The Ministry of Economic Development has proposed easing the turnover-based fines for personal data leaks, arguing that the current fines are unreasonably high. The ministry’s response to the government and the Ministry of Justice is reportedly aimed at balancing accountability with the realities faced by businesses navigating data protection obligations.
According to the publication, the government is preparing a formal reply to the bill. The proposal includes evaluating the option of honoring the fines in a structured way while also offering reduced penalties for companies that voluntarily compensate leak victims promptly and transparently.
Under the current draft, the penalty for a first personal data breach would rise dramatically, to approximately 100 times its present level. For subsequent incidents, fines could range from 0.1% to 3% of a company’s income. In late July, deputy Alexander Khinshtein, along with senators Andrei Turchak and Irina Rukavishnikova, sent the relevant documentation to Prime Minister Mikhail Mishustin for consideration.
The bill further proposes that a repeated violation involving compromised data of any number of subjects could carry a maximum fine ranging from 15 million to 500 million rubles, signaling a potential shift toward stiffer sanctions for repeated offenses.
Industry observers note that data breach regulation remains a hot topic. Kaspersky Lab reported that in 2022 there were 168 cases in which sensitive databases tied to Russian companies were exposed. In total, more than 2 billion records were made accessible, including roughly 300 million user data entries. About 16% of these records included passwords. The sectors most frequently impacted were logistics and delivery services, which accounted for about a third of cases, followed by the retail sector.
At present, the maximum fine for companies that compromise personal data stands at 100 thousand rubles, with penalties for repeat violations capped at 300 thousand rubles. The trend in proposed penalties reflects a broader push to deter breaches while encouraging responsible handling of data and remediation measures when incidents occur.
Officials have emphasized the importance of updating security practices. In response to ongoing data incidents, individuals are advised to change passwords on social networks and other critical accounts, and to implement unique, strong credentials across platforms to reduce risk from breaches and credential stuffing.