles, while for individual entrepreneurs and legal entities the fine will be 0.02% of turnover, but at least 1 million rubles.
The revised version of the document establishes that turnover-based sanctions will be imposed when a database leak of 10,000 to 100,000 records makes it possible to attribute the data to at least 1,000 specific subjects.
If the volume of the leak exceeds 100,000 records, then the data must be attributable to 10,000 subjects. Consequently, no fines will be imposed for database leaks that do not allow the identification of a sufficient number of personal data subjects.
The new version of the document also softens the penalties where a company has a leak for the first time and has itself taken steps to protect the information.
A voluntary audit of the company's information security may be considered “as a mitigating circumstance” and may confirm the measures taken to protect against breaches.
- At the end of May, the Ministry of Digital Transformation agreed on a bill that involves the introduction of a fine of 1% of annual revenue and up to 3% if the company does not report the leak to Roskomnadzor in a timely manner.
- On June 6, the State Duma adopted in the third reading amendments to the law “On personal data”: they introduce the obligation for all companies to inform Roskomnadzor about leaks of citizens' personal information. Companies must report a leak to Roskomnadzor within 24 hours of its discovery, and within 72 hours provide the results of the investigation and information about those responsible.
- In July, the agency began discussing options to soften the bill introducing turnover-based fines for companies for leaking personal data.
Currently, the fine for legal entities for a data leak under art. 13.11 of the Code of Administrative Offenses is from 60 thousand to 100 thousand rubles, and for a repeat offence up to 500 thousand rubles. For example, in 2021, Oriflame paid a fine of 30,000 rubles for leaking the data of 1.3 million customers, while Yandex.Food received a fine of 60,000 rubles this year.
I am Bret Jackson, a professional journalist and author for Gadget Onus, where I specialize in writing about the gaming industry. With over 6 years of experience in my field, I have built up an extensive portfolio that ranges from reviews to interviews with top figures within the industry. My work has been featured on various news sites, providing readers with insightful analysis regarding the current state of gaming culture.