The Russian Federation is moving forward with a pair of draft laws aimed at tightening the rules around handling personal data within its borders. These measures were submitted to the State Duma Committee on Information Policy, IT and Communications for review, signaling a push to strengthen accountability for how personal information is collected, stored, and shared across organizations. The update was reported by Kommersant, a major business daily in Russia, and it highlights a broader government agenda centered on data protection and cyber governance that resonates far beyond Russia’s borders.

The first proposed law targets enforcement by introducing turnover penalties for organizations that fail to safeguard personal data or that leak information. The core idea is to impose clear and meaningful consequences on entities whose lax practices lead to the exposure of sensitive data, thereby creating a stronger deterrent against negligent handling of personal information. This shift in liability would place a higher premium on compliance programs, data breach preparedness, and rapid notification protocols. The second piece of legislation extends to the Criminal Code and focuses on individuals who misuse personal data for illegal purposes, including theft, online sale, and distribution. By expanding criminal liability to cover these activities, lawmakers aim to deter both internal misdeeds and external breaches that target private citizens and their digital footprints. The two bills are anticipated to be taken up by the State Duma in April, with the goal of signaling a clear stance on data integrity and the consequences of mishandling such data.

Industry observers note that the real-world impact of criminal liability may vary depending on the actor and the environment in which data trades occur. Ashot Hovhannisyan, who founded DLBI, a service dedicated to intelligence and darknet monitoring of data leaks, commented that the shadowy and highly anonymous nature of darknet marketplaces could blunt the effect of criminal penalties on traders operating there. In his view, criminal liability operates as a stronger force against insiders who have legitimate access within organizations, where the risk of exposure and internal enforcement pressures are more immediate and tangible. The distinction between tackling insider risk and disrupting anonymous external networks becomes a focal point for policymakers considering how to structure enforcement without driving data trade underground or offline, where detection is more challenging.

Meanwhile, Maksut Shadayev, former head of the Ministry of Digital Development, confirmed that the final version of the draft law establishing turnover penalties for leaking personal data is ready. The language in this version would delineate the penalties associated with unauthorized dissemination and would likely specify thresholds, scales, and procedures for assessing damage, along with the mechanisms for breach notification and remediation. Such provisions are designed to create predictable penalties that businesses can build into their risk management frameworks, thereby elevating the priority of robust data governance programs across both public and private sectors.

From a broader policy perspective, the drive toward turnover penalties and heightened personal data liability reflects a concerted effort to modernize Russia’s data protection regime in line with international expectations. In January, President Vladimir Putin directed senior ministers to prepare for the introduction of turnover penalties on companies that leak personal data and to intensify the accountability for their illegal circulation by July 1, 2023. That directive underscored the government’s commitment to reinforcing data protection as a strategic asset and as a critical element of national cyber resilience. The current draft laws can be seen as concrete steps toward implementing that vision, aligning with global trends where data governance has become a cornerstone of trust, security, and regulatory compliance among both individuals and enterprises. The anticipated April deliberations in the State Duma are watched closely by industry stakeholders who must balance regulatory expectations with operational practicality, especially for multinational corporations operating in Russia or dealing with Russian data subjects. The evolving legal landscape underscores the importance of becoming familiar with both the letter of the law and the practical implications for governance, risk, and compliance programs that span data collection, storage, usage, and cross-border transfers.

Analysts caution that, while penalties can drive improved controls, the enforcement architecture will determine the real effectiveness of these measures. The proposed framework would likely require clearly defined data categories, explicit penalties for different levels of data sensitivity, and established processes for documenting violations and enforcing sanctions. Organizations may need to rethink data minimization practices, implement robust access controls, and invest in incident response capabilities that minimize the damage caused by leaks. The evolving approach also raises questions about how personal data is classified in various sectors, how consent and consent revocation are managed, and how penalties interact with existing data protection standards and digital governance protocols. Observers in the technology and legal communities will be watching for how Russian authorities translate these theoretical penalties into enforceable rules that can withstand scrutiny in courts and in the court of public opinion. The outcome could influence foreign investment decisions, cross-border data handling policies, and the broader dialogue around data sovereignty in a connected regional ecosystem.

As the legislative process unfolds, stakeholders are urged to monitor not only the text of the laws but also the accompanying guidelines and regulatory interpretations that typically accompany such reforms. Businesses would be wise to assess current data protection measures, perform gap analyses, and establish a clear road map for achieving compliance within the proposed timelines. In parallel, the international community may assess how these developments affect data flows, enforcement benchmarks, and collaborative efforts aimed at combating data theft and illicit data marketplaces. The interplay between national legislation and global norms is likely to shape how data protection is perceived, implemented, and enforced across markets that involve Russian data subjects and data processors operating in Canada and the United States, as well as in other regions where digital privacy is a high-priority concern. The March-to-April review window presents a pivotal moment for clarifying expectations, defining responsibilities, and setting the tone for responsible data handling in a rapidly evolving digital era. (Kommersant)
