The Ministry of Digital Development has developed a draft law on turnover fines for companies that leak users' personal data; the fines can be up to 3% of the organization's turnover. This was announced by the head of the Ministry of Digital Development, Maksut Shadayev, at a meeting with the presidium of the faction of the Communist Party of the Russian Federation in the State Duma.
The Minister called the situation with the leakage of personal data “serious” and “difficult”.
“The Ministry of Digital Development has prepared a draft law on the introduction of turnover fines. Very serious fines – up to 3% of the turnover – are provided if the company does not ensure the safety of data,” said Shadayev (quoted by TASS).
He added that a mitigating circumstance for companies would be to pay damages to two-thirds of those affected by the leak. Also, the amount of the penalty may be reduced if the organization demonstrates that it has invested additional funds in the security infrastructure.
According to the amendments to the law “On Personal Data”, which came into force on September 1, 2022, in the event of a data leak the operator is obliged to notify Roskomnadzor within 24 hours, and within 72 hours to provide the department with the results of an internal investigation indicating the reason and the persons responsible. Currently, the maximum fine for a business for a data breach is RUB 500,000 (Article 13.11 of the Code of Administrative Offenses of the Russian Federation).
Also, a bill on turnover fines has been under discussion since the spring of 2022; the Ministry of Digital Development made such a proposal in April. Back in May, the ministry agreed on a bill imposing a fine of 1% of annual revenue and up to 3%. According to Vedomosti, such a fine is provided only in the event of a leak of more than 100,000 records.
In July, the agency announced that fines for data leakage were planned in two stages. For the first violation, the fine will be fixed, and the amount will depend on the volume of the leak. In case of repeated leakage, a negotiable penalty will apply.
In early October, Vedomosti wrote that the Ministry of Digital Transformation had finalized a bill on turnover fines for personal data leaks and included punishment not only for companies, but also for officials. According to the document, it is proposed to introduce a fine of 200,000 to 400,000 rubles for executives of a company that leaked the data of 10,000 to 100,000 subjects. For individual entrepreneurs and legal entities, the fine for the same incident will be 0.02% of the turnover, but not less than 1 million rubles.