Russia Ups Fines for Data Protection Violations

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Sergei Blagov

New fines adopted by Russian authorities for violations of personal data protection requirements could mean less protection for businesses, privacy professionals told Bloomberg BNA.

President Vladimir Putin signed into law Federal Law No. 13-FZ to amend Article 13.11 of the Code of Administrative Offenses and set forth new financial penalties for failure by businesses and individuals to comply with data protection requirements, the presidential press-service said in a statement. The law, adopted Jan. 27 by the lower house of Parliament and Feb. 1 by the upper house, takes effect July 1, 2017.

The amended provisions set forth new fines for violating the 2006 Federal Law No. 152-FZ on personal data, the statement said.

One of the more important amendments allows the country’s data protection regulator, Roscomnadzor, to initiate administrative proceedings related to personal data violations, instead of prosecutors, Vyacheslav Khayryuzov, counsel and head of the data privacy office at Noerr LLP in Moscow, told Bloomberg BNA in an e-mail.

“This amendment would practically mean less protection for businesses and data operators, since the number of audits would likely increase and, potentially, the number of unjustified claims to the business from Roscomnadzor may increase as well,” he said.

Because prosecutors frequently refuse to support Roscomnadzor’s claims, “considering them as being not entirely lawful,” they provide an additional safeguard for businesses by helping them avoid “abuses and misinterpretation of the law by Roscomnadzor,” Khayryuzov said.

New and Expanded Fines

The Russian data protection law provides for an extensive list of compliance measures, while the Code of Administrative Offenses previously provided only for two general fines, Khayryuzov said.

“There was a need to distinguish between various types of violations and also to increase the fines,” Khayryuzov said, although the increase only brings the maximum fine to 75,000 rubles ($1,277), he said.

The new law sets forth new fines for illegal or improper processing of personal data, nonconsensual processing of personal data and failure by data operators to meet data protection requirements. Fines vary depending on whether violations are incurred by businesses, executives or individuals.

To contact the reporter on this story: Sergei Blagov in Moscow at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security