Representatives from major corporations criticized the bill imposing turnover-based penalties for personal data breaches, which the State Duma approved in the first reading. This overview comes from RBC reporting after a recent briefing.
The discussions emerged in the wake of a thematic session hosted by the Ministry of Economic Development on July 16.
Under the current draft, the measure would amend both the criminal and administrative codes. It would markedly raise penalties for personal data leaks, escalating fines from 100,000 rubles to as much as 15 million rubles when the breach affects more than 100,000 individuals.
For repeat violations, the bill contemplates turnover fines ranging from 0.1% to 3% of revenue, with a mandatory minimum of 15 million rubles and a maximum cap of 500 million rubles.
Industry voices from sizable companies pushed back against these provisions for several reasons. They cited ongoing hacker activity originating from Ukraine, substantial investments in data protection technologies, and the concern that higher costs would be passed to consumers in service prices. Some warned of a potential resurgence in the use of paper records as firms recalibrate.
One critical takeaway for many executives is the possibility that information security investments will not be treated as mitigating factors. In that scenario, some firms might prefer to appease extortionists with payments rather than absorb fines for data breaches. Small businesses, facing multi-million ruble penalties, could be driven out of operation altogether.
All participants at the meeting declined RBC's request for public comment.
Public records indicate that on January 23, 2024, the State Duma accepted the draft law on fines for leaking personal data in the first reading. The timeline for the second reading had not been announced at that stage.
Earlier discussions in Russia had also touched on turnover penalties tied to data breaches, highlighting a broad policy push to curb the leakage of personal information and to impose strict consequences for noncompliance.